Unrecognizable yet "dangerous" file...

Discussion in 'NOD32 version 2 Forum' started by blipblop, Jun 3, 2006.

Thread Status:
Not open for further replies.
  1. blipblop

    blipblop Registered Member

    Recently I read in a Greek forum about a keygen.exe file that, if you tried to run it, would do the following (according to what others said, by hex editing it):

    Deletes:

    C:\Program Files\winupdates
    C:\Windows\system32\gpedit.msc
    C:\Windows\System32\cmd.exe
    C:\Windows\pchealth\helpctr\binaries\msconfig.exe
    C:\Windows\regedit.exe
    C:\Windows\System32\taskmgr.exe
    C:\Windows\system32\mmc.exe
    C:\Windows\system32\reg.exe
    C:\Windows\system32\command.com
    C:\Program Files\winupdates\

    Disables:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr

    Changes the first page of IE and loads ads from:

    hxxp://www.gmter.com/main/
    hxxp://www.whatsfind.com/route.html

    When they uploaded the file to Jotti's and VirusTotal, only 5 antivirus products seemed to find something suspicious with it at that time (about 10 days ago):

    Avast: Win32:VB-MO
    BitDefender: Generic.Malware.Ssp.D9920CC9
    DrWeb: Trojan.Popuper
    Fortinet: suspicious
    Panda: Suspicious file

    One guy also said that he sent the file to Eset through email following the regular procedure, but till now NOD32 doesn't seem to recognize it... just yesterday Kaspersky recognized the uncompressed file as "Trojan.Win32.VB.aje" and the compressed one as "virus modification: password protected exe".

    For testing purposes (and I hope I don't break any rules)

    Removed file. No links to suspected or confirmed malware on these forums. Read the Terms of Service - Ron

    DO NOT RUN IT JUST FOR THE SAKE OF IT...IT WILL DAMAGE YOUR SYSTEM!

    My personal question is, if Eset is aware of it...
     
    Last edited by a moderator: Jun 3, 2006
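    The post above gives a concrete set of host indicators: two policy values under HKCU that disable regedit and Task Manager, a list of system binaries said to be deleted, and a changed IE start page. The script below is an added example, not something from the thread or from ESET, that checks an affected Windows machine for exactly those indicators and, with -Restore, removes the two policy values so the tools work again. It assumes Windows PowerShell 5.1 or later and that it is run as the affected user, since the values live under HKCU; the Run-key listing is an assumption about where a sample like this would persist and is reported for review rather than flagged as malicious.

```powershell
# Added example (not from the thread): host triage for the indicators listed in the post above.
# Assumes Windows PowerShell 5.1 or later, run as the affected user (HKCU values are per user).
# Read-only by default; -Restore removes the two policy values so regedit and Task Manager work again.
param([switch]$Restore)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Policy values the post says the sample sets. A value of 1 disables the tool.
$policyKey    = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policyValues = 'DisableRegistryTools', 'DisableTaskMgr'
foreach ($name in $policyValues) {
    $item = Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.$name -eq 1) {
        $findings.Add("Policy value $name = 1 (tool disabled)")
        if ($Restore) {
            Remove-ItemProperty -Path $policyKey -Name $name
            Write-Host "Removed $policyKey\$name"
        }
    }
}

# 2. System files the post says the sample deletes. Paths are taken from the post, with
#    C:\Windows replaced by %SystemRoot%. gpedit.msc is absent on XP Home by design, so a
#    missing file only counts as an indicator where it was present to begin with.
$root = $env:SystemRoot
$expectedFiles = @(
    "$root\system32\gpedit.msc",
    "$root\System32\cmd.exe",
    "$root\pchealth\helpctr\binaries\msconfig.exe",
    "$root\regedit.exe",
    "$root\System32\taskmgr.exe",
    "$root\system32\mmc.exe",
    "$root\system32\reg.exe",
    "$root\system32\command.com"
)
foreach ($path in $expectedFiles) {
    if (-not (Test-Path -LiteralPath $path)) { $findings.Add("Missing system file: $path") }
}

# 3. IE start page. The post names two ad domains; report the current value for comparison.
$ieMain    = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$startPage = (Get-ItemProperty -Path $ieMain -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
if ($startPage) { $findings.Add("IE Start Page is set to: $startPage") }

# 4. Per-user Run key (assumed persistence location; entries here are for review, not verdicts).
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-Item -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($valueName in $run.GetValueNames()) {
        $findings.Add("Run entry '$valueName' -> $($run.GetValue($valueName))")
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No indicators from the post found on this host.'
} else {
    Write-Host 'Findings (review each; Run entries and the start page are not indicators by themselves):'
    $findings | ForEach-Object { Write-Host "  $_" }
}
```

    Save it as a .ps1 and run it once without arguments to see the findings, then with -Restore to clear the two policy values. Missing system files are not restored by the script; they would need to come from installation media or the component store, which is why the policy check and the file check are reported separately.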
  2. ronjor

    ronjor Global Moderator

    blipblop

    Send the file to Eset. Don't post links to malware on these forums.
     
  3. blipblop

    blipblop Registered Member

    I apologise for that... :rolleyes:

    Should I really send this file again? As I mentioned, I can confirm that at least one more person has done this a few days ago...
     
  4. ronjor

    ronjor Global Moderator

    If the file has been sent, there is no reason to send it again.
     
  5. Brian N

    Brian N Registered Member

    There.
     

    Attached Files:

  6. NOD32 user

    NOD32 user Registered Member

    I've got a better one.

    ESET should have received this file twice - both in the last five minutes (once from VirusTotal and once from ThreatSense.Net).
    If detection is never added then that's OK with me. I understand that means it was no threat. :)

    Cheers :)
     

    Attached Files:

  7. pykko

    pykko Registered Member

    Yes... the old sample submission problem. ESET is again very "fast". I don't think Kaspersky added it as a threat and it's not. See that KAV is detecting it as a virus... it has no "not-a-virus" label. :rolleyes:
     
  8. blipblop

    blipblop Registered Member

    Hmm...I wouldn't go that far to say "no threat", especially if it has already been recognized as the exact opposite by other software.

    Personally speaking, since I'm not experienced in the matter, I can't say for sure if it falls into the trojan/virus category, but it does seem quite harmful. I'd love to know though if this kind of file justifies such a "title".

    I waited about 9-10 days before deciding to open a thread about it, taking into consideration first that it had already been submitted to Jotti, VirusTotal and Eset. The problem is that if I run this at the moment, nobody is gonna stop it from wreaking havoc on my system, and my question is whether any antivirus should warn me about it.
     
  9. pykko

    pykko Registered Member

    Well, I didn't say that blipblop. I said the opposite... the file is dangerous. ;)
    Btw, Norman added detection for it..... ESET sleeping... :ouch:
     
  10. Blackspear

    Blackspear Global Moderator

    Last edited: Jun 24, 2006
  11. blipblop

    blipblop Registered Member

    Hehe... yeah I know pykko. My post was referring to "NOD32 user" actually, but I was 1 minute late and it seemed like I was responding to yours. ;)

    I do hope that Eset will eventually look into this. After all, I decided to mention it around here not in order to bash Eset's great work in general, but to focus on this asap. All I can tell regarding my conversations in that aforementioned forum is that heuristics didn't help much in this case, unfortunately. :(
     
  12. NOD32 user

    NOD32 user Registered Member

    After you mentioned keygen.exe I fired up some old p2p software, punched in the keyword 'keygen.exe' and pulled down the first 50 matches. All of them, with just 2 exceptions, were detected by at least one scanner at VirusTotal. Generally about 95%+ of executable files obtained via p2p are detected by something at VirusTotal. Generally only a small percentage of these will be likely to get directly added to NOD32's detection because of reasons mentioned elsewhere.

    I have it on very good authority that the sample I mentioned above quote 'does nothing'. Note that it is still detected by three different products anyway.

    blipblop with the sample you mentioned above - Quote 'Files are not deleted in any way (that are part of windows), but It just disables part of the registry....zoo sample'

    I might add that if there were files missing, then something else must have done it.

    Cheers :)
     
    Last edited: Jun 4, 2006
  13. pykko

    pykko Registered Member

    nod32_user....
    this file is a threat whether you like to admit it or not. Is it OK for you to disable parts of the registry and to download ads?
     
  14. Marcos

    Marcos Eset Staff Account

    The first file will most likely be added in the upcoming update; the other appears to be benign - it doesn't perform any suspicious action. BTW, it seems to be a trojan that changes some system policies and registers itself in the Run key, so nothing extraordinary.
     
  15. pykko

    pykko Registered Member

    thx, Marcos for the news. ;)
     
  16. pykko

    pykko Registered Member

    Here's the updated result from virustotal.com. :thumb:
     

    Attached Files:

  17. NOD32 user

    NOD32 user Registered Member

    Thanks for the confirmation, Marcos.

    Cheers :)
     
  18. blipblop

    blipblop Registered Member

    Thanks for taking care of it! :)

    Honestly, I was a bit surprised that heuristics didn't help much in this case... by intuition alone and according to what I read from others, it didn't seem that "special". You could tell its actions (more or less) simply by hex editing it.

    Nevertheless good work...
     