Hello! Recently a few of my MSN Messenger buddies have tried to send me a file containing a trojan, which is not detected by NOD32 or any other major antivirus. The trojan hooks itself into AIM and MSN Messenger and sends itself to people on your contact list. After the file has been run, it is copied to the Windows folder and a registry key is added to make it auto-start. It then joins a channel on what seems to be a custom-made IRCd. I have tried connecting to this IRCd using a raw TCP connection and sending various commands to list the channel, without any luck. I was unable to submit a sample of this executable from inside NOD32, so I am posting it here instead, since I know ESET moderators check this forum. The file is available for download here: ~Link removed. No links to possible malware are to be posted on the forum.~ To prevent anyone from just randomly clicking this link, the file is protected with a password. The password is "virus". Regards, Peter
Here's another method to submit files, chx86: How to submit virus or potential false positive samples to ESET's labs
This trojan has been in the wild for about 1 week by now, and I have still not seen any major antivirus vendor add it to its virus definitions. I have submitted samples to F-Secure, Norton and ESET. Four of my friends have been infected (independently of each other) by this trojan. I really thought ESET would be faster and more responsive in a situation like this. I still have the original executable file that got distributed over MSN Messenger and AIM, in case someone needs it.
Yes I have. I also checked my web server log and I can confirm that the link I sent to ESET was accessed by an IP address that is owned by ESET.
Is there an alternative direct-upload ESET malware sample page? There is no way I could upload so many of my daily collections by email as that page suggests. Others do offer direct upload pages just for this purpose. For dial-up users especially it's faster than email, IMO. Thanks, EASTER
I hope you have better luck in response time than most of us. It looks like even after we spoon-feed them the samples they still take their sweet time. Maybe your sample will now take priority after reading this thread and the thread linked to it. It's just sad that you have to open a case and write a thread for a spoon-fed sample to be detected. Read this thread for more details; you are not alone. https://www.wilderssecurity.com/showthread.php?t=237315
The file in question, uploaded to our ftp today, is already detected. Detection was added last week: C:\DSC0020090325-GIF.EXE » CAB » burx.exe - IRC/SdBot trojan
It is correct, NOD32 does indeed detect the file I uploaded. However, if your computer was infected before ESET included this trojan in the virus definition database, it will still remain infected, since that file extracts another binary to your Windows home folder, which is also run at startup. I have submitted another sample to the FTP server named "Administrator.exe", which I also believe should be included in the definition database. Thanks, Peter
The proper way for submitting samples is to compress the file with WinRAR/ZIP, protect the archive with the password "infected" and email it to samples[at]eset.com. There's no official way for submitting files via ftp. By the way, the file dropped is correctly identified as IRC/Sdbot trojan.