Potential Malware!! :- MediaPluginInstall from game play labs is a spyware!!!

[Zyndstoff (aka Steven Gail)]

What do you want Avast to notice?

There's 38 scanners out of 40 that say it's clean.  

And one of the others is VIPRE... not known for good results anyway.

[Pondus]

@Zyndstoff  see the Vipre detection name

http://www.virustotal.com/file-scan/report.html?id=1d86690a7f0959533649b31898efa07b91d8a141bf468d39557a3ddb6b5a2018-1302798056

Then look on reply #24

[Zyndstoff (aka Steven Gail)]

@Zyndstoff  see the Vipre detection name

http://www.virustotal.com/file-scan/report.html?id=1d86690a7f0959533649b31898efa07b91d8a141bf468d39557a3ddb6b5a2018-1302798056

Then look on reply #24

I'm aware of that.
Didn't know you can distinguish malware by reading the EULA... most of every software would be malware in one way or the other if you take their respective EULA literally.

[Pondus]

Didn't know you can distinguish malware by reading the EULA

they did more then just read the EULA

Just looking at the file briefly will not tell you this information but more indepth research will

[Zyndstoff (aka Steven Gail)]

So, if that is so, then a new scan today, which is significantly later, should bring up 36 or more scanners showing positiv results?

[polonus]

Hi Pondus,

Two flags are more than one as searched the malware hash...
VirusTotal.com     2/40 (5%) detected malware

ThreatExpert.com   New/Nothing Found

Team-CYMRU.org     New/Nothing Found

Now lets use the common google search query "MediaPluginSetup.exe BHO.C" and what do we get...e.g.:
This report for WOT: http://www.mywot.com/en/forum/11086-fake-media-player-spreading-through-facebook

This with another added flag: http://virscan.org/report/36f7a8ba55a616e274915fa4a3e3c4b1.html
CP Secure finding: Troj.Downloader.W32.Aphex.020

So what you think?

polonus

[Pondus]

So, if that is so, then a new scan today, which is significantly later, should bring up 36 or more scanners showing positiv results?

Is it the exact same sample ?  same MD5 ?

[Zyndstoff (aka Steven Gail)]

So, if that is so, then a new scan today, which is significantly later, should bring up 36 or more scanners showing positiv results?

Is it the exact same sample ?  same MD5 ?

Sorry, I don't have that file. I would just like to see more scanners jumping on it.

[Pondus]

Sorry, I don't have that file. I would just like to see more scanners jumping on it.

Working on it   

[Zyndstoff (aka Steven Gail)]

Sorry, I don't have that file. I would just like to see more scanners jumping on it.

Working on it   

  waiting

[polonus]

Hi Pondus and Zyndstoff,

This adds to the suspicion: http://vscan.novirusthanks.org/analysis/20d3f7c94b5265c14d05554c50eb8fa1/bWVkaWFwbHVnaW5zZXR1cC1leGU=/

and jotti's: http://virusscan.jotti.org/en/scanresult/3eae48334dfd051c642d6e31beef4c7bdf26c62c

virustotal at three detections now and ThreatExpert reporting:
http://www.virustotal.com/file-scan/report.html?id=dccf714d5a272fe6e52db6dd26c5279cea46570b295f70b0a1d0e112a531b518-1302351204

http://www.threatexpert.com/report.aspx?md5=20d3f7c94b5265c14d05554c50eb8fa1

So it is coming like our friend Pondus predicted,

polonus

P.S. for the browser BHO PlugIn, see: http://www.google.nl/search?sourceid=chrome&ie=UTF-8&q=0xD7DC7DFE31FA56BBF486E947D89C68F3

D

[Pondus]

yep seems to be the same type, but different MD5...
looks as they do the same as with FakeAV....new MD5 on every sample...
so i was hoping @nounzein should respond so i could get his sample to be 100% sure


here is one more, and again new MD5
http://www.virustotal.com/file-scan/report.html?id=1ffb8c2870f5913928817d64ae361f0a26c20085b64b8336709aa48ee8ce5690-1302812934


Malwarebytes detect as - Spyware.GamePlayLabs

[polonus]

Hi Pondus,

So the morphing goes on like in "neverending story", good we have you to track them down (and some others as well),
ThreatExpert does not have that one yet. Question is this an older one:
htxp://d.gameplaylabs.com/ce9237be57719933386c8a88b67bf7a5/install.xml?pid=4
poor rep scan: http://www.mywot.com/en/scorecard/d.gameplaylabs.com

Scanned without results here: http://wepawet.iseclab.org/domain.php?hash=a8445223b1364b1b8a9a9bc4f7180d42&type=js

Check the MD5 hashes at virus check, I think not reported yet,

polonus

[Pondus]

Hi Pondus,

So the morphing goes on like in "neverending story", good we have you to track them down (and some others as well),
ThreatExpert does not have that one yet,

polonus

I will upload the sample to them 

[DraKuL]

I'd like to say that Malwarebytes' definitions are spot on! The way they make users to download and install that plugin, and the fact that you dont actually need it to play videos on facebook is very suspicious.. (As shown in the link polonus posted)

Hope Avast adds it to their definitions as it would help so many users..