Virus

Discussion in 'NOD32 version 2 Forum' started by al_ufa, Apr 30, 2007.

Thread Status:
Not open for further replies.
  1. al_ufa

    al_ufa Registered Member

    Joined:
    Apr 30, 2007
    Posts:
    3
    this virus nod32 can not find, but avp yet already does this

    ~Link Removed - Ron~

    will soon be a renovation of the bases nod32?
     
    Last edited by a moderator: Apr 30, 2007
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,719
    Location:
    Texas
    Hello al_ufa,

    Please send any samples you find to Eset rather than posting links here on the forum.
     
  3. ASpace

    ASpace Guest

    I checked that page before Ron removes the link and I believe that there is no malware there . Site Advisor confirms.Possible false positive for AVP/KAV.
     
  4. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    If you still have a copy of the file, submit it to PC Tools threat expert (see below):

    http://www.pctools.com/threat-expert/

    Submitting it there will give you a report via email about the file's characteristics and behaviour. Then at least you will have a vague idea of whether it is actually malicious or not. If threat expert does not detect and suspicious behaviour, then its probably an FP with KAV. :)
     
  5. The_Duality

    The_Duality Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    276
    Location:
    Liverpool, UK
    Ditto, i also checked and got no warning of malware, and Firefox WOT (like site-advisor) flags the website as trustworthy.
     
  6. al_ufa

    al_ufa Registered Member

    Joined:
    Apr 30, 2007
    Posts:
    3
    ~jpgs containing link to malware removed. - Ron~
     
    Last edited by a moderator: May 1, 2007
  7. NAMOR

    NAMOR Registered Member

    Joined:
    May 19, 2004
    Posts:
    1,526
    Location:
    Arkham Asylum
    I tried the link in the first pic with Dr.Web and got the following result. It looks like Avira,ArcaVir,AVG, VBA32 are flagging the file as well. Did you send sample(s) to Eset like ronjor suggested? If not, I can...

    http://img.photobucket.com/albums/v219/NAMOR/drweb.png
     
    Last edited by a moderator: May 1, 2007
  8. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    It looks like it is indeed malware. I checked the demo.exe file, and it is infected with a trojan horse. I think those of you who who have visited the site may already be infected. I do not think, however that the PHP file is infected.

    demo.exe is infected, detected by ArcaVir, AntiVir, AVG, Dr.Web, Kaspersky and VBA32. Apparently it is a trojan downloader. I am submitting it to PC Tools Threat Expert for further analysis. AVG picked this up on my computer as well (even the free edition detects this). :)

    Those of you who visited the webpage with an AV that didn't detect this, watch out, check your PC carefully. But this may yet be an FP. I will submit a thorough report of this file once I get feedback from PC Tools. :)
     
    Last edited by a moderator: May 1, 2007
  9. al_ufa

    al_ufa Registered Member

    Joined:
    Apr 30, 2007
    Posts:
    3

    I gave him reference, which have deleted in the first message.
     
  10. NAMOR

    NAMOR Registered Member

    Joined:
    May 19, 2004
    Posts:
    1,526
    Location:
    Arkham Asylum

    I checked the PHP link and Drweb's realtime scanner didn't find anything while the java applet was being launched, but scanning my Docs and Settings folder resulted in the following.

    http://img.photobucket.com/albums/v219/NAMOR/drweb2.png
     
  11. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Got the results from Threat Expert. It says that this file (demo.exe) is 100% malware.

    1)There was a new process created in the system:

    Process name: [filename of the sample#1]
    Process filename: [path and filename of the sample#1]
    Main module size: 229, 376 bytes

    2)There was a new memory page created in the address space of the system processes:

    Process Name: svchost.exe
    Process filename: %System%\svchost.exe

    The data identified by the following URL was then requested from a remote web server (website removed for safety reasons)

    Analysis of the Downloaded file:

    1)The following files were created in the system:

    - %System%\rsvp32_2.dll (ASPack packed)
    - [file and pathname of the sample #1]
    - %System%\sporder.dll

    2) There is a new process created in the system:

    Process name: Name of the sample
    Process filename: File and pathname of the sample #1
    Size: 86,016 bytes

    New kernel mode driver is installed in the system:

    %System%\drivers\ws2ifsl.sys

    3)
    • The following Registry Keys were created:
      • HKEY_LOCAL_MACHINE\SOFTWARE\WinSock2
      • HKEY_LOCAL_MACHINE\SOFTWARE\WinSock2\rsv
      • HKEY_LOCAL_MACHINE\SOFTWARE\WinSock2\rsv\009609f2-4582-4efb-b9b4-5fd3ff48d7d3
      • HKEY_LOCAL_MACHINE\SOFTWARE\WinSock2\rsv\3acfb079-93af-4c85-aa69-944c63daf039
      • HKEY_LOCAL_MACHINE\SOFTWARE\WinSock2\rsv\48e4d553-95e2-48c3-82db-249281f76f12
      • HKEY_LOCAL_MACHINE\SOFTWARE\WinSock2\rsv\4c7f0322-1f28-4126-80ae-5dd9a4bd8fa0
      • HKEY_LOCAL_MACHINE\SOFTWARE\WinSock2\rsv\724c5150-695c-4d29-a376-ebd8c3ac2889
      • HKEY_LOCAL_MACHINE\SOFTWARE\WinSock2\rsv\8e5b72f4-01c0-4826-b4fe-fd6e2e0e3717
      • HKEY_LOCAL_MACHINE\SOFTWARE\WinSock2\rsv\d39c6198-0f0d-48b9-acbd-3d78af92e24e
      • HKEY_LOCAL_MACHINE\SOFTWARE\WinSock2\rsv\d9657a0d-302e-4aad-b393-e2f15c808bd7
      • HKEY_LOCAL_MACHINE\SOFTWARE\WinSock2\rsv\dcc6770b-cd25-4ef2-b0df-a2e5b5ef0c34
      • HKEY_LOCAL_MACHINE\SOFTWARE\WinSock2\rsv\e5f08471-2083-4f1a-ab28-5212bce3aa47
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WS2IFSL
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WS2IFSL\0000
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WS2IFSL\0000\Control
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WS2IFSL\Security
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WS2IFSL\Enum
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WS2IFSL
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WS2IFSL\0000
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WS2IFSL\0000\Control
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL\Security
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL\Enum
    The newly created registry values are detailed in the attached text file.

