Acrobatupdate.exe unknown virus to Eset Smart Security 5.0.93.0 Virus Signature7137

Discussion in 'ESET Smart Security' started by somerandomguy, May 14, 2012.

Thread Status:
Not open for further replies.
  1. somerandomguy (Registered Member, joined May 14, 2012, 6 posts)

    Hi, I picked up a virus off a torrent site.

    Eset Smart Security 5.0.93.0 Virus Signature Database 7137 (20120514) was unable to delete it, but was able to quarantine.

    I was able to manually clean it off in safe mode.

    Code:
    -Virus creates files in your user's AppData folder, hidden by default.
    C:\Users\(Insert Username)\AppData\Local\Temp\Team.exe
    C:\Users\(Insert Username)\Appdata\Roaming\Acrobatupdate.exe
    C:\Users\(Insert Username)\Appdata\Roaming\TEAM (No file name extension)

    -Virus adds keys to the registry called "scvhost" to make Windows automatically run the code each time you start your computer.

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ "scvhost" REG_SZ C:\Users\master\AppData\Roaming\Acrobatupdate.exe

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run  "scvhost" REG_SZ C:\Users\master\AppData\Roaming\Acrobatupdate.exe

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ "scvhost" REG_SZ C:\Users\master\AppData\Roaming\Acrobatupdate.exe

    -Virus creates a firewall opening under the name "Windows Messanger".

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\ "C:\Users\master\AppData\Roaming\Acrobatupdate.exe" REG_SZ C:\Users\master\AppData\Roaming\Acrobatupdate.exe:*:Enabled:Windows Messanger

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\ "C:\Users\master\AppData\Roaming\Acrobatupdate.exe" REG_SZ C:\Users\master\AppData\Roaming\Acrobatupdate.exe:*:Enabled:Windows Messanger

    Please add to definitions file, thanks.

    Somerandomguy
     
    Last edited: May 16, 2012
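An added defender-side check, not code from this thread or from ESET: a PowerShell script that audits the Run keys and firewall AuthorizedApplications locations listed in the post above for the "scvhost" value name, for executables launched from a profile's AppData folder and for the "Windows Messanger" display name, then hashes any flagged file still on disk so it can be submitted for analysis. It assumes PowerShell 4.0 or later (for Get-FileHash) and an elevated session so the HKLM keys are readable.

```powershell
# Added example: audit the autorun and firewall locations named in the post.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
$fwKeys = @(
    'HKLM:\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications',
    'HKLM:\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications'
)
# Indicators taken from the post: a value named "scvhost" (a look-alike of
# svchost) and executables started from a user profile's AppData folder.
$suspectName = 'scvhost'
$pathPattern = '\\AppData\\(Roaming|Local)\\'

function Get-RegistryValues($key) {
    # Enumerate every value under one key as Key/Name/Data objects.
    if (-not (Test-Path -LiteralPath $key)) { return }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{ Key = $key; Name = $name; Data = [string]$item.GetValue($name) }
    }
}

$findings = @()
foreach ($v in ($runKeys | ForEach-Object { Get-RegistryValues $_ })) {
    if ($v.Name -ieq $suspectName -or $v.Data -match $pathPattern) { $findings += $v }
}
foreach ($v in ($fwKeys | ForEach-Object { Get-RegistryValues $_ })) {
    # Firewall entries have the form "path:*:Enabled:DisplayName".
    if ($v.Data -match $pathPattern -or $v.Data -like '*Windows Messanger*') { $findings += $v }
}

foreach ($f in $findings) {
    "$($f.Key)`n  $($f.Name) = $($f.Data)"
    # Recover the executable path: drop the firewall suffix and surrounding quotes.
    $exe = ($f.Data -split ':\*:')[0].Trim('"')
    if (Test-Path -LiteralPath $exe) {
        # Hash the file so it can be reported; this is the SHA1 the vendor asks for.
        $h = Get-FileHash -LiteralPath $exe -Algorithm SHA1
        "  SHA1 $($h.Hash)  (still on disk; submit this file to the vendor)"
    } else {
        "  referenced file is no longer on disk"
    }
}
```

Entries that survive after the on-disk file is gone are left-over persistence and should be removed by hand, which is the situation the original poster describes.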
  2. lodore (Registered Member, joined Jun 22, 2006, 9,006 posts)

    Have you submitted the files to ESET?
     
  3. somerandomguy (Registered Member, joined May 14, 2012, 6 posts)

    Yes, I right-clicked the file, sent it for analysis and filled out some description.

    I googled for this virus but it's not well known yet.

    Update

    #1 top hit on Google when searching Acrobatupdate.exe virus!

    The files residing in C:\Users\IUNH\AppData\ are not visible without first enabling hidden files and protected operating system files to be shown in Explorer.
     
    Last edited: May 14, 2012
  4. Marcos (ESET Staff Account, joined Nov 22, 2002, 14,374 posts)

    If the threat was detected and ESET could not remove it even after a computer restart, I'd suggest contacting ESET's viruslab as per the instructions here. We haven't received any file with the name Acrobatupdate.exe, are you positive it didn't have a different name? Was a successful submission of the file logged in the ESET Event log?
     
    Last edited: May 15, 2012
  5. somerandomguy (Registered Member, joined May 14, 2012, 6 posts)

  6. Marcos (ESET Staff Account, joined Nov 22, 2002, 14,374 posts)

    Unfortunately, I still cannot find the file. You should see something like this when a threat is detected in memory:
    Operating memory » C:\Documents and Settings\Admin\Desktop\1ccd0866f8181008f828e7410e9d25e4772eda22f5e951d9acfc7c1da46c9aaa.exe - a variant of Win32/Injector.RGT trojan - cleaned by deleting (after the next restart) - quarantined [1,2]

    Please provide a screenshot with details of an on-demand scanner log, displayed after double-clicking the log in the main Log pane, as well as the MD5 or SHA1 hash of the file in question.
     
  7. somerandomguy (Registered Member, joined May 14, 2012, 6 posts)

    I opened up my quarantine and submitted for analysis from there. I took a screenshot of exactly what you asked for, and no, I'm not going to do an MD5 checksum on something in quarantine as I don't even know how or where on the file hierarchy this quarantined file is located. Did you see the screenshot I made above?

    Hm, come to think of it, this was a virus off a torrent site, not porn. The timestamp on the file shows this, and if I remember correctly I was looking for an app on Demonoid to make iPhone ringtones. The torrent in question was a copy of -http://www.imtoo.com/iphone-ringtone-maker.html-...
     
    Last edited by a moderator: May 16, 2012
  8. somerandomguy (Registered Member, joined May 14, 2012, 6 posts)

    I'm certain I know now where I got this worm from. It was from the iPhone ringtone app I downloaded; I looked at the timestamps of when I got the worm and when I downloaded and installed that app and they are almost identical. Now when I open up its properties, it looks identical to the properties of the Acrobatupdate.exe. I am unable to submit for analysis; I could zip it up or something and upload it somewhere. I'm getting an error when trying to submit for analysis.

    http://i48.tinypic.com/2h2gqw8.jpg
     
  9. lodore (Registered Member, joined Jun 22, 2006, 9,006 posts)

    Follow the instructions here.
     
  10. somerandomguy (Registered Member, joined May 14, 2012, 6 posts)

    Sent per instructions.
     