Undetected trojan

Discussion in 'ESET NOD32 Antivirus' started by chx86, Mar 27, 2009.

Thread Status:
Not open for further replies.
  1. chx86

    chx86 Registered Member

    Joined:
    Mar 27, 2009
    Posts:
    6
    Hello!

    Recently a few of my MSN Messenger buddies have tried to send me a file containing a trojan, which is not detected by NOD32 or any other major antivirus.

    The trojan hooks itself into AIM and MSN messenger and sends itself to people on your contact list. After the file has been run, it is copied to the Windows folder and a registry key is added to make it auto start. It then joins a channel on what seems to be a custom made IRCd. I have tried connecting to this IRCd using a raw TCP connection and sending various commands to list the channel without any luck.

    I was unable to submit a sample of this executable inside NOD32, so I am posting it here instead since I know ESET moderators checks this forum.

    The file is available for download here:

    ~Link removed. No links to possible malware are to be posted on the forum.~

    To prevent anyone from just randomly clicking this link, the file is protected with a password. The password is "virus".

    Regards,
    Peter
     
    Last edited by a moderator: Mar 27, 2009
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,719
    Location:
    Texas
  3. chx86

    chx86 Registered Member

    Joined:
    Mar 27, 2009
    Posts:
    6
    This trojan has been in the wild for about 1 week by now, and I have still not seen any major antivirus vendor add it to its virus definition. I have submitted samples to F-secure, Norton and ESET.

    Four of my friends have been infected (independently of each other) by this trojan. I really thought ESET would be faster and more responsive in a situation like this. I still have the original executable file that got distributed over MSN Messenger and AIM, in case someone needs it.
     
  4. PaulB2005

    PaulB2005 Registered Member

    Joined:
    Apr 19, 2005
    Posts:
    525
    Have you submitted a copy as per the link above?
     
  5. chx86

    chx86 Registered Member

    Joined:
    Mar 27, 2009
    Posts:
    6
    Yes I have. I also checked my web server log and I can confirm that the link I sent to ESET was accessed by an IP address that is owned by ESET.

     
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Is there an alternative direct uplink ESET malware sample page? There is no way I could upload so many of my daily collections by email as that page suggests.

    Others do offer direct upload pages just for this purpose. For dial-up users especially it's faster than email IMO.

    Thanks

    EASTER
     
  7. NAMOR

    NAMOR Registered Member

    Joined:
    May 19, 2004
    Posts:
    1,526
    Location:
    Arkham Asylum
    Would FTP do?
    https://www.wilderssecurity.com/showpost.php?p=1381799&postcount=21
     
  8. chx86

    chx86 Registered Member

    Joined:
    Mar 27, 2009
    Posts:
    6
    Uploaded a sample of the trojan. Let's hope they add it to the signature database this time :)
     
  9. GrammatonCleric

    GrammatonCleric Registered Member

    Joined:
    Jan 8, 2009
    Posts:
    372
    I hope you have better luck in response time than most of us.
    It looks like even after we spoon-feed them the samples they still take their sweet time.
    Maybe your sample will now take priority after reading this thread and the thread linked to it.
    It's just sad that you have to open a case and write a thread for a spoon-fed sample to be detected.
    Read this thread for more details, you are not alone.
    https://www.wilderssecurity.com/showthread.php?t=237315
     
  10. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    The file in question, uploaded to our ftp today, is already detected. Detection was added last week:
    C:\DSC0020090325-GIF.EXE » CAB » burx.exe - IRC/SdBot trojan
     
  11. chx86

    chx86 Registered Member

    Joined:
    Mar 27, 2009
    Posts:
    6
    It is correct, NOD32 does indeed detect the file I uploaded. However, if your computer was infected before ESET included this trojan in the virus definition database, it will still remain infected, since that file extracts another binary to your Windows home folder, which is also run at startup.

    I have submitted another sample to the FTP server named "Administrator.exe", which I also believe should be included in the definition database.

    Thanks,
    Peter
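    The two posts above describe the same defender-relevant point: the dropper is one file, but the persistence that matters is the second binary it copies into the Windows folder and registers under an autostart key, so cleaning the dropper alone leaves the machine infected. The script below is an added example (not code from the thread, ESET or any poster) that triages Run-key entries the way an analyst would when checking a machine after the fact. It parses the text format that `reg query` prints for a Run key, pulls the image path out of each value, and flags entries whose executable sits directly in the Windows folder or runs from a Temp directory. The registry listing, the `C:\Windows` location and the "Administrator.exe" value are constructed sample data based on the thread's description, and the two flagging rules are a heuristic of this example, not a vendor's detection logic.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of `reg query <key>` output for two Run keys (not captured from a real host).
# The "Updater" entry imitates what the thread describes: a dropped binary in the Windows folder.
SAMPLE_REG_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\peter\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater     REG_SZ    C:\Windows\Administrator.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
"""

# Assumed environment expansions; a real triage would read them from the host.
ENV = {"%windir%": r"C:\Windows", "%SystemRoot%": r"C:\Windows"}

KEY_RE = re.compile(r"^(HKEY_[A-Z_]+\\.*)$")
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*)$")


def extract_image_path(data: str) -> str:
    """Return the executable path from a Run value's data, dropping arguments."""
    data = data.strip()
    for var, val in ENV.items():
        # Lambda avoids backslash-escape interpretation in the replacement string.
        data = re.sub(re.escape(var), lambda _m, v=val: v, data, flags=re.IGNORECASE)
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end != -1 else data[1:]
    m = re.match(r"(.*?\.exe)(?:\s|$)", data, re.IGNORECASE)
    return m.group(1) if m else data.split()[0]


def parse_run_entries(text: str) -> list:
    """Parse `reg query` style output into one dict per autostart value."""
    entries, current_key = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1).strip()
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current_key:
            name, vtype, data = value_match.groups()
            entries.append({
                "key": current_key,
                "name": name,
                "type": vtype,
                "data": data.strip(),
                "image": extract_image_path(data),
            })
    return entries


def is_suspicious(image: str, windir: str = r"C:\Windows"):
    """Heuristic of this example: flag images dropped straight into the Windows folder
    or launched from a Temp directory. Returns (flagged, reason)."""
    path = PureWindowsPath(image)
    if str(path.parent).lower() == windir.lower():
        return True, "executable sits directly in the Windows folder"
    if any(part.lower() == "temp" for part in path.parts):
        return True, "executable runs from a Temp directory"
    return False, ""


def triage(text: str) -> list:
    """Return only the autostart entries that trip a heuristic, with the reason attached."""
    flagged = []
    for entry in parse_run_entries(text):
        hit, reason = is_suspicious(entry["image"])
        if hit:
            flagged.append({**entry, "reason": reason})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_REG_OUTPUT):
        print(f"[{hit['key']}] {hit['name']} -> {hit['image']}: {hit['reason']}")
```

    The point of the exercise is the one chx86 makes: a signature for the dropper tells you nothing about hosts infected before the signature shipped, so post-incident checks have to look at what persists (autostart entries and the binaries they point to), not at the file that arrived over the messenger.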
     
  12. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    The proper way for submitting samples is to compress the file with WinRAR/ZIP, protect the archive with the password "infected" and email it to samples[at]eset.com. There's no official way for submitting files via ftp. By the way, the file dropped is correctly identified as IRC/Sdbot trojan.
     
    Last edited: Mar 31, 2009