Found a malicious file, not detected by NOD 2.7

I think I found a malicious file. When I run it, this is what it does:

A lcass.exe file is created in C:\WINDOWS\system32\

Creates a lcass.exe startup entry which can only be seen in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

It cannot be seen in msconfig>startup


I am on XP Pro SP2 and NOD32 2.7 doesn't detect it. Spybot S&D reports it as "SCKeylogger".

I have a link to the file if anyone else wants to test it but I won't post it here. PM me.

I would really appreciate it if someone could help me analyse this file. I'm worried it still left traces on my pc even when I manually deleted it and I want to absolutely make sure it has left nothing else behind, I don't want to have to reformat my pc again.

 

Re: Found a malicious file, not detected by NOD32

Sorry for posting this in this section, I wasn't sure where to post it. This concerns NOD32 2.7, I don't have NOD32 3 so I don't know if it detects it.

Also, you can only remove the startup entry in safe mode otherwise it will keep recreating automatically, I'm not sure what is causing this behaviour.

 

Re: Found a malicious file, not detected by NOD32

No problem about the miss post and We are now in the appropriate forum

Edit:

This was a keygen file and as suspected, neither of the 2 most used online scanners showed a detection by any of the AV's.

Also, additional info can be gleamed from the below online sandbox results of the keygen.exe file:

Sunbelt

ThreatExpert

 

Re: Found a malicious file, not detected by NOD32

There shouldn't be any difference in detection between the two.

Follow the instructions in this thread;

https://www.wilderssecurity.com/showthread.php?t=178177

 

Re: Found a malicious file, not detected by NOD32

Thanks for the analysis reports. So it seems like this file is indeed malicious then?

Also, what is "\Device\RasAcd2 and how can I delete it from my system? I've deleted the other files.

 

Re: Found a malicious file, not detected by NOD32

Lots of child executables, but no network connections, no autostart entries, no rootkit behaviour

 

Re: Found a malicious file, not detected by NOD32

So what's the verdict on the file? Safe or unsafe? It's strange it creates the lcass.exe file and creates a registry startup entry.

 

Re: Found a malicious file, not detected by NOD32

The Sunbelt Sandbox reports much more information than ThreatExpert.
Acording to Sunbelt, that file launches a hidden instance of IE and initiates an outgoing connection to a remote server. This is malicious behaviour.

 

Re: Found a malicious file, not detected by NOD32

Based on the report what would you do to ensure there are no traces left behind?

 

Re: Found a malicious file, not detected by NOD32

- Contact ESET support with a log of ESET's SysInspector and a link to this thread.
- Going to a malware cleaning forum and post a Hijackthis log.
- Format and start from scratch.

 

Re: Found a malicious file, not detected by NOD32

Once the keygen.exe is executed all bets are off as noted with the "outgoing connection to a remote server" you noticed

 

Re: Found a malicious file, not detected by NOD32

Please compress the file with WinRAR/ZIP, protect the archive with the password "infected" and send it to samples[at]eset.com for analysis.

 

Hi Marcos, I have PM'd you a link instead.