hidden file !readme.exe infected by Doomber.D

Discussion in 'malware problems & news' started by alex T, Nov 20, 2004.

Thread Status:
Not open for further replies.
  1. alex T

    alex T Registered Member

    Joined:
    Jan 12, 2004
    Posts:
    25
    AntiVir found a hidden file "!readme.exe" infected by doomber on my computer.
    I sent it to virustotal and virusscan; only four AVs reported it as infected: AntiVir, Panda, Norman and Sybari (some under the name Ghostbot).
    Such readme.exe files are listed in virus definitions, but not with a leading exclamation mark, and if the file is hidden there is very little chance that somebody clicks on it.

    Is it a false alarm or not?
     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
  3. r3l4x

    r3l4x Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    19
    Most of the !readme.exe files I've analyzed were infected by "Gobot" (better known as Ghost Bot), which is a trojan/IRC backdoor written by P0sitr0n in the Delphi language.

    So I can tell you it's almost certain the file isn't a false positive (however, if you want to be sure you can send me the file at fileanalysis@email.it ;) )

    Regards

    :)
     
  4. r3l4x

    r3l4x Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    19
    sorry for the delay, I hadn't seen your e-mail :)

    Don't worry, that's a corrupted file, not dangerous :) Please delete it :)

    Best Regards :)
     
  5. alex T

    alex T Registered Member

    Joined:
    Jan 12, 2004
    Posts:
    25
    Thank you for this analysis.
    Even if it's a harmless damaged version, it doesn't explain how it arrived on my computer. If the creation date is correct, it was there for two months.
     
  6. r3l4x

    r3l4x Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    19
    I could try to imagine how it got onto your PC.
    For example, an incomplete transfer to your PC. This worm uses several ways to copy itself onto a PC, for example via NetBIOS. If the transfer encountered problems, the copied file was damaged.
    Or, another example, a bad download from peer-to-peer software that corrupted the file.
    These are only attempts at an explanation ;)

    Regards :)
     
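Before accepting a "corrupted file, not dangerous" verdict like the one given above, a defender would want to confirm the corruption structurally, e.g. check whether the PE image is truncated the way an interrupted NetBIOS or peer-to-peer copy would leave it. The check below is an added example, not code from this thread or from any product named in it; the PE sample is constructed inline and the function names are my own.

```python
import struct

def pe_truncation_check(data: bytes) -> dict:
    """Parse the DOS/COFF/section headers of a PE image held in memory and
    report whether the file is shorter than its section table promises."""
    findings = {"valid_dos": False, "valid_pe": False, "sections": 0,
                "truncated": False, "missing_bytes": 0}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return findings                      # not even a DOS stub
    findings["valid_dos"] = True
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # COFF header is 24 bytes ("PE\0\0" + 20-byte file header)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        findings["truncated"] = True         # cut off before the PE header
        return findings
    findings["valid_pe"] = True
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sec_table = e_lfanew + 24 + opt_size     # section headers follow the optional header
    findings["sections"] = num_sections
    end_needed = 0
    for i in range(num_sections):
        off = sec_table + 40 * i             # each IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            findings["truncated"] = True     # section table itself is cut off
            findings["missing_bytes"] = off + 40 - len(data)
            return findings
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        end_needed = max(end_needed, raw_ptr + raw_size)
    if end_needed > len(data):               # raw section data extends past EOF
        findings["truncated"] = True
        findings["missing_bytes"] = end_needed - len(data)
    return findings

def build_sample(truncate_to=None) -> bytes:
    """Constructed minimal PE: one .text section, 0x200 raw bytes at offset 0x200,
    so a complete file is exactly 0x400 bytes. Optionally cut it short."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE header right after stub
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200,
                                        0, 0, 0, 0, 0x60000020)
    image = (bytes(dos) + coff + sec).ljust(0x400, b"\0")
    return image if truncate_to is None else image[:truncate_to]

if __name__ == "__main__":
    print(pe_truncation_check(build_sample()))        # complete image
    print(pe_truncation_check(build_sample(0x300)))   # 256 bytes of .text missing
```

A file that fails this check cannot be loaded by the Windows loader, which is consistent with the "damaged, not dangerous" verdict; a file that passes still needs a real scan.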