Author Topic: Why this malware is not flagged? - Hoax/MSIL.ArchSMS.gen  (Read 2627 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Why this malware is not flagged? - Hoax/MSIL.ArchSMS.gen
« on: November 17, 2011, 09:44:19 PM »
Hi forum friends,

See: http://www.virustotal.com/url-scan/report.html?id=a4039c8a4b19253f85c152e185159773-1321557539
File analysis: http://www.virustotal.com/url-scan/report.html?id=a4039c8a4b19253f85c152e185159773-1321557539

With DrWeb's url checker I get a decompression error scanning: Checking: -http://playertv11.ru/tvplayer11.exe
Engine version: 5.0.2.3300
Total virus-finding records: 2799758
File size: 1.87 MB
File MD5: 47f5fb93a6f8806cf98e0c0cf359fb51

-http://playertv11.ru/tvplayer11.exe - archive BZIP2
>-http://playertv11.ru/tvplayer11.exe/data000.tmp - decompression error!

Then going to a Phish tracker -http://www.jino.ru/css/_ and then to
 -undefined/an.yandex.ru/resource/r541.js with a call to setTimeout containing
Quote
function () {var K =
etc. script
Site found to be suspicious here: http://siteinspector.comodo.com/public/reports/639082
Also see: http://camas.comodo.com/cgi-bin/submit?file=44f58cfc5b967349b6828e18e5ad6aa56a031d1e807e43ba36680e598afe4c75
Also found suspicious here in 2 instances with Content-Type: application/octet-stream, see: http://urlquery.net/report.php?id=8866

Program:Win32/Pameseg.G is a detection for program installers that require the user to send SMS messages to a premium number to successfully install certain programs. Info according to the MS Malware Protection Center malware encyclopedia.

polonus
« Last Edit: November 17, 2011, 11:53:24 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
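DrWeb's checker above reports a BZIP2 archive inside the binary and a "decompression error" on the embedded data000.tmp. When triaging a sample like that, a defender wants decompression that tells a truncated stream apart from corrupt data and caps the inflated size, so a malformed or highly compressible payload cannot exhaust the scanner. The following is an added example and not part of polonus's post or of any of the tools named in the thread; the sample payload, the size cap and the function name are constructed for this illustration.

```python
import bz2

# Constructed sample: a small repetitive payload compressed with bz2, plus a
# truncated copy (imitates a scanner running out of data mid-stream) and a
# corrupted copy (header bytes zeroed).
SAMPLE_PLAIN = b"tvplayer sample payload " * 200
SAMPLE_BZ2 = bz2.compress(SAMPLE_PLAIN)
SAMPLE_TRUNCATED = SAMPLE_BZ2[: len(SAMPLE_BZ2) // 2]
SAMPLE_CORRUPT = SAMPLE_BZ2[:12] + bytes(len(SAMPLE_BZ2) - 12)

# Hypothetical cap on the inflated size; a real scanner would tune this.
MAX_OUTPUT = 16 * 1024 * 1024


def safe_bz2_inflate(blob, max_output=MAX_OUTPUT, chunk=64 * 1024):
    """Inflate a bz2 blob with a hard cap on the output size.

    Returns (status, data) where status is one of:
      'ok'        - stream ended cleanly
      'truncated' - input ran out before the end-of-stream marker
      'corrupt'   - the decoder rejected the data
      'too_big'   - output exceeded max_output, inflation stopped early
    The output may overshoot max_output by at most one chunk.
    """
    dec = bz2.BZ2Decompressor()
    out = bytearray()
    try:
        # Bound every pull with max_length so a highly compressed stream
        # cannot inflate past the cap inside a single call.
        out += dec.decompress(blob, max_length=chunk)
        while not dec.eof:
            if len(out) > max_output:
                return "too_big", bytes(out[:max_output])
            if dec.needs_input:
                # Everything we had was consumed and the end-of-stream
                # marker never appeared: the embedded archive is cut short.
                return "truncated", bytes(out)
            # Decoder still holds buffered output; drain it chunk by chunk.
            out += dec.decompress(b"", max_length=chunk)
    except (OSError, EOFError, ValueError):
        # bz2 raises OSError("Invalid data stream") on a damaged block.
        return "corrupt", bytes(out)
    return "ok", bytes(out)


if __name__ == "__main__":
    for label, blob in (("intact", SAMPLE_BZ2),
                        ("truncated", SAMPLE_TRUNCATED),
                        ("corrupt", SAMPLE_CORRUPT)):
        status, data = safe_bz2_inflate(blob)
        print(f"{label:10s} -> {status:10s} ({len(data)} bytes inflated)")
    status, data = safe_bz2_inflate(SAMPLE_BZ2, max_output=1000, chunk=512)
    print(f"capped     -> {status:10s} ({len(data)} bytes inflated)")
```

The distinction matters for triage: a truncated stream is usually a download or carving problem and worth re-fetching, whereas a stream the decoder rejects outright is either damaged or deliberately malformed to break scanners, which is exactly the case a "decompression error" verdict should flag for manual review rather than skip.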

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: Why this malware is not flagged? - Hoax/MSIL.ArchSMS.gen
« Reply #1 on: November 18, 2011, 12:20:12 AM »
Your VT results link, even for the file, only shows the URL check, not the file analysis by 43 scanners.

I tried to get a copy but it gives site unknown, perhaps it has been taken down.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not an avast user
Re: Why this malware is not flagged? - Hoax/MSIL.ArchSMS.gen
« Reply #2 on: November 18, 2011, 12:30:43 AM »
It is live   ;)

jotti: http://virusscan.jotti.org/en/scanresult/58fd0167807b4242ce179e8d5455507036cea60c
Virscan: http://r.virscan.org/report/29d8813ee835b80019d7adfb79d41253.html

ThreatExpert
http://www.threatexpert.com/report.aspx?md5=ee79891afca4c6ea9b4e02f343cd8430


Malwarebytes detects it as PUP.SmsPay


Avira lab
Quote
The file 'tvplayer11.exe' has been determined to be 'MALWARE'. Our analysts named the threat Joke/ArchSMS.eca. The term "JOKE/" denotes a Joke program that usually does not contain malicious code. Detection is added to our virus definition file (VDF) starting with version 7.11.17.220.

Norman lab
Quote
tvplayer11.exe : Processed - Hoax/ArchSMS.H

« Last Edit: November 18, 2011, 09:57:29 AM by Pondus »