Trojan.Dropper.ExeBundle.AC MISSED by NOD32

Appears to be a rebase or repack of the following variant. Only 3 products found it, NOD32 missed it, even in /AH operations.. Ugh I uploaded the file to my website, if anyone wants to take a look, let me know in PM and i'll send you a link so not to swamp my bandwidth allotment.

AKA: (probably a rebased variant of dropper?)

MultiDropper-FD
Win32:Trojan-gen. {UPX!}
Trojan horse Dropper.ExeBundle.AC
Trojan.Muldrop.660
TrojanDropper.Win32.ExeBund

So far:

NOD32: Missed (including /AH command line option for Advanced Heuristics)
BitDefender: Missed
BOClean: Missed
TDS3: Missed
Ewido: Missed
Trojan Remover: Missed
Trend Online: Missed
Panda Full Edition: Missed
Antivir(H+Bdev): Missed (Including their new deep heuristic engine)
Symantec Corporate: Missed (yes, super heuristics were ON)
PCcillin(trend): Missed
eTRUST: Missed

Dr.Web: Found
McAfee: Found
KAV5: Found (note, their online scan MISSED, but installed product got)
EDIT: F-Secure also nailed this guy, and the baddies INSIDE this guy!

 

ExeBundle probably refers to a program that can do a silent dropping/execution of files. It's not malware in itself, and some might use it for a good purpose..

I'm not sure it should be detected. Whatever it is dropping might be malware, and detected as such, though.

Best regards,
Anders

 

Oh its a real threat all right.. Kevin over at BOClean dissected this badboy, and found that indeed its nasty. Not only is the packed thingy a problem, but inside that, are a few undefined "Mystery Meats" as he calls them. I don't have permission to repost Kevins email to me describing the exact makeup of this new threat, perhaps he will surf past here soon. But needless to say, i've sent this file off to most of the AV/AT products out, and only BOClean has responded with detailed analysis of it, including adding protection from it.

Sadly, NOD32 missed BOTH the packer AND all of the badguys INSIDE the packed file (Rebased). This is a big-time miss, but NOD32 isn't alone, most products missed it as I said above, only 4 AV's picked it up.

I'm rather puzzled to hear that you think NOD32 might shouldn't detect a program that is OFTEN used to drop trojans according to what I read, and in fact, in this case, its being used to drop a few NEW REBASED trojans at the same time? (which were missed by NOD32 as well)

Download the file I PM'd you, run it, then come back and tell me if you feel that NOD32 shouldn't detect it.. That is if your test system still boots.

 

Eset has had it for 24 hours. Kevin had it for maybe an hour, and issued some updates to fix this up nicely, and responded with more data on the file. Currently, I have 2 tech-friends testing it more on virtual machines.

Ewido also has this file, no word back from him yet, but Ewido update today didn't change its lack of detection. TDS3 doesn't have it yet, I don't know where to send it.

BitDefender has it as well, and I think a couple others, I forgot.

You also have a PM with information on how to get it from me, but PLEASE don't post that publicly, as I just slapped it up on my website because its too large to email. (Its shareware anyway).

 

Hi, Kobra

Try Here:- submit@diamondcs.com.au
Take Care,
TheQuest

Sorry mail Link not a Link
Fixed

 

Update: its been sent to TDS3

 

Just as a matter of interest you've already included some definitions for ExeBundle in your product:

NOD32 - v.1.539 (20031022)
Win32/TrojanDropper.Exebundle.131, Win32/TrojanDropper.Exebundle.131.dropper, Win32/TrojanDropper.Exebundle.22, Win32/TrojanDropper.Exebundle.23, Win32/TrojanDropper.Exebundle.272, Win32/TrojanDropper.Exebundle.28,

What this says to me, as a layman, is that you've considered Exebundle a threat before, which seems to be in contradiction to what you've just posted here.

What it also suggests to me is that you're not able to dynamically detect newly repacked versions (because you cannot unpack them to check the contents) and can only detect the versions you've had submitted to you in the past.

Again, purely as a matter of interest, exactly how many packers and archivers does your product support? I obviously don't want you to list each one, as that would only highlight which tool to use to repack and circumvent your product, but a ballpark figure of the number of supported methods would be appreciated.

Redd.

 

Yeah, thanks but that's a 'such as', I want figures of all to get some idea of just how seriously they're covering base on the repacking thing.

 

Update: Here was ESETS response -

http://home.comcast.net/~prolawn00/eset.JPG

As for the others... TDS, Ewido, BOClean have already added definitions for the packer and the baddies inside the packer.

 

That's just too funny.

 

Bad Kobra, bad.

LMAO.

"Trojans? Bah! We will kill them all, God willing."

(oh don't get me started. LOL)

 

lmao, well done Kobra

Cheers