Avast does not detect TR/Dldr.Agent.uur.2

[polonus]

See: http://zulu.zscaler.com/submission/show/a9be11de7f98f96b0963152cc1453b24-1344951358
See: https://www.virustotal.com/file/09402c2230605db072d3fad621afbb1cdcbb6c798ef61e8808a53a9a7b5766dc/analysis/

Reported to virus AT avast dot com

[polonus]

Hi forum friends,

Sparktrust has it listed: http://security.sparktrust.com/infected-websites-for-july-22nd-2012/
Interesting link: http://security.sparktrust.com/malware-entries/

pol

[Pondus]

Not detected by SuperAntiSpyware   

Malwarebytes detect as Worm.Agent   

[polonus]

Hi Pondus,

Thanks for checking this one out, but there is also more interesting info on the packers used.
VT lists:
TrID
UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda's Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
PEiD packer identifier
UPX 2.93 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
DrWeb finds:

Checking: htxp://gjgt.sk/%7Efuller/dotakeys1.3/autoupdate.exe?fakeParam=3D3D%26%26amp%2F%26%2F%2F/
Engine version: 7.0.3.7130
Total virus-finding records: 3086527
File size: 209.84 KB
File MD5: e22b03decb36b26ee2c7b83becf02ec3

htxp://gjgt.sk/%7Efuller/dotakeys1.3/autoupdate.exe?fakeParam=3D3D%26%26amp%2F%26%2F%2F/ packed by UPX
>htxp://gjgt.sk/%7Efuller/dotakeys1.3/autoupdate.exe?fakeParam=3D3D%26%26amp%2F%26%2F%2F/ - archive AUTOIT
>>htxp://gjgt.sk/%7Efuller/dotakeys1.3/autoupdate.exe?fakeParam=3D3D%26%26amp%2F%26%2F%2F//_ahk\warpath\dotakeys1.3\pokusy\upd\update_checking.gif - Ok
>>htxp://gjgt.sk/%7Efuller/dotakeys1.3/autoupdate.exe?fakeParam=3D3D%26%26amp%2F%26%2F%2F//_ahk\warpath\dotakeys1.3\pokusy\upd\update_downloading.gif - Ok (Nebezpečné pokusy)
>>htxp://gjgt.sk/%7Efuller/dotakeys1.3/autoupdate.exe?fakeParam=3D3D%26%26amp%2F%26%2F%2F//_ahk\warpath\dotakeys1.3\pokusy\upd\update_available.gif - Ok (Nebezpečné pokusy)
>>htxp://gjgt.sk/%7Efuller/dotakeys1.3/autoupdate.exe?fakeParam=3D3D%26%26amp%2F%26%2F%2F//_ahk\warpath\dotakeys1.3\pokusy\upd\update_notfound.gif - Ok (Nebezpečné pokusy)
>>htxp://gjgt.sk/%7Efuller/dotakeys1.3/autoupdate.exe?fakeParam=3D3D%26%26amp%2F%26%2F%2F//_ahk\warpath\dotakeys1.3\pokusy\upd\line.gif - Ok
>>htxp://gjgt.sk/%7Efuller/dotakeys1.3/autoupdate.exe?fakeParam=3D3D%26%26amp%2F%26%2F%2F//DOCUME~1\Fucko\LOCALS~1\Temp\ahk1E7.tmp - Ok (hidden files an folders!)
>htxp://gjgt.sk/%7Efuller/dotakeys1.3/autoupdate.exe?fakeParam=3D3D%26%26amp%2F%26%2F%2F/ - Ok

compare the encoding heuristics to those given here: http://www.malwareblacklist.com/searchClearingHouse.php?search=soft.youxi123.com/download/comsc/setup_7.exe?

DotaKeys, the program that allows you to remap keys in Warcraft 3 map DotA:Allstars # see: http://www.mywot.com/en/scorecard/gjgt.sk?utm_source=addon&utm_content=popup-donuts    url also flagged by Bitdefender's TrafficLight as unsafe...

Above you see the update files haven't been found - fakeParam ddbeug parameter etc...

polonus

[Pondus]

htxp://gjgt.sk/%7Efuller/dotakeys1.3/autoupdate.exe?fakeParam=3D3D%26%26amp%2F%26%2F%2F//DOCUME~1\Fucko\LOCALS~1\Temp\ahk1E7.tmp

not detected
https://www.virustotal.com/file/09402c2230605db072d3fad621afbb1cdcbb6c798ef61e8808a53a9a7b5766dc/analysis/1344983914/


sendt avast lab   

[polonus]

Hi Pondus,

Thank you very much for checking and reporting. Very attentive of you  (hidden files and folders gave away the clue apparently), but the additional scanning produced this detection...Well let us hope avast adds this to detection soon,

polonus