    I hope this post was of some help :p :D

    I'll look at the PHP file a little bit later.
     

    Attached Files:

  12. NAMOR

    NAMOR Registered Member

    Joined:
    May 19, 2004
    Posts:
    1,526
    Location:
    Arkham Asylum
    OT: Thanks for posting that Threat Expert site Firecat, didn't even know it was there. Handy place... :D
     
  13. bathisland

    bathisland Registered Member

    Joined:
    Jul 1, 2005
    Posts:
    85
    Am not bashing Nod32 as I have it installed on my system and I have always preferred it.

    But I am hearing more and more cases like this and I am wondering if I made the right decision. I think I need to switch to KAV. What is happening with Nod32? :'(
     
  14. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    That's why you shouldn't rely on site rating tools. However, Link Scanner flagged that website as malicious
    All AVs miss malware samples every day. Don't forget that this is the ESET support forum, so we should expect more people complaining than being thankful :)
     
  15. The_Duality

    The_Duality Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    276
    Location:
    Liverpool, UK
    Indeed, a lesson learnt there! I am still learning... :oops:

    Running an online scan now with Kaspersky Online Scanner, just to clean out anything that got in. Also thinking of cashing in on that 30% off "switch to kaspersky" offer :doubt:

    Not sure what to do now! :p
     
  16. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    You're in the right way ;)
    Regarding site rating tools, I've found that Link Scanner is the most accurate and/or the first to flag a compromised site which previously was rated as safe. According to this test, Trend Micro's Trend Protect is also better than SiteAdvisor (the oldest site rating tool).
    Still, you should make the final decision about visiting a site or not. Site rating tools rely heavily on blacklists (Link Scanner also has a engine which looks for exploits) and blacklists are always playing catch up with the bad guys.
    Browse inside a sandbox or a virtual machine :)
     
  17. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Do what you must. Try asking Eset for support (i.e. send the sample to them if you have it), if you are not satisfied, start a thread in the other AV forums for advice on which AV to switch to if you are planning to do that. :)

    In future, practice safe hex and do not visit unknown websites. :)

    BTW, the downloaded file by the demo.exe is detected by NOD32 as "probably a variant of Win32/Genetik trojan".
     
  18. The_Duality

    The_Duality Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    276
    Location:
    Liverpool, UK
    Thankyou for the advice, very much appreciated! :)

    Im going to look into Trend Protect now, from what I read from the link you kindly posted, it seems like a worthwhile download! I shall also look into sandboxing as well. Interesting concept that i have been reading about for a while...

    Kaspersky web scanner is coming up clean for the moment. I only clicked on the .php link... stupidly i know... :blink: and the general concensus i have read here is that it was safe, (plus the java appplet NAMOR described never got time to load before i realised the error of my ways) so it may turn out okay :).

    Cheers for the advice Firecat, i dont have a sample (never touched the two links that were posted most recently), so i doubt asking ESET anything will do much. :p

    Ill just stick with NOD32, considering that it detects the demo.exe trojan of which you speak.

    Thanks again :)
     
  19. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    The demo.exe file itself is not detected, but the file downloaded by it named zupastik.exe is detected by NOD32. Just thought I'd make that clear. ~Snip~
     
    Last edited by a moderator: May 1, 2007
  20. ASpace

    ASpace Guest

    If you have that demo.exe submit it to ESET labs , pls . :thumb:
     
  21. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    I need to submit it to samples<at>eset.com, right?

    Do I need to include anything specific apart from a short description and the password of the archive?
     
  22. The_Duality

    The_Duality Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    276
    Location:
    Liverpool, UK
    Ahhh i see! Well ill stick to NOD32 anyway. :p

    So does demo.exe just download zupastik.exe? Looking at the analysis you made of Demo.exe, it doesnt appear to be a virus itself, just the delivery mechanism for the trojan. I should have read that analysis properly ;)

    Do you think eset would add detection for such a file as demo.exe? Seeing as though it is only the downloader for the virus itself? and the fact that NOD32 detects the downloaded virus anyway?
     
  23. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Eset already detects a lot of Trojan Downloaders. This may not be in priority for them, but if they have the sample, they'll add it one day, maybe few weeks or few months later. So its best to send the sample to them. :)

    I'll send it by tomorrow (Feeling lazy at the moment). :)
     
  24. The_Duality

    The_Duality Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    276
    Location:
    Liverpool, UK
    ahhh i understand. Well im happy as long as nod32 detects the trojan being downloaded. I agree that the downloaders are probably not their priority, especially if nod picks up the downloaded nasty bit.

    Thanks everyone for your answers and advice, and for putting up with my questions! :p

    I learnt a lot from this :)
     
  25. ASpace

    ASpace Guest

    You have never submitted file to AV vendor ? Never to ESET ? ? ?

    Just submit the file , link to this thread , short description ; if in a password-protected archive , the password also... and yes , samples @ eset . com :)
     
Thread Status:
Not open for further replies.