Author Topic: New Virus/Trojan? Avast doesn't pick this one up!! (neither does Kaspersky hehe)


CyTG

  • Guest
By a rather impressively constructed scam, I was persuaded to download and execute this file

http://iwantsoft.ne1.net/

through this site

http://www.xcobot.tk/

Now the supposed "MacroEngine" does not do what it's advertised to do.
It will install a "Macroengine.exe" which, upon unsuccessful installation, will be deleted through a batch program constructed by the program itself (I'm on WinXP SP2 btw), so you need to back it up before deletion, or halt the install process some other way (like a debugger) before it gets to that.
This I have verified by debugging the bastard program with Olly.
Referenced text strings, besides the construction of the batch program, include

"enjoi kerspasky"
"systm.exe"
"sysbm.bat"
"\w32_"

The first is pretty obvious! Gotta give thanks to the author for the dead giveaway; vanity truly is a sin. Accidentally, Kaspersky AV software doesn't install: it gets interrupted halfway through installation, aborted, go figure.
Numbers 2, 3 and 4 are files in the \winxp directory.

Now I go to debug this bastard w32_systm.exe

First thing I see: this is a Delphi app ... Windows native? I don't think so.
It's a longer story, but it has hardcoded Windows homes for XP, 2000 and NT4 as far as I can tell, AIM messages, and operations for iexplorer.
This too contains segments of batch operations, like

"If exist sys*.ss del sys*.ss"

Now my XP home ain't in c:\winxp, and IE is not my default browser.
Nonetheless, the behavior I observe now is that
1. Firefox is autostarted when the PC is powered on
2. it will try to connect to a predestined site (somewhere in .no) on a specific port once a minute
3. the execution path to Firefox (read through Olly) is not c:\program files\mozilla.... as usual but rather c:\program~1\mozill~1\.... (something expected from Delphi?)
4. memory footprint is small, like 6M, as opposed to the regular ~20M upon startup

There is no sign of these executables in the registry! (I suppose I should post a hijack log too, will do that in a follow-up.)


Now I've attached to the suspect Firefox process, and while there are things that might be suspicious, I cannot say for certain.

Here's how I THINK it could play out.
- Bastard process starts a Firefox process and thread-injects it to do its bidding (thread injection however requires detailed knowledge of the structure of the code; that seems unlikely!!!!)
- Firefox program is compromised, bastard code activated by the other bastard process
- The first program (with the greeting to Kaspersky) is a standard wrapper which the Delphi code is simply wrapped in.

I am tired right now, I'm sure I'm leaving stuff of my investigation out; I'll look into the hijack thingie and return...

Suggestions so far?
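As an added example (not part of CyTG's post or of any tool named in the thread), a defender-side check in Python for two of the symptoms listed above: a process connecting to the same host and port about once a minute, and Firefox being launched through an 8.3 short path instead of its normal long path. The log format, timestamps, addresses and port are constructed for the example.

```python
# Added defender-side check for two symptoms reported above: a process connecting to
# one host:port about once a minute, and a browser launched through an 8.3 short
# path (c:\progra~1\mozill~1\...). Log format and sample values are constructed.
import re
import statistics
from collections import defaultdict
from datetime import datetime
# Constructed firewall-style log: "<ISO timestamp> <image path> -> <dst>:<port>"
SAMPLE_LOG = """\
2004-11-22T21:00:01 c:\\progra~1\\mozill~1\\firefox.exe -> 192.0.2.10:6667
2004-11-22T21:01:02 c:\\progra~1\\mozill~1\\firefox.exe -> 192.0.2.10:6667
2004-11-22T21:02:00 c:\\progra~1\\mozill~1\\firefox.exe -> 192.0.2.10:6667
2004-11-22T21:03:01 c:\\progra~1\\mozill~1\\firefox.exe -> 192.0.2.10:6667
2004-11-22T21:00:30 c:\\program files\\mozilla firefox\\firefox.exe -> 198.51.100.7:80
2004-11-22T21:00:44 c:\\program files\\mozilla firefox\\firefox.exe -> 198.51.100.7:80
2004-11-22T21:07:12 c:\\program files\\mozilla firefox\\firefox.exe -> 198.51.100.7:80
2004-11-22T21:15:09 c:\\program files\\mozilla firefox\\firefox.exe -> 198.51.100.7:80
"""
LINE_RE = re.compile(r"^(\S+) (.+?) -> (\S+):(\d+)$")
# 8.3 short-name component: up to six characters, a tilde and a number (PROGRA~1).
SHORT_NAME_RE = re.compile(r"\\[^\\]{1,6}~\d+(?=\\|$)", re.IGNORECASE)

def parse_log(text):
    """Return (timestamp, image, dst, port) tuples for well-formed log lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, image, dst, port = m.groups()
            events.append((datetime.fromisoformat(ts), image.lower(), dst, int(port)))
    return events

def uses_short_path(image):
    """True when the image path contains an 8.3 short-name component."""
    return bool(SHORT_NAME_RE.search(image))

def find_beacons(events, min_hits=4, max_cv=0.10):
    """Map (image, dst, port) -> mean gap in seconds for series whose gaps are
    near-constant (coefficient of variation <= max_cv), i.e. timer-driven."""
    by_key = defaultdict(list)
    for ts, image, dst, port in events:
        by_key[(image, dst, port)].append(ts)
    beacons = {}
    for key, times in by_key.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean and statistics.pstdev(gaps) / mean <= max_cv:
            beacons[key] = round(mean, 1)
    return beacons
```

On the constructed log only the short-path Firefox series is reported (mean gap 60.0 s); the long-path series has irregular gaps and is left alone.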

lee16

  • Guest
I'm not an expert, but I'll try to advise.

Seems like some kind of bot; try running a spyware scanner such as Ad-Aware, maybe it will pick up where it is in your registry, and maybe an online virus scan. I can't find any info on it on the web.

If avast doesn't detect it, please send the file(s) in a passworded/encrypted archive to virus@avast.com. Please state why you think it should be added to the database, its name, where you got it from, the password to open the file(s), and any other information you know about it.

If Firefox is compromised by this program, maybe you should inform them about this as well; they could improve/update their browser to be able to handle this program maybe.

--lee
« Last Edit: November 22, 2004, 10:04:25 PM by lee16 »

Jlo

  • Guest
Hi CyTG,

Well, I managed to download the file (very slow server) and ran it through the Jotti scanner and VirusTotal scanner (multi-engine scanners).

None detected anything, but I did get the following message from the Jotti scanner:

'MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.) '

I too have sent the file off to avast and will send it to KAV too. Will let you know what they say.

Kind Regards

Jlo

Jlo

  • Guest
Hi,

Just had a very quick response back from F-secure.

'Hello,

thanks for the sample.

It installs:

     winhost32.exe Infection: Backdoor.Win32.Banito.s

which is a backdoor program and I am sure you do not want to have it
on your system.'


I am sure avast will add detection soon as well. I have submitted the file to them as well.

Kind Regards

Jlo

CyTG

  • Guest
Thanks ... I'm running a few new scanners myself..

Jlo

  • Guest
Hi CyTG,

I have just run the file through Jotti scanner again http://virusscan.jotti.dhs.org/ this morning and KAV have added detection as http://virusscan.jotti.dhs.org/

I have also sent the file to avast, Symantec, F-Secure (which shares one of its engines with KAV), NAI, RAV, Dr Web, BitDefender, Panda etc., so am sure more will add detection over the next days.

I think it is important to get this one added as it pretends to be a 'legit' tool. I know if it was a high-spreading virus, e.g. avast had received many samples, then it would have been added in hours.

Good luck with the disinfection. I am not a programmer but sure someone will be along shortly to give you advice on how to get rid of it. Would be worth running HijackThis so one of the other members can see what the problem is.

Kind Regards

Jlo