Reporting suspected new trojan

Discussion in 'NOD32 version 2 Forum' started by seaephpea, Sep 22, 2006.

Thread Status:
Not open for further replies.
  1. seaephpea

    seaephpea Registered Member

    Joined:
    Sep 22, 2006
    Posts:
    8
    I have a suspected trojan downloader on my PC and I have a reasonable hunch which file initially caused the infection, yet it is not being picked up by Nod32/Spybot/AdAware/Trojan Hunter.

    Is there somewhere I could submit the file for analysis?

    The chief symptom is that Firefox is starting (windowless) at startup and is trying to connect to pichingo.redirectme.net using TCP port 2000.

    I e-mailed the "report abuse" address for "redirectme.net" and they have now disabled that account, which I presume means it is now "mostly harmless" at least.

    Thanks,

    cfp
     
  2. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland
  3. seaephpea

    seaephpea Registered Member

    Joined:
    Sep 22, 2006
    Posts:
    8
    Ooops, how embarrassing. Sorry!

    cfp
     
  4. ASpace

    ASpace Guest

    Can you find the suspected file and submit it to ESET as well as to VirusTotal?
     
  5. seaephpea

    seaephpea Registered Member

    Joined:
    Sep 22, 2006
    Posts:
    8
    I've already submitted it to Eset. I'll submit it to VirusTotal as well though.

    cfp
     
  6. seaephpea

    seaephpea Registered Member

    Joined:
    Sep 22, 2006
    Posts:
    8
    Results removed due to forum rules. In short more antiviruses failed to find anything than did, and NOD32 was in the first group.
     
    Last edited: Sep 23, 2006
  7. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    Hello seaephpea

    You may want to modify your post as I don't think we are allowed to post any screenshots or info from virustotal or jotti on here anymore.
     
  8. ASpace

    ASpace Guest

    I know we are some kind of forbidden to post VT's reports, but the point here is not to show who detects this and who doesn't but to see if this is not a False Positive. Obviously, it is not, as we see; however, ESET will add it when they find it appropriate (https://www.wilderssecurity.com/showpost.php?p=198429&postcount=18)

    Thank you !

    Seaephpea, I recommend you check your NOD32 settings with Blackspear's tutorial and perform a full scan with NOD32. Also run Ewido Micro.

    Good luck ! :thumb:
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    The fact that a file is flagged by more AVs does not automatically indicate that it's not a false positive. Actually, I've come across a bunch of files flagged by more AVs which were actually false positives. This does not seem to be the case, however, and detection will be added shortly.
     
    Last edited by a moderator: Sep 23, 2006
  10. seaephpea

    seaephpea Registered Member

    Joined:
    Sep 22, 2006
    Posts:
    8
    I ran an Ewido Anti-Spyware scan yesterday and I think that has cleaned it. Firefox is no longer being started at log-in at least.

    I'll give Ewido Micro a go too though to be safe.

    cfp
     
  11. seaephpea

    seaephpea Registered Member

    Joined:
    Sep 22, 2006
    Posts:
    8
    Ahh Ewido Micro is Ewido Anti-Spyware. I hadn't realised.

    cfp
     
  12. ASpace

    ASpace Guest

    You are right, Marcos! Sorry!



    ,
    which is excellent !

    :thumb: :thumb: :thumb:
     
    Last edited by a moderator: Sep 23, 2006
  13. seaephpea

    seaephpea Registered Member

    Joined:
    Sep 22, 2006
    Posts:
    8
    OK the infected file gets put in C:\windows\system32\micorsoft.exe (note misspelling). I'm sure I looked at system32 by date modified, but I must have missed it.

    cfp
     
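    The dropped file above hides behind a near-miss of a familiar name ("micorsoft.exe"). As an added example that is not part of this thread, the script below flags executables whose names are one edit (including an adjacent-letter swap) away from a list of trusted stems; the trusted list and the directory listing are constructed assumptions, not data from the thread.

```python
# Added example (not from the thread): flag executables whose names are near
# misses of trusted names, such as "micorsoft.exe" dropped in system32.
# "micorsoft" -> "microsoft" is a transposition, which costs 1 under the
# optimal string alignment (OSA) metric but 2 under plain Levenshtein, so OSA
# is used here to keep the threshold tight.
from pathlib import PureWindowsPath

# Assumed list of stems an attacker might imitate; extend per environment.
TRUSTED_STEMS = {"microsoft", "svchost", "explorer", "lsass", "csrss", "winlogon"}


def osa_distance(a: str, b: str) -> int:
    """Edit distance where insert, delete, substitute and adjacent swap cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]


def flag_lookalikes(paths, max_distance: int = 1):
    """Return (path, trusted_stem, distance) for names close to, but not equal to, a trusted stem."""
    hits = []
    for p in paths:
        stem = PureWindowsPath(p).stem.lower()
        if stem in TRUSTED_STEMS:
            continue  # an exact trusted name is not a lookalike
        for trusted in TRUSTED_STEMS:
            dist = osa_distance(stem, trusted)
            if dist <= max_distance:
                hits.append((p, trusted, dist))
    return hits


# Constructed directory listing standing in for a system32 enumeration.
SAMPLE_LISTING = [
    r"C:\windows\system32\svchost.exe",
    r"C:\windows\system32\micorsoft.exe",
    r"C:\windows\system32\notepad.exe",
    r"C:\windows\system32\explorer.exe",
]

if __name__ == "__main__":
    for path, trusted, dist in flag_lookalikes(SAMPLE_LISTING):
        print(f"{path}: resembles '{trusted}' (distance {dist})")
```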
  14. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
  15. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    I for one don't think it's still undetected :)
     
  16. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    that's good news then. ;)
     