unknown_file_$PLUGINSDIR/DD_69.21.166.242_5112.exe not detected!

[polonus]

Only Norman to detect this malware. Maybe our good forum friend Pondus may know more about this detection. File is known as karen.exe and
VT has these scans on it: https://www.virustotal.com/nl/url/4df9c89e7718cc27e2daf0b290956febe8203e8a0115c34b88ddd49ef80c2a72/analysis/1389363098/
and
https://www.virustotal.com/nl/file/5471b6aeadcc6c5758f7bbd8207a97013a512a4cc09df1691a8e00dcd4df6bd1/analysis/1389363102/
urlquery flags it: http://urlquery.net/report.php?id=8775612
Comodo Web Inspector misses it completely: http://app.webinspector.com/public/reports/19374726

pol

[Pondus]

Maybe our good forum friend Pondus may know more about this detection.

File name:   Karen.exe.....  i was about say it is my wife.   

not that old.   First submission 2013-12-21 19:30:56 UTC ( 2 weeks, 5 days ago )
i am at the airport now, so i will check later today ... guess i have a reply from Norman tomorrow


possible FP

CopyrightCopyright © 2001-2011 Advantig. All rights reserved.
Publisher televere Systems
Product DualDesk
Original name CustomerModule_69.21.166.242_5112_Direct.exe
Internal name DualDesk
File version 20.4.8.0
Description DualDesk Customer Module
Comments For information and help visit: dualdesk.com

[TwinHeadedEagle]

Related to this

http://www.dualdesk.com/index.html

Probably FP

[polonus]

Thanks for the quick reactions folks,
Pondus, I am sorry to hear that "Young Karen" is a false positive   
This was/is what VW's safe virus viewer comes up with: http://support.clean-mx.de/clean-mx/view_virusescontent.php?url=http%3A%2F%2Fwww.televeresystems.com%2Fsupport-desk%2FKaren.exe
and the malware analysis report: http://camas.comodo.com/cgi-bin/submit?file=5471b6aeadcc6c5758f7bbd8207a97013a512a4cc09df1691a8e00dcd4df6bd1
see: http://www.averscanner.com/scan/9d/dd_69-21.166.242_5112.exe.shtml
So this is a Muldrop FP? -> http://www.drwebhk.com/en/virus_techinfo/Trojan.MulDrop4.48977.html
DrWeb's URL checker results:
hctp://www.televeresystems.com/support-desk/Karen.exe - archive NSIS
>htxp://www.televeresystems.com/support-desk/Karen.exe/script.bin - Ok
>htxp://www.televeresystems.com/support-desk/Karen.exe/_=9A=80\Splash.dll - Ok
>htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe - archive NSIS
>>htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe/script.bin - Ok
>>htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe/_=99=80\nsisdt.dll - Ok
>>htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe/_=9A=80\NSISdl.dll - Ok
>>htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe/_=9A=80\dialogsEx.dll - Ok
>>htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe/_=9A=80\nsExec.dll - Ok
>>htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe/DualDesk.exe - Ok
>>htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe/cad.exe - Ok
>>htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe/ddUninst.exe - archive NSIS
>>>htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe/ddUninst.exe/script.bin - Ok
>>>htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe/ddUninst.exe/_=9A=80\nsExec.dll - Ok
>>htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe/ddUninst.exe - Ok
>htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe - Ok
>htxp://www.televeresystems.com/support-desk/Karen.exe/DD.txt - Ok
>htxp://www.televeresystems.com/support-desk/Karen.exe/Splash.bmp - Ok
>htxp://www.televeresystems.com/support-desk/Karen.exe/Logo.bmp - Ok
>htxp://www.televeresystems.com/support-desk/Karen.exe/Icon1.ico - Ok
>htxp://www.televeresystems.com/support-desk/Karen.exe/Icon2.ico - Ok
>htxp://www.televeresystems.com/support-desk/Karen.exe/Blank.bmp - Ok
>htxp://www.televeresystems.com/support-desk/Karen.exe/Ring.wav - Ok
>htxp://www.televeresystems.com/support-desk/Karen.exe/Alex.txt - Ok
>htxp://www.televeresystems.com/support-desk/Karen.exe/Barb.txt - Ok
>htxp://www.televeresystems.com/support-desk/Karen.exe/EricR.txt - Ok
>htxp://www.televeresystems.com/support-desk/Karen.exe/EricS.txt - Ok
>htxp://www.televeresystems.com/support-desk/Karen.exe/Jeff.txt - Ok
>htxp://www.televeresystems.com/support-desk/Karen.exe/Karen.txt - Ok
>htxp://www.televeresystems.com/support-desk/Karen.exe/Kyle.txt - Ok
>htxp://www.televeresystems.com/support-desk/Karen.exe/Rhea.txt - Ok
>htxp://www.televeresystems.com/support-desk/Karen.exe/Sam.txt - Ok
>htxp://www.televeresystems.com/support-desk/Karen.exe/Stacy.txt - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe - Ok

