Avast WEBforum

Other => Viruses and worms => Topic started by: anonim1979 on February 04, 2009, 05:23:39 AM

Title: Very suspicious file found.
Post by: anonim1979 on February 04, 2009, 05:23:39 AM
In 2 different .exe RAR .sfx files, additional .exe's (the same, 85 KB) were attached to the original (repacked) files:

IEPGMO~1.EXE (size 85,504 bytes)
IJIPIH~1.EXE (size 85,504 bytes)

Adware/spyware/trojan?

For now clean in all online tests
( http://virusscan.jotti.org/ )

Attached below as .txt file

-- never ever add the samples into the attachments --
Title: Re: Very suspicious file found.
Post by: DavidR on February 04, 2009, 05:06:35 PM
VirusTotal provides more scanners, 39 at the last count, but you could try there.

VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/) and report the findings here: the URL in the Address bar of the VT results page.

There is another tool that is useful, Anubis: Analyzing Unknown Binaries (http://anubis.iseclab.org/?action=home)
Title: Re: Very suspicious file found.
Post by: anonim1979 on February 04, 2009, 05:34:07 PM
I ran that file by accident yesterday (after making this thread) (missed one "up arrow" keystroke when moving in a dir in Total Commander), so I'm REALLY interested now in what that file does :(


To DavidR
Thanks, I checked both:

1st gave only one detection (of 39 scanners) + one suspicion warning
http://www.virustotal.com/pl/analisis/613cd52c645ed6233ab1a5d544aea997
Quote
AhnLab-V3    5.0.0.2    2009.01.31    Win-Trojan/Downloader.85504.E

I would like to ask for help to analyse the 2nd one:
(results of scan:)
http://anubis.iseclab.org/?action=result&task_id=193478223de967634f1882e57522913a1

Does this file/trojan hack and send Active Directory passwords?

Quote
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\DOCUME~1\user\LOCALS~1\Temp\1956640_res.tmp ]
        File Name: [ PIPE\lsarpc ]
        File Name: [ PIPE\samr ]
        File Name: [ WMIDataDevice ]


[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 24 times
        File: [ PIPE\samr ], Control Code: [ 0x0011C017 ], 15 times
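As an added defender-side illustration (not part of this thread, and not Anubis's own code), the Python below decodes the control code quoted in the report excerpt above and flags named-pipe activity that an analyst would want to look at before deciding anything. The pipe names, the control-code value and the counts come from the quoted report; the SAMPLE_REPORT string, the SENSITIVE_PIPES table and all function names are my own constructions. Using the Windows CTL_CODE layout, 0x0011C017 decodes to FSCTL_PIPE_TRANSCEIVE (a write followed by a read) on the named-pipe device; lsarpc and samr are the RPC endpoints of the Local Security Authority and the SAM account database. That makes the activity a good reason to investigate further and submit the sample, but it is not, on its own, proof that any passwords were read or sent anywhere.

```python
"""Decode Windows IOCTL/FSCTL control codes and flag named-pipe activity
in an Anubis-style "File System Control Communication" report excerpt.
Added example; the report lines are reconstructed from the forum quote."""
import re

# Constructed sample: the two lines quoted from the Anubis report in the thread.
SAMPLE_REPORT = """\
        File: [ PIPE\\lsarpc ], Control Code: [ 0x0011C017 ], 24 times
        File: [ PIPE\\samr ], Control Code: [ 0x0011C017 ], 15 times
"""

# Pipes whose use by an unknown binary a defender should investigate (my table).
SENSITIVE_PIPES = {
    "PIPE\\lsarpc": "LSA RPC endpoint (security policy / account lookups)",
    "PIPE\\samr": "SAM RPC endpoint (local account database)",
}

# Constants from the Windows SDK (winioctl.h / ntifs.h).
FILE_DEVICE_NAMED_PIPE = 0x11
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_DATA",
          2: "FILE_WRITE_DATA", 3: "FILE_READ_DATA|FILE_WRITE_DATA"}
# Function numbers of the named-pipe FSCTLs defined in ntifs.h.
PIPE_FUNCTIONS = {
    0: "FSCTL_PIPE_ASSIGN_EVENT", 1: "FSCTL_PIPE_DISCONNECT",
    2: "FSCTL_PIPE_LISTEN", 3: "FSCTL_PIPE_PEEK",
    4: "FSCTL_PIPE_QUERY_EVENT", 5: "FSCTL_PIPE_TRANSCEIVE",
    6: "FSCTL_PIPE_WAIT", 7: "FSCTL_PIPE_IMPERSONATE",
}

# One report line: File: [ <name> ], Control Code: [ 0x... ], <n> times
LINE_RE = re.compile(
    r"File: \[ (?P<name>.+?) \], Control Code: \[ (?P<code>0x[0-9A-Fa-f]+) \], (?P<count>\d+) times")


def decode_ioctl(code: int) -> dict:
    """Split a control code into the CTL_CODE fields:
    (DeviceType << 16) | (Access << 14) | (Function << 2) | Method."""
    device = code >> 16
    access = (code >> 14) & 0x3
    function = (code >> 2) & 0xFFF
    method = code & 0x3
    if device == FILE_DEVICE_NAMED_PIPE and function in PIPE_FUNCTIONS:
        name = PIPE_FUNCTIONS[function]
    else:
        name = f"0x{code:08X} (unknown)"
    return {"name": name, "device": device, "access": ACCESS[access],
            "function": function, "method": METHODS[method]}


def parse_fsctl_lines(report: str) -> list:
    """Turn each report line into a record with the decoded control code."""
    records = []
    for m in LINE_RE.finditer(report):
        decoded = decode_ioctl(int(m.group("code"), 16))
        records.append({"pipe": m.group("name"),
                        "control": decoded["name"],
                        "count": int(m.group("count"))})
    return records


def find_sensitive_pipe_activity(report: str) -> list:
    """Return only the records that touch a pipe from SENSITIVE_PIPES,
    annotated with the reason an analyst would want to look at it."""
    hits = []
    for rec in parse_fsctl_lines(report):
        if rec["pipe"] in SENSITIVE_PIPES:
            rec["reason"] = SENSITIVE_PIPES[rec["pipe"]]
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_sensitive_pipe_activity(SAMPLE_REPORT):
        print(f"{hit['pipe']}: {hit['control']} x{hit['count']} - {hit['reason']}")
```

Run as a script it prints one line per flagged pipe; the same functions can be pointed at a full saved report. The decoder is generic: any control code whose device type is not the named-pipe device, or whose function number is not in the table, is reported as unknown rather than guessed.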
Title: Re: Very suspicious file found.
Post by: DavidR on February 04, 2009, 06:32:50 PM
Well, I just looked at the summary and that was enough for me

Quote
Summary:
    - Performs File Modification and Destruction:
        The executable modifies and destructs files which are not temporary.

    - Performs Registry Activities:
        The executable reads and modifies registry values. It also creates and
        monitors registry keys.

I'm not that familiar with the output so I can't say what it does exactly, but you should send/submit the files to avast, and I would give the anubis URL in the info also.

You can also add the file to the User Files (File, Add) section of the avast chest, where it can do no harm, and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.

Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

- To avoid waiting for the next auto update, right click the avast 'a' icon, select Updating, iAVS Update. During the update check you should notice the file being uploaded. Periodically scan the file from inside the Chest, after VPS updates; when it is no longer detected you can restore the file/s to their original location/s.