Author Topic: opachki trojan (Read 9589 times)

nanajana · « **on:** March 29, 2010, 05:20:38 PM »

I have a question in regards to "opachki trojan". It was detected on my computer by Spybot but not Avast, I have Avast Program Version 5.0.462 and always, always update, so how come Avast missed this? Also I run Avast screensaver but I am noticing that it isn't running from time to time and I have to press control, alt, delete to get to my desktop. I get the message that it is initializing. I really don't know how this works and so I don't know what this means.

Thanks,
nanajana

Jtaylor83 · « **Reply #1 on:** March 29, 2010, 05:30:10 PM »

Here's an old blog entry on this trojan.

And this.

Trojan:Win32/Opachki.A (Microsoft)
Trojan.Opachki (Symantec)

Pondus · « **Reply #2 on:** March 29, 2010, 05:35:30 PM »

why did you install Spybot when you have avast, don't you trust avast ?
I am asking since you seem surprised that avast missed something ?.........

No security program have 100% detection, if they did the virus problem would disappear
and here is a program that is much better then spybot

Malwarebytes Antimalware http://filehippo.com/download_malwarebytes_anti_malware/
after install click UPDATE and run quick scan, click on REMOVE SELECTED to quarantine anything found

nanajana · « **Reply #3 on:** March 29, 2010, 05:57:32 PM »

Hi Pondus,

Thanks for reply, I guess the best answer is what you said, and I quote No security program have 100% detection.

nanajana

nanajana · « **Reply #4 on:** March 29, 2010, 06:04:53 PM »

Hi jTaylor83,

Thanks for reply, I had read both of those entries that you refer me too, that is why I was surprised Avast didn't pick it up.

nanajana

DavidR · « **Reply #5 on:** March 29, 2010, 06:26:10 PM »

Well since you give no details on the detection by S&D, like file name and location found, I can't comment on the detection in relation to avast, etc.

What I can say is that you should confirm the detection or otherwise:
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here the URL in the Address bar of the VT results page. You can't do this with the file securely in the S&D quarantine, so you would have to temporarily extract it.

nanajana · « **Reply #6 on:** March 29, 2010, 10:57:24 PM »

I don't want to place this back on my computer, so I'll go with nothing is 100%. I did also run Malwarebytes as suggested above and it showed no infections.

Cheers,
nanajana

DavidR · « **Reply #7 on:** March 29, 2010, 11:14:01 PM »

You could give is the information about the detection at least ?

Since this is the goal of this piece of malware:

Quote

Opachki uses a dropper to infect users' machines, loading a DLL file. It then goes through a complex routine that involves partially decrypting various strings in memory and then deleting the strings as soon as it's finished with them.

But Opachki's main goal is to hijack Web links and redirect victims to a third-party site where a JavaScript file is loaded onto the machine, again redirecting the machine to another server, according to an analysis by SANS.

Have you noticed any of this redirection happening, if not and this detection is on what is an old file then the likelihood of it being a false positive are higher.

nanajana · « **Reply #8 on:** March 30, 2010, 03:17:31 AM »

Hi DavidR,

In all honesty I haven't noticed being redirected which I'm assuming I would notice. Anyway this is what I have, not sure if this what you are looking for or not but this is what I get from SpyBot - SB$9E90BA5A - auto run settings,
HKEY_LOCAL_MACHINE\Software\Microsoft\Current Version\Run

nanajana

DavidR · « **Reply #9 on:** March 30, 2010, 02:17:28 PM »

Well if it is only reporting what is a registry entry without any associated detection on the file, then this is effectively an inert registry entry. Unfortunately there doesn't appear to be a file name and location for that run command.

If there is a run command in the registry I would expect a corresponding detection for wherever the actual file should be.

arbitrageur · « **Reply #10 on:** May 10, 2010, 05:54:12 PM »

Quote from: DavidR on March 29, 2010, 06:26:10 PM

Well since you give no details on the detection by S&D, like file name and location found, I can't comment on the detection in relation to avast, etc.

What I can say is that you should confirm the detection or otherwise:
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here the URL in the Address bar of the VT results page. You can't do this with the file securely in the S&D quarantine, so you would have to temporarily extract it.

I got the Opachki trojan also, and I know how and where I got it. I ran the suspect file through virustotal and that shows avast is among the 75% of virus scanners that missed it:

http://www.virustotal.com/analisis/ff0121bd683940f0e518920bab900762d9e48fed9353c0813a40dabae8bce5e6-1267772134

Here is the URL that I download the infected file from, which says the file has been checked by three virus scanners and found to be clean:

http://www.download3k.com/Network-tools/Network-monitoring/Download-Cyber-Bandwidth-Monitor.html

I tried to contact them but they've deleted their e-mail from their contact information page.

Spybot S&D said it found and removed the Opachki.ru trojan after I installed that file, but it only removed part of it, I still have to do more cleanup, or re-install windows, preferably not the latter. It was identified as a registry entry, here's the screenshot of Spybot S&D:

http://freepicninja.com/view.php?picture=00066900

But the main reason for making this post is to give you more information about this so you can get it added to the detection capabilities of Avast. I'm using the free home version 4.8 of Avast.

Edited to add spybot S&D screenshot link.

Pondus · « **Reply #11 on:** May 10, 2010, 06:22:50 PM »

Is is now in avast and Malwarebytes inbox .....

arbitrageur · « **Reply #12 on:** May 10, 2010, 06:55:42 PM »

If by that you mean that Avast has the information I provided in their inbox and will review what they might be able to do to improve the Avast detection capabilities, then, I thank you!

I ran the Malwarebytes version 1.46 scan to see if it might be able to clean up what Spybot S&D left behind. It did find some things with names like on the virustotal report: trojan.agent so that's probably the stuff from the opachki trojan that Spybot wasn't able to remove. Malwarebytes also said some items could not be removed, but I won't know how much was removed until I reboot and re-run the malwarebytes scan. I also found a site with some manual cleanup hints, I may have to edit the registry manually.

But if Avast can be upgraded to help others keep from getting this, that would be great!

Cheers.

Author Topic: opachki trojan (Read 9589 times)

nanajana

opachki trojan

Jtaylor83

Re: opachki trojan

Pondus

Re: opachki trojan

nanajana

Re: opachki trojan

nanajana

Re: opachki trojan

DavidR

Re: opachki trojan

nanajana

Re: opachki trojan

DavidR

Re: opachki trojan

nanajana

Re: opachki trojan

DavidR

Re: opachki trojan

arbitrageur

Re: opachki trojan

Pondus

Re: opachki trojan

arbitrageur

Re: opachki trojan