Author Topic: Is this a real virus or just a PUP?  (Read 4029 times)

polonus (avast! Überevangelist, malware fighter)
Is this a real virus or just a PUP?
« on: April 09, 2011, 02:45:25 PM »
Heuristic flag for WS.Reputation.1 detected in one instance here: wXw.castlesoft.net/download/dictionary.exe
See: http://wepawet.iseclab.org/view.php?hash=746c128fd7755ece0d6ed5ba6f73aa7d&t=1302358672&type=js
qualified as suspicious - Anubis report: http://anubis.iseclab.org/?action=result&task_id=16aa33fc273baf1a4b14b1a9c8991d48f&format=html
Again there it says no threats could be detected,
see: htxp://jsunpack.jeek.org/dec/go?report=49e390080829d6895dc0ca93cb385b1629d21b97
(for the security aware, visit sandboxed and with script blocking enabled)
The file is a malware known as "CaM.Malware.Win32.PEx.Delphi.1008594529". - 40191 source: nick=CRDF
Malc0de record (source malc0de.com):
Date: 2011-04-01
Domain: wXw.castlesoft.net/download/dictionary.exe
IP: 217dot66dot226dot15
CC: PS
ASN: 15975
Autonomous System Name: Palnet Communications (Hadara Tech)
MD5 (ThreatExpert report): 8980ce008fd864b9ed1bbdbc5445f86b
See:
http://www.virustotal.com/file-scan/report.html?id=130027af469aaf26aeaa7fc96e660e12272852e8e22318a9e585a388ae6b284b-1302060166
Heuristic detection, malware or PUP (riskware)? Googling for "CaM.Malware.Win32.PEx.Delphi" more leads to qualifications as riskware, PUP, remote admin tool etc. So avast could have detected this as Win32:PUP-gen

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

polonus (avast! Überevangelist, malware fighter)
Re: Is this a real virus or just a PUP?
« Reply #1 on: April 09, 2011, 03:16:12 PM »
Well folks, it seems that this flag as WS.Reputation is based on users questioning the webreputation of the site in question or what is on there, similar site: htxp://ircinfo.ru/download/config-generator.exe
See: http://www.virustotal.com/latest-report.html?resource=6ad86721b23f727b16ec759a1f83efee
See: http://www.virustotal.com/file-scan/report.html?id=19ee18fd145a31a52343329d37b0ce79868dac65be3dbc14019dbddaafe3216a-1301760851
But this is not a site with riskware, but found to be dangerous here:
http://www.urlvoid.com/scan/ircinfo.ru
a site with many instances of IRC.BOT on it
hxtp://ircinfo.ru/download/pirc2_2.exe (Trojan.Zlob)

polonus

Left123 (avast! Evangelist, Advanced Poster)
Re: Is this a real virus or just a PUP?
« Reply #2 on: April 09, 2011, 04:28:05 PM »
Zlob detected, I wouldn't classify Zlob as a PUP. I am just happy that Zlob is no longer under development.
Regards
AMD Athlon(tm) X2 Dual-Core Processor 4200+ - 2.20 GHz,3,00 GB RAM -
Browser:Mozilla Firefox +WOT - SoftWare:CCleaner - Windows 7 32 bit
No Anti-Virus

Pondus (avast! Überevangelist)
Re: Is this a real virus or just a PUP?
« Reply #3 on: April 09, 2011, 07:45:30 PM »
Quote from: Left123 on April 09, 2011, 04:28:05 PM
Zlob detected, I wouldn't classify Zlob as a PUP. I am just happy that Zlob is no longer under development.
Regards
hmmmm.....not detected here...

URLVoid - 6/10
http://vscan.novirusthanks.org/analysis/64b1d3c83339a0bd2ad7d68c1ca94ed2/cGlyYzItMi1leGU=/

VirusTotal seems to be down today.....and everyone is trying to use jotti and virscan....so they are also down   ;D   or is it only me   ::)

« Last Edit: April 09, 2011, 07:49:08 PM by Pondus »
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


polonus (avast! Überevangelist, malware fighter)
Re: Is this a real virus or just a PUP?
« Reply #4 on: April 09, 2011, 08:11:00 PM »
Hi Pondus,

Internal service errors due to heavy loads, too busy there, probably. They are back at the moment. dictionary.exe as malware is a worm, see: http://www.prevx.com/filenames/X3230575065581185308-X1/DICTIONARY.EXE.html
and if malware making its return from the year 2007... recent find reported here: http://forums.malwarebytes.org/index.php?showtopic=80195

polonus
« Last Edit: April 09, 2011, 08:57:54 PM by polonus »

SHAGGIE (Newbie)
Re: Is this a real virus or just a PUP?
« Reply #5 on: April 10, 2011, 07:39:09 PM »
Quote from: polonus
...
config-generator.exe
pirc2_2.exe (Trojan.Zlob)

This is in response to what polonus posted, because for some very, very strange reason I have something going on with my Avast. It is detecting very few infections, and the above files were not detected either. I need to fix it or ditch it, so if someone would be willing to assist me in this challenge, that would be awesome.

essexboy (avast! Überevangelist)
Re: Is this a real virus or just a PUP?
« Reply #6 on: April 10, 2011, 07:54:11 PM »
Hi Shaggie - what is the exact problem you have?

polonus (avast! Überevangelist, malware fighter)
Re: Is this a real virus or just a PUP?
« Reply #7 on: April 10, 2011, 07:56:24 PM »
Hi SHAGGIE,

Follow up essexboy's instructions and let us see if you really had a malcode infection or what else could be the matter.

polonus
