Potentially damaging executable not detected?

[polonus]

See: https://www.virustotal.com/nl/url/1ea43df4fc28d4c2b5d52b90558095616c5c49f13e2ec681f71193918fd0ecc3/analysis/1388082510/
see: https://www.virustotal.com/nl/file/7ff472619079f9ac41f44889e969c5f9f9c2207eccf9c29ff87f52cc8919d8d4/analysis/1388082519/
and http://app.webinspector.com/public/tasks/16620954
What is out there? unknown_file_$INSTDIR/GreenDou.exe URL subjected to threat C2/Generic-A.
Nothing here: http://urlquery.net/report.php?id=8561896
But flags here: http://urlquery.net/report.php?id=8547992
Analysis see: http://anubis.iseclab.org/?action=result&task_id=1be84ba86c17f9e74b9d5344bfa163e06&format=html
For the download site, consider: http://www.scumware.org/report/213.242.77.71  and http://www.urlvoid.com/ip/113.107.42.55/

pol

[Secondmineboy]

Kaspersky is detecting it as UDS:Dangerous.Object.Multi.Generic.

Undetected by Avast.

[Pondus]

ThreatExpert   http://www.threatexpert.com/report.aspx?md5=825b710cc6da5e05c752bbab4b04c731

[Secondmineboy]

Malwr: https://malwr.com/analysis/YWVjZWRkODQyZWRmNGY3ZjhkMWNlYmMyNjA0NGZhOWI/

Very interesting result.

[Michael (alan1998)]

That homepage. I've seen it before.

also, Is this a a 0access rootkit?

[Secondmineboy]

I saw that webpage also before. Common with Adware and PUPs.

According to Virustotal this is an Generic Trojan.

After execution its downloading something in the background and BOTH files are running in memory then.

File is still being processed by Kaspersky Lab.

[polonus]

Hi Steven Winderlich, alan1998 and Pondus,

Maybe we have stumbled onto something suspicious here, time to forward to avast for detection results, I guess,
related to this down loader: http://camas.comodo.com/cgi-bin/submit?file=308a13460daa2e6cb624bf91d08391d2e2a457dee57f31f9ebd8d3e77b200fe8

Damian

[Secondmineboy]

I reported the file via quarantine to Avast Research Lab.

Will see how they do.

[polonus]

Hi Steven Winderlich,

The

sample_1.exe&ini=open.ini

makes it suspicious looking enough to qualify as malware.
See: Up(nil):   unknown_file_$INSTDIR/GreenDou.exe   APNIC   CN   abuse at gddc dot com dot cn   113.107.56.85    to 113.107.56.85   qiniudn dot com   htxp://vvdown.u.qiniudn.com/exe/0.exe?download/av2015-202-12554.exe -> http://support.clean-mx.de/clean-mx/viruses?id=17409280
-> https://www.virustotal.com/en/file/308a13460daa2e6cb624bf91d08391d2e2a457dee57f31f9ebd8d3e77b200fe8/analysis/
Generic Genome Downloader variant, there also missed by avast! 29 out of 47 detect 


polonus

[Secondmineboy]

Yep.

Cannot give a new VT scan cause file scanner is not working at the moment, URL Scan is working, also last analysis.

The Greendeu.exe file is loading and running a ton of dll files as you can see under behavioral analysis in Malwr.

[polonus]

Hi Steven Winderlich,

As far as I can establish it modifies registry settings to prevent anti-virus and firewall applications from functioning correctly.
A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment.
Good you guys responded to me initially reporting,

Damian

[Secondmineboy]

No problem.

Thats the only good thing we can do.

Everything else is Avasts job.

With an Mac you dont really need to bother about these threats, but there are also Mac threats out there.

[polonus]

It is a randomized download and this should also be considered: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A/detailed-analysis.aspx
The urlquery dot net report should flag this by an IDS alert,

polonus