installb[1].exe goes undetected

Discussion in 'ESET NOD32 Antivirus' started by SmackyTheFrog, Jul 9, 2009.

Thread Status:
Not open for further replies.
  1. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    I've been having a problem with workstations getting hit with a malicious exe called "installb[1].exe" running in their profile and downloading additional trojans. It started popping up yesterday morning at which point I submitted a sample of it, but 4 signature updates later and still nothing. Shows up in %userprofile%\Local Settings\Temp\ and has a MD5 of 1d68fe6ef503f2c3969d7dadc19572f6. Microsoft seems to be the only one that has built an actual signature for it at this point: ~VirusTotal link link removed per Policy.~
    Can we get an update for this thing? I'm getting tired of sitting here and remotely killing off processes and cleaning up profiles.
     
    Last edited by a moderator: Jul 9, 2009
  2. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    Hi smacky, I'm going to guess you've already submitted the file? If not I'd send them an email with it and make sure you put "URGENT" in the title.
     
  3. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    I've been submitting them through the gui since I frankly don't see any change in the response between the two methods. Might as well zip it up and sent out an email as well since I'm bothering to post about the thing.
     
  4. Mister Natural

    Mister Natural Registered Member

    Joined:
    May 10, 2007
    Posts:
    225
    Location:
    3rd density St. Louis
    Hey Smacky, Just curious, are these infections coming in via email or drive by web site hits?
     
  5. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    Drive-by hits. Stuff seems to get dropped in the IE cache and then written to temp after which it stays in memory and starts pulling down god knows what else. The 4229 signatures seem to be picking up one variant of it now but I just came across another that gets missed.
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I've collected a couple of them from our sources and passed them to the vlab. I assume a generic signature will be created tomorrow, but as you know malware authors don't sleep and update their creations until they are undetected by particular AVs they focus on.
     
  7. Mister Natural

    Mister Natural Registered Member

    Joined:
    May 10, 2007
    Posts:
    225
    Location:
    3rd density St. Louis
    I'm sure you already know but make sure your adobe and flash players are up to date.
     
  8. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    Flash is up to date but we're still stuck on an old version of Acrobat due to some compatibility issues with in-house software and v9. I figured that it has been a vector for some of the nasty stuff lately but I am stuck with it. Maybe forcing DEP in to opt-out mode on the workstations will help quiet it down.
     
  9. bradtech

    bradtech Guest

    I had a machine just hit big time with this.. This damn spywareprotect 2009 is bad news.. I had a guy on roadsidehazmat.com and got redirected to some foreign site off of it to a .php site.. I sent an urgent email to eset@samples.sk to the site with php.. It would be nice if the ESET labs can get to this site while it's still up, and somehow stop this thing from installing, and popping up trojan downloaders that try to go to Chinese, and Israeli sites to keep reinfecting it..

    This thing has been going wild for over a week now doing this..
     
Thread Status:
Not open for further replies.