Author Topic: opachki trojan  (Read 9589 times)


Offline nanajana

  • Sr. Member
  • ****
  • Posts: 375
  • Health is Wealth
opachki trojan
« on: March 29, 2010, 05:20:38 PM »
I have a question in regards to "opachki trojan".  It was detected on my computer by Spybot but not Avast, I have Avast Program Version 5.0.462 and always, always update, so how come Avast missed this?  Also I run Avast screensaver but I am noticing that it isn't running from time to time and I have to press control, alt, delete to get to my desktop.  I get the message that it is initializing.  I really don't know how this works and so I don't know what this means.

Thanks,
nanajana
I love this forum, with all its extremely knowledgeable personnel!

Jtaylor83

  • Guest
Re: opachki trojan
« Reply #1 on: March 29, 2010, 05:30:10 PM »
Here's an old blog entry on this trojan.

And this.

Trojan:Win32/Opachki.A (Microsoft)
Trojan.Opachki (Symantec)
« Last Edit: March 29, 2010, 05:35:52 PM by Jtaylor83 »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37614
  • Not a avast user
Re: opachki trojan
« Reply #2 on: March 29, 2010, 05:35:30 PM »
Why did you install Spybot when you have avast, don't you trust avast?
I am asking since you seem surprised that avast missed something?......... :o


No security program has 100% detection, if they did the virus problem would disappear
and here is a program that is much better than spybot

Malwarebytes Antimalware http://filehippo.com/download_malwarebytes_anti_malware/
after install click UPDATE and run quick scan, click on REMOVE SELECTED to quarantine anything found

Offline nanajana

Re: opachki trojan
« Reply #3 on: March 29, 2010, 05:57:32 PM »
Hi Pondus,

Thanks for the reply, I guess the best answer is what you said, and I quote: "No security program has 100% detection"

nanajana

Offline nanajana

Re: opachki trojan
« Reply #4 on: March 29, 2010, 06:04:53 PM »
Hi jTaylor83,

Thanks for the reply, I had read both of those entries that you referred me to, that is why I was surprised Avast didn't pick it up.

nanajana

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89336
  • No support PMs thanks
Re: opachki trojan
« Reply #5 on: March 29, 2010, 06:26:10 PM »
Well since you give no details on the detection by S&D, like file name and location found, I can't comment on the detection in relation to avast, etc.

What I can say is that you should confirm the detection or otherwise:
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here the URL in the Address bar of the VT results page. You can't do this with the file securely in the S&D quarantine, so you would have to temporarily extract it.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline nanajana

Re: opachki trojan
« Reply #6 on: March 29, 2010, 10:57:24 PM »
I don't want to place this back on my computer, so I'll go with nothing is 100%.  I did also run Malwarebytes as suggested above and it showed no infections.

Cheers,
nanajana

Offline DavidR

Re: opachki trojan
« Reply #7 on: March 29, 2010, 11:14:01 PM »
You could give us the information about the detection at least?

Since this is the goal of this piece of malware:
Quote
Opachki uses a dropper to infect users' machines, loading a DLL file. It then goes through a complex routine that involves partially decrypting various strings in memory and then deleting the strings as soon as it's finished with them.

But Opachki's main goal is to hijack Web links and redirect victims to a third-party site where a JavaScript file is loaded onto the machine, again redirecting the machine to another server, according to an analysis by SANS.

Have you noticed any of this redirection happening? If not, and this detection is on what is an old file, then the likelihood of it being a false positive is higher.

Offline nanajana

Re: opachki trojan
« Reply #8 on: March 30, 2010, 03:17:31 AM »
Hi DavidR,

In all honesty I haven't noticed being redirected, which I'm assuming I would notice.  Anyway this is what I have, not sure if this is what you are looking for or not, but this is what I get from SpyBot - SB$9E90BA5A - auto run settings,
HKEY_LOCAL_MACHINE\Software\Microsoft\Current Version\Run

nanajana

Offline DavidR

Re: opachki trojan
« Reply #9 on: March 30, 2010, 02:17:28 PM »
Well if it is only reporting what is a registry entry without any associated detection on the file, then this is effectively an inert registry entry. Unfortunately there doesn't appear to be a file name and location for that run command.

If there is a run command in the registry I would expect a corresponding detection for wherever the actual file should be.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
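
The check described in Reply #9 (a Run entry should have a corresponding file on disk), as an added example that is not part of the original thread or any poster's words: it lists each autorun value and reports whether its target file exists, with a SHA256 for lookup. It assumes the standard Windows Run keys under HKLM and HKCU; the helper names `Get-RunTarget` and `Resolve-RunTarget` are hypothetical.

```powershell
# Added example (not from the thread): audit the standard Windows Run keys and
# report whether each autorun value still points at a file that exists.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Hypothetical helper: pull the executable path out of a Run command line.
function Get-RunTarget {
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }   # "C:\dir with spaces\a.exe" /arg
    if ($cmd -match '^(.+?\.(exe|com|bat|cmd|scr|pif))(\s|$)') { return $Matches[1] }
    return ($cmd -split '\s+')[0]                          # fallback: first token
}

# Hypothetical helper: resolve a full path, or a bare name found via PATH.
# rundll32-style entries resolve to rundll32.exe; the DLL stays visible in Command.
function Resolve-RunTarget {
    param([string]$Target)
    if (-not $Target) { return $null }
    if (Test-Path -LiteralPath $Target -PathType Leaf) {
        return (Resolve-Path -LiteralPath $Target).Path
    }
    $app = Get-Command -Name $Target -CommandType Application -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if ($app) { return $app.Path }
    return $null
}

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        $command = [string]$regKey.GetValue($name)
        $path = Resolve-RunTarget (Get-RunTarget $command)
        $hash = $null
        if ($path) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        }
        [pscustomobject]@{
            Key = $key; Name = $name; Command = $command
            FileExists = [bool]$path; SHA256 = $hash
        }
    }
}
$report | Sort-Object FileExists | Format-List
```

An entry with `FileExists` False is the inert case described above; for an entry that resolves, the SHA256 can be searched on VirusTotal.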

arbitrageur

  • Guest
Re: opachki trojan
« Reply #10 on: May 10, 2010, 05:54:12 PM »
Quote
Well since you give no details on the detection by S&D, like file name and location found, I can't comment on the detection in relation to avast, etc.

What I can say is that you should confirm the detection or otherwise:
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here the URL in the Address bar of the VT results page. You can't do this with the file securely in the S&D quarantine, so you would have to temporarily extract it.

I got the Opachki trojan also, and I know how and where I got it. I ran the suspect file through virustotal and that shows avast is among the 75% of virus scanners that missed it:

http://www.virustotal.com/analisis/ff0121bd683940f0e518920bab900762d9e48fed9353c0813a40dabae8bce5e6-1267772134

Here is the URL that I downloaded the infected file from, which says the file has been checked by three virus scanners and found to be clean:

http://www.download3k.com/Network-tools/Network-monitoring/Download-Cyber-Bandwidth-Monitor.html

I tried to contact them but they've deleted their e-mail from their contact information page.

Spybot S&D said it found and removed the Opachki.ru trojan after I installed that file, but it only removed part of it, I still have to do more cleanup, or re-install windows, preferably not the latter. It was identified as a registry entry, here's the screenshot of Spybot S&D:


http://freepicninja.com/view.php?picture=00066900

But the main reason for making this post is to give you more information about this so you can get it added to the detection capabilities of Avast. I'm using the free home version 4.8 of Avast.

Edited to add spybot S&D screenshot link.
« Last Edit: May 10, 2010, 06:04:09 PM by arbitrageur »

Offline Pondus

Re: opachki trojan
« Reply #11 on: May 10, 2010, 06:22:50 PM »
It is now in avast and Malwarebytes inbox ..... ;)

arbitrageur

  • Guest
Re: opachki trojan
« Reply #12 on: May 10, 2010, 06:55:42 PM »
If by that you mean that Avast has the information I provided in their inbox and will review what they might be able to do to improve the Avast detection capabilities, then, I thank you!

I ran the Malwarebytes version 1.46 scan to see if it might be able to clean up what Spybot S&D left behind. It did find some things with names like on the virustotal report: trojan.agent so that's probably the stuff from the opachki trojan that Spybot wasn't able to remove. Malwarebytes also said some items could not be removed, but I won't know how much was removed until I reboot and re-run the malwarebytes scan. I also found a site with some manual cleanup hints, I may have to edit the registry manually.

But if Avast can be upgraded to help others keep from getting this, that would be great!

Cheers.