anybody knows how to stop this?

Discussion in 'other anti-virus software' started by sach1000rt, Aug 6, 2007.

Thread Status:
Not open for further replies.
  1. sach1000rt

    sach1000rt Registered Member

    Joined:
    May 29, 2007
    Posts:
    171
    Location:
    india
    Today I got a file called googletalk which was a Win32 cabinet self-extractor. So I tried to install it, but first I scanned it with Avira and Avira didn't detect anything.
    So I happily went on to install it. Midway, EQSecure alerted on something, which was normal with any HIPS, but after 3 alerts it alerted on something which was unusual, so I submitted that file to the VirusTotal scanner; only BitDefender, AVG and WebWasher detected it as generic malware or suspicious. So I went on to install it.
    Now midway through the installation Avira started alerting that it was a trojan horse, so I
    just aborted the installation and checked the access deny option in the Avira alert.
    When I restarted the PC a new instance of svchost32.exe was running and Avira detected it again, and I checked the delete option, but it's not deleting. I tried manually from the Avira alerts to go to that folder, but I don't find anything there (I checked the show system hidden folders option).

    So I think it's one of those zero-day threats.
    Does anyone know how to stop it?
     
  2. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    Download GoogleTalk from Google and Yahoo Messenger from Yahoo. If somehow you are unable to do so, then at least download them from well-known websites like CNET, Major Geeks, etc.

    The GoogleTalk installer has a digital signature issued by VeriSign. Most files from big companies are digitally signed, another way of assuring that they have not been tampered with.

    Please check your GoogleTalk installer for this signature; if it's not there then it's definitely malware. If yes, then it's an FP.

    In any case, please submit the file to Avira for further analysis.
     
  3. sach1000rt

    sach1000rt Registered Member

    Joined:
    May 29, 2007
    Posts:
    171
    Location:
    india
    Thank you for the suggestion. Well, it was downloaded by my friend yesterday. I just saw its signature and it was something like "Win32 self extractor from Microsoft".

    After installing it there was one extra startup program called svchost32, and when I configured it not to run on startup it automatically started every time.
    And after a few seconds Avira detected 2 files as trojan horse, one of them from the C drive only and another from Temporary Internet Files. I knew it's definitely malware because I had experience with a similar type of trojan which called itself svchost and it was one of the startup items that time; whenever I closed it, it automatically loaded.

    OK, the problem has been solved. When I submitted it to VirusTotal only 4 found it as generic malware or suspicious. Prevx was one of them, so I installed Prevx and the problem has been cleaned up. Thanks.
    And I submitted the file to AV vendors, including Avira.
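Arin's advice to look for the publisher's digital signature, and sach1000rt's observation that an "svchost32" startup entry kept re-adding itself, are both things a user can check directly from PowerShell. The script below is an added example written for this thread; it is not code from the forum, from Google, or from any of the antivirus vendors mentioned. The installer path is an assumed placeholder, and the list of system-binary lookalike names is a constructed heuristic, not an official list.

```powershell
# Added example (not from the thread): verify an installer's Authenticode signature and
# audit the per-machine and per-user Run keys, flagging entries that are unsigned or whose
# file name mimics a Windows system binary but does not live under System32.
# $InstallerPath is an assumed placeholder; point it at the file you actually downloaded.

param(
    [string]$InstallerPath = "$env:USERPROFILE\Downloads\googletalk-setup.exe"
)

function Test-InstallerSignature {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "File not found: $Path"
        return $null
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
        Issuer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer } else { '<none>' }
        Verdict = if ($sig.Status -eq 'Valid') { 'signed by a trusted publisher' }
                  else { 'UNSIGNED or BROKEN signature: treat as untrusted' }
    }
}

function Get-SuspiciousRunEntries {
    # The Run/RunOnce keys are where a self-reinstating "svchost32" style entry is typically registered.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Constructed heuristic: names of real Windows binaries; a lookalike outside System32 is a red flag.
    $lookalikes = 'svchost', 'csrss', 'lsass', 'winlogon', 'explorer', 'services'
    $system32   = Join-Path $env:SystemRoot 'System32'

    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the registry provider's own metadata
            $cmd = [string]$p.Value
            # Extract the executable path: a quoted path, or the first token before whitespace.
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $exists = ($exe -ne '') -and (Test-Path -LiteralPath $exe)
            $base   = if ($exists) { [IO.Path]::GetFileNameWithoutExtension($exe).ToLower() } else { '' }
            $signed = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status -eq 'Valid' } else { $false }
            $mimic  = ($lookalikes | Where-Object { $base.StartsWith($_) }) -and
                      -not $exe.StartsWith($system32, 'OrdinalIgnoreCase')
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = $cmd
                Signed  = $signed
                Flag    = if (-not $exists) { 'target missing' }
                          elseif ($mimic)   { 'system-name lookalike outside System32' }
                          elseif (-not $signed) { 'unsigned autorun' }
                          else { '' }
            }
        }
    }
}

Test-InstallerSignature -Path $InstallerPath | Format-List
Get-SuspiciousRunEntries | Where-Object { $_.Flag } | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable. A `Status` of anything other than `Valid`, or a `Signer` that does not name the expected publisher, is the "signature is not there" case Arin describes; an autorun entry flagged as a lookalike outside System32 matches the svchost32 behaviour in this thread and is worth submitting to a vendor rather than simply deleting.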
     
  4. sach1000rt

    sach1000rt Registered Member

    Joined:
    May 29, 2007
    Posts:
    171
    Location:
    india
    Well, Kaspersky replied about the submitted file that it has been detected as
    "Backdoor.Win32.Rbot.byj" and it will be added in the next update.
    And Avira has also replied that they are going to add it.
     
  5. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    The GoogleTalk installer is NOT a Microsoft self-extracting cabinet file! Moreover, the digital signature is different. Please check the following website to get the idea.

    http://www.shavlik.com/digsigpatch1.aspx
     
  6. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Nice to see they're going to add it. :)
     
  7. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    DefenseWall, Sandboxie, PowerShadow, Returnil, FD-ISR, GeSWall, virtual machines and/or imaging, to name a few.
     
  8. Thug21

    Thug21 Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    141
    Location:
    Illinois
    Next time, if a file you run through VirusTotal comes up with several "hits," be very, very suspicious of it. At least I would be. :)

    Glad you were able to clean up your PC. :)
     
  9. sach1000rt

    sach1000rt Registered Member

    Joined:
    May 29, 2007
    Posts:
    171
    Location:
    india
    Thanks for the suggestion, Thug21.
    But what if VirusTotal doesn't come to use? I mean, if the file you scan is new malware then no scanner will detect it. In this case the same thing happened with VirusTotal.
     
  10. Doc Serenity

    Doc Serenity Registered Member

    Joined:
    Apr 4, 2007
    Posts:
    105
    Makes me think of simple things like HIPS and LUAs.
     
  11. sach1000rt

    sach1000rt Registered Member

    Joined:
    May 29, 2007
    Posts:
    171
    Location:
    india
    I just submitted it to VirusTotal and only 6 scanners have detected it.
    Kaspersky, Avira and F-Secure included it in their databases just the day before yesterday, I think. Before that only three scanners had detected it as some suspicious malware.
     