Author Topic: 1.ex-, a generic trojan detection not detected by avast (Read 2768 times)

polonus · « **on:** December 03, 2011, 10:30:07 PM »

Hi forum friends,

See: http://www.virustotal.com/url-scan/report.html?id=0fa131edd1dcdf89b93bbb4f6fbb6a4e-1322930372
and the additional file scan:
http://www.virustotal.com/file-scan/report.html?id=19bc66610a719563c48ba0159b8b2268212a1d9b1bc1d3fd358b5ab8d31852c9-1322933995
See: http://anubis.iseclab.org/?action=result&task_id=158d2b7cfd226e094f1ecefc3f0c43fc5
see: http://vscan.urlvoid.com/file/8abc7bdfe58ce297a92506221c1f20fc/MS1leGU=/

polonus

P.S. An earlier variant with the name 1.exe from that site avast detected as: Win32:FakeAlert-BNK [Trj]
see: http://www.virustotal.com/latest-report.html?resource=18f3f93ce3bf474b09d42d9802ebf776

D

Asyn · « **Reply #1 on:** December 03, 2011, 10:46:43 PM »

Report    2011-12-03 21:42:41 (GMT 1)
Website    solarelectricinstaller.com
Domain Hash    8827f41357ad51abc94f7a90c12e1d01
IP Address    50.22.91.2 [SCAN]
IP Hostname    taro.websitewelcome.com
IP Country    -- (--)
AS Number    36351
AS Name    SOFTLAYER - SoftLayer Technologies Inc.
Detections    10 / 23 (43 %)
Status    DANGEROUS

http://amada.abuse.ch/?search=solarelectricinstaller.com
http://malc0de.com/database/index.php?search=solarelectricinstaller.com
http://www.malwaredomainlist.com/mdl.php?search=solarelectricinstaller.com
http://www.mywot.com/en/scorecard/solarelectricinstaller.com
http://www.malwareblacklist.com/searchClearingHouse.php?search=solarelectricinstaller.com

Report    2011-12-03 22:38:54 (GMT 1)
IP Address    50.22.91.2
IP Hostname    taro.websitewelcome.com
IP Country    --
AS Number    N/A
AS Name    N/A
Detections    5 / 26 (19 %)
Status    DANGEROUS

http://cbl.abuseat.org/lookup.cgi?ip=50.22.91.2
http://www.malwaredomainlist.com/mdl.php?search=50.22.91.2
http://www.mywot.com/en/scorecard/50.22.91.2
http://www.spamhaus.org/query/bl?ip=50.22.91.2

Web server details
Scan for: hxxp://solarelectricinstaller.com/Gallery-Images/1.exe
Hostname: solarelectricinstaller.com
IP address: 50.22.91.2

System Details:
Running on: Apache
System info: mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635

Blacklist status
Domain blacklisted on the Opera browser (via AVG): solarelectricinstaller.com - reference

Sucuri
web site:    hxxp://solarelectricinstaller.com/Gallery-Images/1.exe
status:    Site blacklisted, malware not identified
web trust:     Site blacklisted.

Security report (Site blacklisted):
error     Blacklisted:    Yes

spg SCOTT · « **Reply #2 on:** December 03, 2011, 10:50:18 PM »

avast blocks it via the network shield. (oddliy, while it alerted on the malzilla attempt at getting it, it didn't stop it...)

Sent to avast.

polonus · « **Reply #3 on:** December 03, 2011, 11:00:41 PM »

Hi spg SCOTT,

Thanks for giving the actual shield protection status and thanks for sending this unknown executable to virus AT avast dot com,

That site has been spreading malware via names like sultan.ex- (dead), face.ex- (dead), x.ex-, sp.ex-, dd.ex-, malware like Trojan.Generic.KDV.433454, Trojan:Win32/Comame, TR/Danmec.L, DDOS/Dofoil.A.5, W32/FakeAV.OZ!tr (all live), shield protection against this site is vital,

polonus

Asyn · « **Reply #4 on:** December 03, 2011, 11:04:54 PM »

Quote from: polonus on December 03, 2011, 11:00:41 PM

...shield protection against this site is vital,

+1

Author Topic: 1.ex-, a generic trojan detection not detected by avast (Read 2768 times)

polonus

1.ex-, a generic trojan detection not detected by avast

Asyn

Re: 1.ex-, a generic trojan detection not detected by avast

spg SCOTT

Re: 1.ex-, a generic trojan detection not detected by avast

polonus

Re: 1.ex-, a generic trojan detection not detected by avast

Asyn

Re: 1.ex-, a generic trojan detection not detected by avast