New Trojan Found

I found this on one of my client's computers. Does anyone have any ideas what this is? Once it gets in memory you can't see the file anymorein explorer. Its process doesn't show up in Task Manager, but shows up for a second in Process Explorer. Below is a zip with with the trojan. Please feel free to contact me at if you have any questions.

Deleted URL & emaill address. Pilli

 

Hi Zechlin, I removed your email addy for safety and the URL for Admin review:

Thanks. Pilli

 

Not a problem. I appreciate the help!

 

I did some reading and I don't think it's the f0r0r trojan. NAV Corp, AVG, and TDS-3 couldn't detect it.

In all my years this is the strangest little "program" I've ever seen.

 

OK, Hopefully someone will report back here about it

 

Is the Gavin the Great working on it as we speak? I'm all ears!

 

Hi there Zechlin, welcome to the forum.
Feel free to register as a member (free) so people can PM you.

Please never post links to malware in any forum, where less experienced users could get themselves into big trouble.
Just submit the zip to developers laboratories, like submit@diamondcs.com.au where they will come back with you with proper analysis and advice.

Pilli beat me to removing the link and your addy, and made sure the link is in Gavin's hands indeed
Yes, we're all interested to know about the report.

Was there more on your client's system? As many nasties don't come alone!

 

Yes, PSW.Briss.D was found on the machine as well as a lot of Spyware. Thanks!

 

Welcome as a new member and congratulations with your first member posting!

Glad you are cleaning out the system. It can take a few hours for Gavin to get back to us but fortunately they are in Perth half a day ahead of many!

 

I downloaded that file earlier.

McAfee, Bitdefender, Escan, A2, Ewido, Virus Total and Jottis all reported nothing. Although jotti did report a long time sandboxing and advised caution.

Looks suspect though.

 

Sounds like some sort of rootkit. Perhaps the new generation of spyware is here.

 

From DvK01. "It's very possible it's a new varient of BUBE as that tries to infect explorer.exe and some of the strings inside the file look remarkably similar ( but then most malware ones do ) and that hides itself when it has installed as well"

HTH Pilli

 

According to Jotti it's been packed with Yoda Protector http://yodap.cjb.net/. That's why you can't find any strings in it.

Yoda Protection features:
* Compress Sections.
* Polymorphism encryption.
* Import Table encryption/destruction.
* Anti Debug API's.
* SoftICE detection.
* CRC checking.
* API Redirection.
* Anti Dumping.
* Erase PE Header.
* Anti Debugger.
* Destroy relocation information.
* Destroy debug information.
* Eliminate DOS header.
* Optimize DOS header.
* Support OCX, DLL, and SCR files.

 

it is packed with yodaprotector. just checked it with a disassembler. beside of this the file shows "yP" as section name, that is the default section name for this protector. I'll take a look at it tomorrow.

 

Anyone have any ideas what this trojan does? Let me know what you think. Thanks!

 

Nice can o' worms Dvk It's a bank holidy in Western australia today so Gavin might not respond until tomorrow (Tuesday)

 

Anyone else hear those crickets?

 

Ah cricket, Now that is a serious game that the Aussies pinched from us Brits and now think they own it

Off topic Pilli

 

Just recieved the following email from Gavin:

Hi,

Definitely malicious, some sort of spyware or adware
Nuke it, I'll have to unpack it and analyse it much more before being able to add detection

Best regards,
Gavin

 

I recieved a reply from McAfee today.

------------------------------------------------------------
Potentially Unwanted Program added: Adware-StripPlayer
AVERT(tm) Labs, Aylesbury


Synopsis -

The thread is related to a backdoor but the sample sumbitted doesn't seem to
be related to that.
However, we found a dialer embedded into the encrypted body so we added
detection as Adware.

Please note that Adware are not viruses. This detection requires either the
command-line scanner (with /PROGRAM) or VirusScan 7 or later. Users running
VirusScan 7 or later can enable application or joke detection via the
configuration option "Find potentially unwanted programs" within the
VirusScan GUI.