pol

[polonus]

The FP is because of an alert here -Injection Check

Suspicious Text before HTML

mzÿÿ¸////@øº´í!¸lí!this program cannot be run in dos mode.////$ïäsususurusué`usususu½////£xusu½£yusuluusurichsupelðkà^ô¸////@p@à0s´à p .textæ]^ ///`.rdata¢pb@@.data¬¯t@à.n////data@à.rsrc àx@@ájl$zóâl$jàj$zóâl$hl$jpâuìì svw}ñwnèa~ggff»f~ ¹°ãó«àè#ðçej?/////úyãâÿmó«uìjr¾ìyó«j¾¸////yó«ôèbüèwej3ÿx2ûeàeäeèeì}üë}øeüï#ááeøáneðql è\ࡶ r@}eøtrfn+eà;áráàneôbÿuôz#}üq/////±*è¶ãóèjóçç@ááèeøë5äànzq#}ü±*è¶ãóèjóçç@ááè?øfëd^/////¾ sæeèàãs¾pèàsumeð èvàu5¶är@vneøâ+eà;áráÿfîè°ÿeüé^////]àëc¾è,àu]äë%s¾°èàu]èëeè]ìeìeäeèeà]àeäÿuøfüpèﶸ/////r@møéÿuøôs豶¬r@øeðmø|jxáàs0ìèø|ièøñùãiëóãø}pfpìèaøë#//////áü~qïèáàw///

quote from Web Security Test.
This is a typical false positive on a NSIS installer - it became flagged in the past as Adware Punisher, AVG and Kaspersky and Sophos flagged this new installer as trojan and found out later it was a false positive, so I think Norman will soon fix this fale positive.
So when we see archive NSIS we have to blink twice before saying it is malcode 

Damian

[Pondus]

but there sloppy it department should uppgrade wordpress   

http://sitecheck.sucuri.net/results/www.televeresystems.com

[polonus]

That means, dear Pondus, that they are vulnerable amongst other things to clickjacking.
htxp://www.televeresystems.com/wordpress/wp-content/themes/elogix/
For code hick-ups and insecurity see: http://jsunpack.jeek.org/?report=f466bffd2353189a4b029d9b7d2d14ffa583291a
On the elogix theme, read on the insecurity of such themes - web-applications-security/   error: undefined function $
and problems with the Stylesheet etc.
pingback goes here: htxp://www.televeresystems.com/wordpress/xmlrpc.php
vulnerable to WP pingback vulnerability in version 3.5 and RCI exploit: http://www.securityfocus.com/bid/14088/exploit
-> credit references, see: http://www.securityfocus.com/bid/14088/references

pol

[Secondmineboy]

Norman is detecting it as Malware.AJISX now.

Avira is still analysing the file.

Malwr: https://malwr.com/analysis/NjEyYWFlZDQ0ZTMyNDZhMWJiOTA5YjY0MGFlMzk1NmM/

File is malicious.

[Secondmineboy]

File is detected by DeepScreen.

[Pondus]

Norman lab confirms, it was a False Positive