Not detected or sandboxed

[Secondmineboy]

The file that is available at this link is not sandboxed or detected by avast!.   http://fileham.com/ad/setup/exad016.exe

Virus Total Scan:  hxxps://www.virustotal.com/de/file/b930594a81444fbffb4c75b310bc96998bbe018289f3935bb41e51f164c76966/analysis/1361821195/

This is definitely Adware. There is no reputation warning.

[essexboy]

I am in the process of running it on my VM

I received this warning

[essexboy]

This is the install screen

[DavidR]

@ Steven Winderlich
Please 'modify' your post change the URL from http to hXXp, to break the link and avoid accidental exposure to suspect malware, thanks.

I think part of this problem is that virustotal can't replicate all of the real-time avast functions like the behavior shield as in essexboy's post...

[essexboy]

O4 - HKLM..\Run: [FileHamBrowser] C:\Program Files\Fileham.com\FileHamBrowser\ÆÄÀÏÇÔŽ»ö±â.exe menu File not found
C:\Documents and Settings\All Users\Start Menu\Programs\ÆÄÀÏÇÔ
C:\Program Files\FileHam.com

These are the elements installed
I am going to reboot to see what happens next

[polonus]

Hi Steven Winderlich,

Make that link non-click-through with hxtp. This is unknown_file_FileHamBrowser/BrowserUninstall.ex-.
See: https://www.virustotal.com/nb/file/349220b2be2684675b81d1d9953f8eea12b38e49138d0c43ad5d8c1baafc8d44/analysis/
Avast may flag this upon running after download as riskware or PUP.
See: http://www.threatexpert.com/report.aspx?md5=c7774f488d6b0d587a94823de0ce9896
A lot of it has been closed: http://support.clean-mx.com/clean-mx/viruses.php?domain=fileham.com&sort=inetnum%20ASC
Closed 2013-02-16 23:14:29  after being 3676.7 hrs of activity...
See: http://anubis.iseclab.org/?action=result&task_id=1c911c60fa1aa8c142ddbac118b7153e0&format=html
Firekeeper alert for this Trojan.Agent./Gen-Banker
=== Triggered rule ===
alert (msg:"The address you tried to access points to a Malware. Please visit http://www.malwarepatrol.net for more information"; url_content:"htxp://fileham.com/"; reference:url,www.malwarepatrol.net; fid:340704; rev:20130225172726;)

=== Request URL ===
htxp://fileham.com/ad/setup/exad016.exe


polonus

[essexboy]

It installs another browser, and does not appear to hijack IE or FF as I can see so far

[essexboy]

It has an uninstall entry and uninstalls relatively cleanly

I feel this may just be another browser, that in this case is tailored towards Korean users

[polonus]

Hi essexboy,

Also consider this: http://google.com/safebrowsing/diagnostic?site=fileham.com/
And this: http://windowfin.com/bbs/board.php?bo_table=windowfin&wr_id=31410
and here: http://rightsecurity.blogspot.nl/2012/01/blog-post.html
But as I downloaded it with Malzilla and scanned with SAS (I just skimmed/scanned and never ran the executable), it detected Trojan,Agent/Gen-Banker, and even asked me to do a reboot to remove any further traces of it. There must be a generic detection pattern that both triggered SAS and my particular  firekeeper IDS  (with malwarepatrol latests installed),

polonus

[essexboy]

I played around with it and nothing untoward happened apart from the fact that to run it you need to use the Korean language pack, so I guess no one who does not speak Korean will use it

Edit: I ran OTL ,AdwCleaner and Combofix on completion all clean apart from a folder remnant

[polonus]

Hi essexboy,

Trust your expertise in analyzing the download status. Again here I would play completely safe and classify it as riskware for the time being.
By the way urlquery dot net scan IDS flags an alert: http://urlquery.net/report.php?id=1123533

Damian

[essexboy]

Yep would concur, running some remaining tests to be 100%

[polonus]

From another download link scanned I get: https://www.virustotal.com/nb/url/78eceba99b91021a29d23673d3daffffb9a07c6f2698cfcab47b77a44d6f42cb/analysis/1361829120/ and https://www.virustotal.com/nb/file/b930594a81444fbffb4c75b310bc96998bbe018289f3935bb41e51f164c76966/analysis/
Rather consitent results.
This is alos strange on the initial download link that Steven Winderlich provided: http://vurldissect.co.uk/default.asp?url=http%3A%2F%2Ffileham.com%2F&btnvURL=Dissect&selUAStr=1&selServer=1&ref= (vurldissect scans scans are being IP-monitored against abuse)

Page Title:      No HTML title tags found
Server Response:    200 [ OK ]
Server Type:    Apache
Server IP:    115.71.7.14
115.71.7.15
115.71.7.16
115.71.7.17
115.71.7.11
115.71.7.12
115.71.7.13
IP PTR:    IP does not appear to have a PTR record
IP does not appear to have a PTR record
IP does not appear to have a PTR record
IP does not appear to have a PTR record
IP does not appear to have a PTR record
IP does not appear to have a PTR record
IP does not appear to have a PTR record
Links found?:    0
Scripts found?:    4
iFrames found?:    0
MD5:    49471e6d5bba1b2e268ba4a9dd86abb0
Dissected:    This URL has been dissected 1 times
Last Dissected:    2/25/2013 10:01:30 PM
Link to this query:    http://vurldissect.co.uk/?url=XXXXXX

Flagged here: http://www.siteadvisor.com/sites/115.71.7.14

polonus

[essexboy]

Well I went on a clicking frenzy and nothing happened .. All tools report clear

[Secondmineboy]

I have no response from Behavior Shield. And its right there in Programs list in Control Panel. And i have no Installation screen.

Comodo Instant: http://camas.comodo.com/cgi-bin/submit?file=b930594a81444fbffb4c75b310bc96998bbe018289f3935bb41e51f164c76966

Comodo File Intelligence: http://file-intelligence.comodo.com/windows-process-virus-malware/exe/exad016

Comodo File Vredict: http://v.comodo.com/Result.html?sha1=fc68a8bda37fbb73007e65de91be25d5509560ae&&query=0&&filename=exad016.exe

Threat Expert: http://www.threatexpert.com/report.aspx?md5=c7774f488d6b0d587a94823de0ce9896