Found a malicious file, not detected by NOD 2.7

Discussion in 'NOD32 version 2 Forum' started by smsmasters, Feb 7, 2008.

Thread Status:
Not open for further replies.
  1. smsmasters

    smsmasters Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    7
    I think I found a malicious file. When I run it, this is what it does:

    A lcass.exe file is created in C:\WINDOWS\system32\

    Creates a lcass.exe startup entry which can only be seen in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    It cannot be seen in msconfig>startup


    I am on XP Pro SP2 and NOD32 2.7 doesn't detect it. Spybot S&D reports it as "SCKeylogger".

    I have a link to the file if anyone else wants to test it but I won't post it here. PM me.

    I would really appreciate it if someone could help me analyse this file. I'm worried it still left traces on my pc even when I manually deleted it and I want to absolutely make sure it has left nothing else behind, I don't want to have to reformat my pc again.
     
  2. smsmasters

    smsmasters Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    7
    Re: Found a malicious file, not detected by NOD32

    Sorry for posting this in this section, I wasn't sure where to post it. This concerns NOD32 2.7, I don't have NOD32 3 so I don't know if it detects it.

    Also, you can only remove the startup entry in safe mode otherwise it will keep recreating automatically, I'm not sure what is causing this behaviour.
     
  3. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Re: Found a malicious file, not detected by NOD32

    No problem about the miss post and We are now in the appropriate forum ;)

    Edit:

    This was a keygen file and as suspected, neither of the 2 most used online scanners showed a detection by any of the AV's.

    Also, additional info can be gleamed from the below online sandbox results of the keygen.exe file:

    Sunbelt

    ThreatExpert

    KeyGen.gif
     
    Last edited: Feb 7, 2008
  4. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
  5. smsmasters

    smsmasters Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    7
    Re: Found a malicious file, not detected by NOD32

    Thanks for the analysis reports. So it seems like this file is indeed malicious then?

    Also, what is "\Device\RasAcd2 and how can I delete it from my system? I've deleted the other files.
     
  6. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Re: Found a malicious file, not detected by NOD32

    Lots of child executables, but no network connections, no autostart entries, no rootkit behaviour :doubt:
     
  7. smsmasters

    smsmasters Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    7
    Re: Found a malicious file, not detected by NOD32

    So what's the verdict on the file? Safe or unsafe? It's strange it creates the lcass.exe file and creates a registry startup entry.
     
  8. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Re: Found a malicious file, not detected by NOD32

    The Sunbelt Sandbox reports much more information than ThreatExpert.
    Acording to Sunbelt, that file launches a hidden instance of IE and initiates an outgoing connection to a remote server. This is malicious behaviour.
     
  9. smsmasters

    smsmasters Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    7
    Re: Found a malicious file, not detected by NOD32

    Based on the report what would you do to ensure there are no traces left behind?
     
  10. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Re: Found a malicious file, not detected by NOD32

    - Contact ESET support with a log of ESET's SysInspector and a link to this thread.
    - Going to a malware cleaning forum and post a Hijackthis log.
    - Format and start from scratch.
     
  11. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Re: Found a malicious file, not detected by NOD32

    Once the keygen.exe is executed all bets are off as noted with the "outgoing connection to a remote server" you noticed ;)
     
  12. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Re: Found a malicious file, not detected by NOD32

    Please compress the file with WinRAR/ZIP, protect the archive with the password "infected" and send it to samples[at]eset.com for analysis.
     
  13. smsmasters

    smsmasters Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    7
    Hi Marcos, I have PM'd you a link instead.
     
Thread Status:
Not open for further replies.