Author Topic: Real malware PAK_Generic.001 or just a false positive..  (Read 6549 times)

0 Members and 1 Guest are viewing this topic.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Real malware PAK_Generic.001 or just a false positive..
« on: December 07, 2011, 07:10:59 PM »
See what we have here: unknown_file_$INSTDIR/SkyMonk.exe infected with PAK_Generic.001
See where it resides: http://www.virustotal.com/url-scan/report.html?id=2dc1aa59754d1414e08b910b75d2b130-1323276410
See the file scan results: http://www.virustotal.com/file-scan/report.html?id=0ca983e14180413f2173d7653a716e1bec144cd384ecd77560c8d55ba385f554-1323280198
Found to be suspicious here:
http://siteinspector.comodo.com/public/reports/754269
See: http://r.virscan.org/b42b1172ffe8f5047c4cb46a41671455
Here the scan was given clean:
Checking: -http://letitbit.net/skymonk_25436578_91.exe
Engine version: 5.0.2.3300
Total virus-finding records: 2892364
File size: 3.56 MB
File MD5: 50023ad4b9fcd92ec3432575b084cefa

-http://letitbit.net/skymonk_25436578_91.exe - archive NSIS
>-http://letitbit.net/skymonk_25436578_91.exe/script.bin - Ok
>-http://letitbit.net/skymonk_25436578_91.exe/___\modern-header.bmp - Ok
>-http://letitbit.net/skymonk_25436578_91.exe/___\InstallOptions.dll - Ok
>-http://letitbit.net/skymonk_25436578_91.exe/State - Ok
>-http://letitbit.net/skymonk_25436578_91.exe/SkyMonk.exe packed by UPX
>>-http://letitbit.net/skymonk_25436578_91.exe/SkyMonk.exe - Ok
>-http://letitbit.net/skymonk_25436578_91.exe/update.exe packed by UPX
>>-http://letitbit.net/skymonk_25436578_91.exe/update.exe - Ok
>-http://letitbit.net/skymonk_25436578_91.exe/filter.dll packed by UPX
>>-http://letitbit.net/skymonk_25436578_91.exe/filter.dll - Ok
>-http://letitbit.net/skymonk_25436578_91.exe/english.loc packed by UPX
>>-http://letitbit.net/skymonk_25436578_91.exe/english.loc - Ok
>-http://letitbit.net/skymonk_25436578_91.exe/russian.loc packed by UPX
>>-http://letitbit.net/skymonk_25436578_91.exe/russian.loc - Ok
>-http://letitbit.net/skymonk_25436578_91.exe/skymonk.dat - Ok
>-http://letitbit.net/skymonk_25436578_91.exe/marker.exe packed by UPX
>>-http://letitbit.net/skymonk_25436578_91.exe/marker.exe - Ok
>-http://letitbit.net/skymonk_25436578_91.exe/MailRuSputnik_rfrletitbit2_s_mpcln9514_lite.exe - Ok
>-http://letitbit.net/skymonk_25436578_91.exe/___\md5dll.dll packed by UPX
>>-http://letitbit.net/skymonk_25436578_91.exe/___\md5dll.dll - Ok
>-http://letitbit.net/skymonk_25436578_91.exe/___\InetLoad.dll - Ok
>-http://letitbit.net/skymonk_25436578_91.exe/___\UserInfo.dll - Ok
>-http://letitbit.net/skymonk_25436578_91.exe/___\System.dll - Ok
>-http://letitbit.net/skymonk_25436578_91.exe/___\endownload.ini - Ok
>-http://letitbit.net/skymonk_25436578_91.exe/___\rudownload.ini - Ok
>-http://letitbit.net/skymonk_25436578_91.exe/___\ensetup.ini - Ok
>-http://letitbit.net/skymonk_25436578_91.exe/___\rusetup.ini - Ok
-http://letitbit.net/skymonk_25436578_91.exe - Ok 
Is that so, really?
See:
http://vscan.urlvoid.com/file/50023ad4b9fcd92ec3432575b084cefa/c2t5bW9uay0yNTQzNjU3OC05MS1leGU=/

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Real malware PAK_Generic.001 or just a false positive..
« Reply #1 on: December 07, 2011, 10:45:57 PM »
Hi forum friends,

Always good to go back on your tracks and re-evaluate.
Polonus is getting older folks, :o
Here it was previously found to be clean in an earlier version some time ago, re: http://forum.avast.com/index.php?topic=88089.0

But according to this report:  http://isthisfilesafe.net/md5/A22641A2A15CE6BA3AAB04774DD652F5_details.aspx
there is spyware like activity and trojan downloader activity...
See also analysis: http://xml.ssdsandbox.net/view/50023ad4b9fcd92ec3432575b084cefa
because of
1.- C:\DOCUME~1\Dave\LOCALS~1\Temp\nsaD.tmp
see explanation: http://www.prevx.com/filenames/X841050630301398688-X1/NSAD.TMP.html
2. - nsvB.tmp is found with generic PUP finds,
3. - nsaD.tmp\UserInfo.dll denotes a GEN PWS
4. - \modern-header.bmp. for security risk - downloader
5. - mutex  {60EC43DF-7CB2-42d4-9873-7904458AA629} file disassembler mutex

Virus alerts:
CAT-QuickHeal: (Suspicious) - DNAScan
McAfee: New Win32.g4
TrendMicro-HouseCall: PAK_Generic.001
TrendMicro: PAK_Generic.001
Sophos: Sus/Behav-200
Finally we find:
6. - ----Class Name (CicMarshalWndClass) Window Name (CicMarshalWndIGB)
this characteristic for trojan like activity,

polonus
« Last Edit: December 07, 2011, 10:48:31 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!