Avast WEBforum

Other => Viruses and worms => Topic started by: polonus on November 21, 2011, 10:17:08 PM

Title: Avast does not detect Trojan.Dropper/Gen-PHP aka Mal/FakeAV-IS here...
Post by: polonus on November 21, 2011, 10:17:08 PM
Hi forum friends,

See: http://www.virustotal.com/url-scan/report.html?id=27c11b5c1e39686d113239ed2495796e-1321904977
and: http://www.virustotal.com/file-scan/report.html?id=a7ccffe77c53722796d29e29b1d5b78576f57d385b656b0b62eafcc3a68f311a-1321908585
Anubis analysis: http://anubis.iseclab.org/?action=result&task_id=166d29bce3097efd4b991885708dc3
This is TR/Cycbot.OS.1 -http://nanitos99132.co.cc/w.php?f=155&e=5 packed by FLY-CODE
Is this a generic detection of the packer used or malcoded about.exe?
Here nothing is being detected: http://vscan.urlvoid.com/analysis/62d3725ab6a3b6a479efa453acc43176/YWJvdXQtZXhl/

polonus
Title: Re: Avast does not detect Trojan.Dropper/Gen-PHP aka Mal/FakeAV-IS here...
Post by: polonus on November 21, 2011, 10:42:09 PM
Hi forum friends,

The final answer came from here: http://amada.abuse.ch/?search=nanitos99132.co.cc
Verdict Gbot, Trojan Fake-AV
But the MD5 hash of the trojan has changed in the meantime: 358e5bf8168f49f29f3849a098da41f2
One of many Malware.Win32.PEx.Delphi variants;
earlier detection: http://threatcenter.crdf.fr/?More&ID=53128&D=CRDF.Malware.Win32.PEx.Delphi.9216665173

polonus
Title: Re: Avast does not detect Trojan.Dropper/Gen-PHP aka Mal/FakeAV-IS here...
Post by: Pondus on November 21, 2011, 10:48:42 PM
What we find at that URL is this:
http://virusscan.jotti.org/en/scanresult/1fb2ebb1ef476d20bd71512ad411f05fb72921dc

There are lots of these out there and the file name is usually readme.exe / calc.exe / contacts.exe / about.exe


Found some earlier today:
http://virusscan.jotti.org/en/scanresult/6325e6a5a7228cd2dfbc13c78c04be2902502102
http://virusscan.jotti.org/en/scanresult/ca2640c19ec8abae7f2eaee13fb21a52a96fd729
http://virusscan.jotti.org/en/scanresult/385cb2431662cb6b6d4b54abcdf882ec81a846fb
http://virusscan.jotti.org/en/scanresult/d1aa8b616c580fb697efcc5d7d3a51f184c85a03
http://virusscan.jotti.org/en/scanresult/a35c9b5b768c7f7588237c5516a34a6645fee19a


Malwarebytes detects them as Malware.Packer
Title: Re: Avast does not detect Trojan.Dropper/Gen-PHP aka Mal/FakeAV-IS here...
Post by: REDACTED on November 21, 2011, 10:55:45 PM
Hi forum friends,

See: http://www.virustotal.com/url-scan/report.html?id=27c11b5c1e39686d113239ed2495796e-1321904977
and: http://www.virustotal.com/file-scan/report.html?id=a7ccffe77c53722796d29e29b1d5b78576f57d385b656b0b62eafcc3a68f311a-1321908585
Anubis analysis: http://anubis.iseclab.org/?action=result&task_id=166d29bce3097efd4b991885708dc3
This is TR/Cycbot.OS.1 -http://nanitos99132.co.cc/w.php?f=155&e=5 packed by FLY-CODE
Is this a generic detection of the packer used or malcoded about.exe?
Here nothing is being detected: http://vscan.urlvoid.com/analysis/62d3725ab6a3b6a479efa453acc43176/YWJvdXQtZXhl/

polonus


Packed by FLY-CODE: c. 80% chance it's malicious, so say the DrWeb developers.


Your request has been processed by an automatic system. This threat is known to our experts. Their entry in the Dr.Web virus database already exists.

Threat: BackDoor.Gbot.1589

http://vms.drweb.com/virus/?i=1591672
Title: Re: Avast does not detect Trojan.Dropper/Gen-PHP aka Mal/FakeAV-IS here...
Post by: polonus on November 21, 2011, 11:10:56 PM
@Dim@rik,
Thanks for confirming that so quickly and extensively on the basis of the packer used
for this MS-DOS executable (MD5 hash e4aaa768f18614cf21a167eb5d9c4750).
Proof that DrWeb gets them is here, for another variant at another site:

Checking: -http://fdg45e.nl.ai/w.php?f=19
Engine version: 5.0.2.3300
Total virus-finding records: 2813715
File size: 279.50 KB
File MD5: f47f7bac078494261dbc349215b646de

-http://fdg45e.nl.ai/w.php?f=19 infected with BackDoor.Gbot.1589
There is no detection by other scanners here, for instance for calc-exe: http://vscan.urlvoid.com/analysis/33e605d75e3499d023c11728761d26b5/Y2FsYy1leGU=/

@Pondus
That should mean the site should be blacklisted, as Google does here:

http://www.google.com/safebrowsing/diagnostic?site=http%3A//nanitos99132.co.cc/w.php%3Ff%3D155%26e%3D5

While Norton Safe Web has not even tested the site, Sucuri comes up with "site blacklisted, malware" (according to the above-mentioned Unmasked Parasites report, that is; malware not identified and not specified, which is obvious with all the various malware executable variants of that specific malware being spread from there continuously).

polonus
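The indicators scattered through this thread (the `w.php?f=…` download URLs on throwaway domains, the dropper file names Pondus listed, and the MD5 hashes quoted in the posts) can be turned into a detection pass over proxy logs. The following is an added example written for this page, not code from the forum, from Dr.Web or from any other scanner mentioned; the log format and the sample lines are constructed, and the URL regex generalises from the two URLs quoted above (`w.php?f=155&e=5` and `w.php?f=19`).

```python
import hashlib
import re
from typing import Dict, List, Optional

# Distribution URL shape reported in the thread: /w.php?f=<n> with an optional &e=<n>,
# on any host (the domains themselves are disposable, so matching on them is pointless).
DROPPER_URL_RE = re.compile(r"^https?://[^/\s]+/w\.php\?f=\d+(?:&e=\d+)?$", re.IGNORECASE)

# Dropper file names Pondus listed as the usual ones.
DROPPER_NAMES = {"readme.exe", "calc.exe", "contacts.exe", "about.exe"}

# MD5 hashes quoted in the posts above (the sample changes hash frequently, so this
# set is only a weak, fast-ageing signal next to the URL pattern).
KNOWN_MD5 = {
    "358e5bf8168f49f29f3849a098da41f2",
    "e4aaa768f18614cf21a167eb5d9c4750",
    "f47f7bac078494261dbc349215b646de",
}


def is_dropper_url(url: str) -> bool:
    """True if the URL matches the w.php?f=<n>[&e=<n>] download pattern."""
    return DROPPER_URL_RE.match(url) is not None


def md5_hex(payload: bytes) -> str:
    """MD5 of a captured payload, as the lower-case hex the scanners above quote."""
    return hashlib.md5(payload).hexdigest()


def hash_matches(payload: bytes) -> bool:
    """True if the MD5 of a captured payload is one of the hashes from the thread."""
    return md5_hex(payload) in KNOWN_MD5


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one constructed proxy log line:
    <timestamp> <client> <method> <url> <content-type> <saved-filename|-> <md5|->
    (assumed format: a proxy that records the served file name and hashes the body).
    Returns None for lines that do not have exactly these seven fields."""
    parts = line.split()
    if len(parts) != 7:
        return None
    keys = ("ts", "client", "method", "url", "ctype", "filename", "md5")
    return dict(zip(keys, parts))


def classify(rec: Dict[str, str]) -> List[str]:
    """Collect the reasons a record looks like one of the droppers in the thread."""
    reasons = []
    if is_dropper_url(rec["url"]):
        reasons.append("dropper-url")
    if rec["md5"].lower() in KNOWN_MD5:
        reasons.append("known-md5")
    if rec["filename"].lower() in DROPPER_NAMES:
        reasons.append("dropper-filename")
    return reasons


def scan_proxy_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return one alert per suspicious record. The URL pattern or a known hash is
    a high-confidence hit; a matching file name alone is only a low-confidence
    lead, because calc.exe and readme.exe are also perfectly ordinary names."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not line.strip():
            continue
        reasons = classify(rec)
        if not reasons:
            continue
        severity = "high" if ("dropper-url" in reasons or "known-md5" in reasons) else "low"
        alerts.append({"ts": rec["ts"], "client": rec["client"], "url": rec["url"],
                       "severity": severity, "reasons": reasons})
    return alerts


# Constructed sample log: two downloads from the URLs quoted in the thread, one
# ordinary page view, and one internal download whose name merely collides.
SAMPLE_LOG = """\
2011-11-21T22:17:08Z 10.0.0.12 GET http://nanitos99132.co.cc/w.php?f=155&e=5 application/octet-stream about.exe 358e5bf8168f49f29f3849a098da41f2
2011-11-21T22:18:41Z 10.0.0.12 GET http://www.example.com/index.html text/html - -
2011-11-21T23:10:56Z 10.0.0.31 GET http://fdg45e.nl.ai/w.php?f=19 application/octet-stream calc.exe f47f7bac078494261dbc349215b646de
2011-11-21T23:12:03Z 10.0.0.44 GET http://intranet.example.com/tools/calc.exe application/octet-stream calc.exe 0123456789abcdef0123456789abcdef
"""

if __name__ == "__main__":
    for alert in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(alert["severity"], alert["client"], alert["url"], ",".join(alert["reasons"]))
```

The URL pattern is what keeps working after the hash and the domain have rotated again, which is exactly what happened between polonus's first two posts; the hash set is worth keeping only for retrospective searches over logs already collected.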

Title: Re: Avast does not detect Trojan.Dropper/Gen-PHP aka Mal/FakeAV-IS here...
Post by: polonus on November 22, 2011, 01:58:45 AM
Hi Pondus,

Nice piece of big chunk malcode - see JS eval - of a site now taken down:
-http://urlquery.net/report.php?id=6699

polonus