nod32 not catching this one in the wild

Discussion in 'ESET NOD32 Antivirus' started by vtol, Apr 8, 2010.

Thread Status:
Not open for further replies.
  1. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    Highly probable malware received via email: a zipped attachment containing Facebook_document_56757.exe

    "
    Dear user of facebook,

    Because of the measures taken to provide safety to our clients, your password has been changed.
    You can find your new password in attached document.

    Thanks,
    Your Facebook.
    "


    Additional information
    File size: 59392 bytes
    MD5 : f1c88e12dddb0d3684a8cb2fd0a5d52b
    SHA1 : 5eeb0a8f1891a61d8862bf5ea7a299f2828a7dd9
    SHA256: 4d296f1d5cbd172176a120460adf7b330735d5cac5f6f874c92f547057c69d13
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x1F470
    timedatestamp.....: 0x46807471 (Tue Jun 26 04:05:37 2007)
    machinetype.......: 0x14C (Intel I386)

    ( 3 sections )
    name viradd virsiz rawdsiz ntrpy md5
    UPX0 0x1000 0x12000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
    UPX1 0x13000 0xD000 0xC600 7.86 3f9f87858e265c748c2d10498efa77b8
    .rsrc 0x20000 0x2000 0x1400 4.91 fd53f2329373c641a547409215e545c9

    ( 5 imports )

    > comctl32.dll: PropertySheetW
    > kernel32.dll: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
    > msvcrt.dll: free
    > oleaut32.dll: VariantInit
    > shlwapi.dll: StrCatW

    ( 0 exports )
    TrID : File type identification
    Win32 Executable Generic (38.4%)
    Win32 Dynamic Link Library (generic) (34.2%)
    Clipper DOS Executable (9.1%)
    Generic Win/DOS Executable (9.0%)
    DOS Executable Generic (9.0%)
    ThreatExpert: http://www.threatexpert.com/report.aspx?md5=f1c88e12dddb0d3684a8cb2fd0a5d52b
    ssdeep: 1536:baniByYM1rIPKyaTH2zkr5gNM89FPsw2hn7V1NnYSo8z:b5ByYTPDiHekrir9aj7uSoo
    sigcheck: publisher....: n/a
    copyright....: n/a
    product......: n/a
    description..: n/a
    original name: n/a
    internal name: n/a
    file version.: n/a
    comments.....: n/a
    signers......: -
    signing date.: -
    verified.....: Unsigned
    Prevx Info: http://info.prevx.com/aboutprogramtext.asp?PX5=DCD0DFDB0012B7D0E81100496D935000F7F7A6ED
    PEiD : -
    packers (Kaspersky): PE_Patch.UPX, UPX
    packers (F-Prot): UPX
    RDS : NSRL Reference Data Set
     
    Last edited: Apr 8, 2010
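    The scan report above already carries the classic static tell-tales of a UPX-packed sample: a section named UPX0 with 0 bytes on disk but 0x12000 bytes reserved in memory, a UPX1 section at entropy 7.86, an entry point that falls inside UPX1 rather than the first section, and an import table stripped down to the loader stub (LoadLibraryA, GetProcAddress, VirtualProtect). The following triage script is an added example, not code from this thread or from ESET; the section records, import list and entry point are constructed from the numbers in the report, the byte samples for the entropy function are constructed, and the thresholds and the `packer_indicators` scoring are assumptions for illustration, not any vendor's heuristics.

```python
"""Static packer triage over a PE section table and import list.

Added example. The SECTIONS, IMPORTS and ENTRY_POINT values are
constructed from the scan report posted in the thread; thresholds
are assumptions for this example, not ESET's heuristics.
"""
import math
from collections import Counter
from dataclasses import dataclass


@dataclass
class Section:
    name: str
    virt_addr: int   # RVA where the section is mapped
    virt_size: int   # bytes occupied in memory
    raw_size: int    # bytes present in the file on disk
    entropy: float   # bits per byte as reported by the scanner (0.0 .. 8.0)


# Constructed from the "( 3 sections )" table in the report.
SECTIONS = [
    Section("UPX0", 0x1000, 0x12000, 0x0, 0.00),
    Section("UPX1", 0x13000, 0xD000, 0xC600, 7.86),
    Section(".rsrc", 0x20000, 0x2000, 0x1400, 4.91),
]

# Constructed from the "( 5 imports )" list in the report.
IMPORTS = {
    "comctl32.dll": ["PropertySheetW"],
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualProtect",
                     "VirtualAlloc", "VirtualFree", "ExitProcess"],
    "msvcrt.dll": ["free"],
    "oleaut32.dll": ["VariantInit"],
    "shlwapi.dll": ["StrCatW"],
}

# "entrypointaddress.: 0x1F470" from the report.
ENTRY_POINT = 0x1F470


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte. 8.0 is the ceiling; compressed
    or encrypted data sits close to it, padding and plain code far below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def section_containing(sections, rva):
    """Return the section whose virtual range covers rva, or None."""
    for s in sections:
        if s.virt_addr <= rva < s.virt_addr + s.virt_size:
            return s
    return None


def packer_indicators(sections, imports, entry_point):
    """List the reasons a sample looks packed (thresholds are assumptions)."""
    reasons = []
    for s in sections:
        if s.name.upper().startswith("UPX"):
            reasons.append(f"{s.name}: default UPX section name")
        if s.raw_size == 0 and s.virt_size > 0:
            reasons.append(f"{s.name}: 0 bytes on disk, 0x{s.virt_size:X} in memory (unpack target)")
        if s.entropy >= 7.0:
            reasons.append(f"{s.name}: entropy {s.entropy:.2f} (compressed or encrypted payload)")
    ep = section_containing(sections, entry_point)
    if ep is not None and ep is not sections[0]:
        reasons.append(f"entry point 0x{entry_point:X} lies in {ep.name}, not the first section")
    funcs = {f for names in imports.values() for f in names}
    loader_stub = {"LoadLibraryA", "GetProcAddress", "VirtualProtect"}
    if loader_stub <= funcs and len(funcs) <= 12:
        reasons.append("tiny import table that still carries the loader stub "
                       "(LoadLibraryA/GetProcAddress/VirtualProtect)")
    return reasons


def is_likely_packed(sections, imports, entry_point, min_reasons=3):
    """Simple vote: three or more independent indicators flag the sample."""
    return len(packer_indicators(sections, imports, entry_point)) >= min_reasons


if __name__ == "__main__":
    # Constructed byte samples showing what the entropy column measures.
    print("zero padding :", round(shannon_entropy(b"\x00" * 64), 2))
    print("two symbols  :", round(shannon_entropy(b"\x00\x01" * 32), 2))
    print("all 256 bytes:", round(shannon_entropy(bytes(range(256))), 2))
    for r in packer_indicators(SECTIONS, IMPORTS, ENTRY_POINT):
        print("-", r)
    print("likely packed:", is_likely_packed(SECTIONS, IMPORTS, ENTRY_POINT))
```

Packing alone is not malice (plenty of legitimate software ships UPX-compressed), which is why the vote needs several independent indicators and why a scanner that only matches signatures on the packed bytes can miss a fresh build like this one; the indicators are a reason to emulate or unpack the sample before deciding, not a verdict.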
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I assume it was added to the last update issued a couple of hours ago.
     
  4. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    Did submit the sample even prior to posting here.

    And yes, it is in the update and now classified as Win32/Oficla.FV trojan.

    What is worrisome though is that it slipped under NOD32's radar; not even advanced heuristics detected it, considering that the content of the file does not conceal its intention much. However, to be thorough and fair, NOD32 would have blocked the Russian URLs contacted to suck more stuff onto the system.
     
    Last edited: Apr 9, 2010