Author Topic: rootkit not detection even after 20 days  (Read 8312 times)


sasin44

  • Guest
rootkit not detection even after 20 days
« on: July 05, 2007, 10:59:22 AM »
Hi guys, I started a new post for my batch of malware I have been cribbing about for 3 weeks...
In fact I was so desperate that I even gave it to some other guys at the forum so that they could submit it also.
Here are the sad but true results of a very small portion of the malware I have; I submitted it to VirusTotal for analysis.

This one made it to the top ten malware in the BitDefender countdown...
ROOTKIT THAT BLACKLIGHT DETECTED..........
AhnLab-V3 2007.7.5.0 07.05.2007  no virus found
AntiVir 7.4.0.37 07.05.2007 TR/Dldr.DNSChanger.Gen
Authentium 4.93.8 07.04.2007 could be a corrupted executable file
Avast 4.7.997.0 07.04.2007  no virus found       >:( >:( >:(
AVG 7.5.0.476 07.04.2007 Downloader.Agent.KQC
BitDefender 7.2 07.05.2007 Trojan.Peed.Gen
CAT-QuickHeal 9.00 07.04.2007 TrojanDownloader.Agent.uj
ClamAV devel-20070416 07.05.2007  no virus found
DrWeb 4.33 07.05.2007  no virus found
eSafe 7.0.15.0 07.04.2007 Win32.Agent.uj
eTrust-Vet 30.8.3765 07.05.2007 Win32/Alureon!generic
Ewido 4.0 07.05.2007  no virus found
FileAdvisor 1 07.05.2007  no virus found
Fortinet 2.91.0.0 07.05.2007 Agent.BC!tr.spy
F-Prot 4.3.2.48 07.04.2007 W32/new-malware!Maximus
F-Secure 6.70.13030.0 07.05.2007 Trojan-Downloader.Win32.Agent.uj
Ikarus T3.1.1.8 07.05.2007 Trojan-Downloader.Win32.Agent.uj
Kaspersky 4.0.2.24 07.05.2007 Trojan-Downloader.Win32.Agent.uj
McAfee 5067 07.04.2007 Spy-Agent.bc
Microsoft 1.2701 07.05.2007 Trojan:Win32/Alureon.A
NOD32v2 2379 07.04.2007 a variant of Win32/Small.FB
Norman 5.80.02 07.04.2007 W32/DNSChanger.CJL
Panda 9.0.0.4 07.05.2007 Trj/Ruins.MB
Sophos 4.19.0 06.28.2007 Mal/Behav-027
Sunbelt 2.2.907.0 07.04.2007 Bloodhound.Packed.7
Symantec 10 07.05.2007 Downloader
TheHacker 6.1.6.142 07.04.2007  no virus found
VBA32 3.12.0.2 07.05.2007 MalwareScope.Trojan.DnsChange.1
VirusBuster 4.3.23:9 07.04.2007 
Webwasher-Gateway 6.0.1 07.05.2007 Trojan.Dldr.DNSChanger.Gen

AVG FOUND THIS......
STATUS: FINISHED
Complete scanning result of "LiteIdolPeak.exe", received in VirusTotal at 07.05.2007, 10:38:11 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.7.5.0 07.05.2007  no virus found
AntiVir 7.4.0.37 07.05.2007 TR/Dldr.Swizzor.Gen
Authentium 4.93.8 07.04.2007  no virus found
Avast 4.7.997.0 07.04.2007  no virus found
AVG 7.5.0.476 07.04.2007 Generic5.AQC
BitDefender 7.2 07.05.2007 Trojan.FatObfus.Gen
CAT-QuickHeal 9.00 07.04.2007 (Suspicious) - DNAScan
ClamAV devel-20070416 07.05.2007 Trojan.Agent-5196
DrWeb 4.33 07.05.2007 Trojan.Swizzor
eSafe 7.0.15.0 07.04.2007 Win32.Obfuscated.en
eTrust-Vet 30.8.3765 07.05.2007  no virus found
Ewido 4.0 07.05.2007 Trojan.Obfuscated.en
FileAdvisor 1 07.05.2007  no virus found
Fortinet 2.91.0.0 07.05.2007 W32/Obfuscated.EN!tr
F-Prot 4.3.2.48 07.04.2007  no virus found
F-Secure 6.70.13030.0 07.05.2007 Trojan.Win32.Obfuscated.en
Ikarus T3.1.1.8 07.05.2007 Trojan.Win32.Obfuscated.en
Kaspersky 4.0.2.24 07.05.2007 Trojan.Win32.Obfuscated.en
McAfee 5067 07.04.2007  no virus found
Microsoft 1.2701 07.05.2007 Trojan:Win32/C2Lop.C
NOD32v2 2379 07.04.2007  no virus found
Norman 5.80.02 07.04.2007  no virus found
Panda 9.0.0.4 07.05.2007 Adware/Lop
Sophos 4.19.0 06.24.2007  no virus found
Sunbelt 2.2.907.0 07.04.2007  no virus found
Symantec 10 07.05.2007 Downloader.Lop
TheHacker 6.1.6.142 07.04.2007 Trojan/Obfuscated.en
VBA32 3.12.0.2 07.05.2007 MalwareScope.Trojan-Downloader.Obfuscated.2
VirusBuster 4.3.23:9 07.04.2007 Adware.Lop.Gen
Webwasher-Gateway 6.0.1 07.05.2007 Trojan.Dldr.Swizzor.Gen

RPCC.DLL infection; it would be great if Avast detected this.
STATUS: FINISHED
Complete scanning result of "rpcc.dll", received in VirusTotal at 07.05.2007, 10:36:51 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.7.5.0 07.05.2007 Win-Trojan/Dlena.31232.L
AntiVir 7.4.0.37 07.05.2007 TR/Proxy.Dlena.CQ.4
Authentium 4.93.8 07.04.2007 W32/Trojan.AMZL
Avast 4.7.997.0 07.04.2007  no virus found
AVG 7.5.0.476 07.04.2007 Proxy.NJQ
BitDefender 7.2 07.05.2007 Worm.P2P.AB
CAT-QuickHeal 9.00 07.04.2007 TrojanProxy.Dlena.cq
ClamAV devel-20070416 07.05.2007 Trojan.Proxy-653
DrWeb 4.33 07.05.2007  no virus found
eSafe 7.0.15.0 07.04.2007  no virus found
eTrust-Vet 30.8.3765 07.05.2007  no virus found
Ewido 4.0 07.05.2007  no virus found
FileAdvisor 1 07.05.2007  no virus found
Fortinet 2.91.0.0 07.05.2007  no virus found
F-Prot 4.3.2.48 07.04.2007 W32/Trojan.AMZL
F-Secure 6.70.13030.0 07.05.2007  no virus found
Ikarus T3.1.1.8 07.05.2007  no virus found
Kaspersky 4.0.2.24 07.05.2007  no virus found
McAfee 5067 07.04.2007  no virus found
Microsoft 1.2701 07.05.2007  no virus found
NOD32v2 2379 07.04.2007 Win32/TrojanProxy.Dlena
Norman 5.80.02 07.04.2007  no virus found
Panda 9.0.0.4 07.05.2007  no virus found
Sophos 4.19.0 06.28.2007  no virus found
Sunbelt 2.2.907.0 07.04.2007 SpamTool.Win32.Agent.h
Symantec 10 07.05.2007 Trojan.Packed.9
TheHacker 6.1.6.142 07.04.2007 Trojan/Proxy.Dlena.cq
VBA32 3.12.0.2 07.05.2007  no virus found
VirusBuster 4.3.23:9 07.04.2007  no virus found
Webwasher-Gateway 6.0.1 07.05.2007 Trojan.Proxy.Dlena.CQ.4

This attacks Mozilla users... a matter of concern, I think.
STATUS: FINISHED
Complete scanning result of "Patch.exe", received in VirusTotal at 07.05.2007, 10:37:52 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.7.5.0 07.05.2007  no virus found
AntiVir 7.4.0.37 07.05.2007 BDS/Bifrose.NU
Authentium 4.93.8 07.04.2007  no virus found
Avast 4.7.997.0 07.04.2007  no virus found
AVG 7.5.0.476 07.04.2007 PSW.Ldpinch.JLP
BitDefender 7.2 07.05.2007  no virus found
CAT-QuickHeal 9.00 07.04.2007  no virus found
ClamAV devel-20070416 07.05.2007 Trojan.Pakes-248
DrWeb 4.33 07.05.2007  no virus found
eSafe 7.0.15.0 07.04.2007  no virus found
eTrust-Vet 30.8.3765 07.05.2007  no virus found
Ewido 4.0 07.05.2007  no virus found
FileAdvisor 1 07.05.2007  no virus found
Fortinet 2.91.0.0 07.05.2007  no virus found
F-Prot 4.3.2.48 07.04.2007  no virus found
F-Secure 6.70.13030.0 07.05.2007 PoisonIvy.gen15
Ikarus T3.1.1.8 07.05.2007 Backdoor.VB.EV
Kaspersky 4.0.2.24 07.05.2007  no virus found
McAfee 5067 07.04.2007  no virus found
Microsoft 1.2701 07.05.2007  no virus found
NOD32v2 2379 07.04.2007 Win32/Spy.Elife.F
Norman 5.80.02 07.04.2007 PoisonIvy.gen15
Panda 9.0.0.4 07.05.2007  no virus found
Sophos 4.19.0 06.24.2007  no virus found
Sunbelt 2.2.907.0 07.04.2007 VIPRE.Suspicious
Symantec 10 07.05.2007  no virus found
TheHacker 6.1.6.142 07.04.2007  no virus found
VBA32 3.12.0.2 07.05.2007  no virus found
VirusBuster 4.3.23:9 07.04.2007  no virus found

And these are just a portion of what's out there... I have many other not so widespread but equally
deadly malware which goes undetected by Avast :'( :'( :'(
No one to wipe my comp's tears  :'( :'(
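As an added example that is not part of the thread: a small Python parser for the plain-text VirusTotal report format pasted above, which computes per-sample detection ratios and the vendors that missed every submitted sample. The two embedded reports are constructed subsets of the results above; the "no virus found" wording and the empty VirusBuster result are the two forms a miss takes in that output.

```python
"""Summarise plain-text VirusTotal reports of the kind pasted in this thread.
Engine lines read  <Vendor> <Version> <dd.mm.yyyy> <Result>; an empty result or
"no virus found" is a miss. REPORT_A/REPORT_B are constructed subsets of the thread's output."""
import re
from dataclasses import dataclass

# Vendor and version are any non-blank tokens; the update date anchors the split.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s*(.*?)\s*$")

REPORT_A = """Antivirus Version Update Result
AntiVir 7.4.0.37 07.05.2007 TR/Dldr.DNSChanger.Gen
Authentium 4.93.8 07.04.2007 could be a corrupted executable file
Avast 4.7.997.0 07.04.2007  no virus found
NOD32v2 2379 07.04.2007 a variant of Win32/Small.FB
VirusBuster 4.3.23:9 07.04.2007
"""
REPORT_B = """Antivirus Version Update Result
AntiVir 7.4.0.37 07.05.2007 TR/Proxy.Dlena.CQ.4
Authentium 4.93.8 07.04.2007 W32/Trojan.AMZL
Avast 4.7.997.0 07.04.2007  no virus found
NOD32v2 2379 07.04.2007 Win32/TrojanProxy.Dlena
VirusBuster 4.3.23:9 07.04.2007  no virus found
"""

@dataclass
class EngineResult:
    vendor: str
    version: str
    updated: str
    result: str
    @property
    def detected(self) -> bool:
        # Any non-clean verdict counts, heuristic or ambiguous ones included,
        # so the ratio is an upper bound on engines that truly named the file.
        return bool(self.result) and not self.result.lower().startswith("no virus found")

def parse_report(text: str) -> list[EngineResult]:
    """Parse one report, skipping the header and any non-engine lines."""
    return [EngineResult(*m.groups()) for line in text.splitlines()
            if (m := LINE_RE.match(line.strip()))]

def detection_ratio(results: list[EngineResult]) -> tuple[int, int]:
    return sum(r.detected for r in results), len(results)

def misses(results: list[EngineResult]) -> list[str]:
    return [r.vendor for r in results if not r.detected]

def consistent_misses(reports: dict[str, str]) -> set[str]:
    """Vendors that missed every sample: the thread's complaint, in numbers."""
    per_sample = [set(misses(parse_report(t))) for t in reports.values()]
    return set.intersection(*per_sample) if per_sample else set()
```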

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
The best things in life are free.

sasin44

  • Guest
Re: rootkit not detection even after 20 days
« Reply #2 on: July 06, 2007, 11:28:53 AM »
Well, if ALWIL cannot come up with good enough heuristics then they should try a new concept called
"quick response"...
And my buddy gave me this unusual file for inspection... I used the Avast event blocker to stop the file from getting written, but there was a sequence of windows which I can't seem to make any sense of. Here are the screenshots... in order.
And after this the system automatically restarts...

sasin44

  • Guest
Re: rootkit not detection even after 20 days
« Reply #3 on: July 06, 2007, 11:34:08 AM »
And can someone translate this for me?

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: rootkit not detection even after 20 days
« Reply #4 on: July 06, 2007, 12:43:11 PM »
Quote
and can some one translate this for me

"You ate sh*t. System restart coming."  ;)

Turkish hackers. Charming.  ::)
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

sasin44

  • Guest
Re: rootkit not detection even after 20 days
« Reply #5 on: July 06, 2007, 01:03:21 PM »
Damn!!!! >:( >:(
Frigging morons...... I feel stupid... so what does the first screenshot mean?
And do the other two mean it tries to delete the Windows folder?
Damn, I feel sooooooooooooooooooooooooooo stupid.
For a second there I thought you were swearing, Frank  ;)

mauserme

  • Guest
Re: rootkit not detection even after 20 days
« Reply #6 on: July 06, 2007, 01:24:23 PM »
Here's a quote from the nBinder web site

Quote
The primary disadvantage of common archives (.zip .rar .ace etc.) is that once files have been archived they lose their direct functionality, meaning they first have to be unpacked using the application used to compress them and then run. nBinder comes to fix this problem combining the advantages of archives with the direct functionality of the uncompressed files and many more other options like password protection and anti hacking protection for executables or complex commands that enhance functionality. Files compressed with nBinder are transformed into standalone executable files (.exe) that when executed act the same as the packed files would if run uncompressed, maintaining their full direct functionality. For example a packed movie when run will open the movie in its default application, without the user having to decompress it first. You can use the files compressed (binded, protected) by nBinder without having nBinder or any other application installed on the computer. You can later extract the packed files from the output file either by using nBinder or by running the output file with a certain command line.

The web site seems safe enough (well, either that or I just ate some too) but being able to run a compressed executable without needing to uncompress it could cause us some problems.


EDIT:

There's more:

Quote
Compress executables (or any other file type) without affecting their direct functionality, so you don't have to unpack them before run.
Transform any type of file into an executable without affecting their direct functionality.
Password protect any kind of file without the file losing its direct functionality.
Add more functionality to your application by binding it and adding complex commands to it both before and after execution.
Keep your applications\offline local sites\documents updated by downloading the latest files from the Internet each time the output is launched.
Compact applications by packing the executable files along with their dlls and other resource files.
Bind dlls and other resource files to your executable so you can distribute your application as a single (smaller, protected) executable.
Protect your application by binding it and selecting the self delete option so that a user can use your application (output) only once, the file deleting itself after one run.
Make a silent installer for your application that will be able to install your application and its needed files to a certain directory and run your application when the install process is complete. Protect your applications against reverse-engineering and other hacks.
Transform any format in an executable without affecting its direct functionality.
Convert an entire web site (along with pictures and other resources) into a single executable.
Password protect your executables or any other file. Password protect your images, pictures, documents, projects, music ...etc. and at the same time compress them.
Compress your picture gallery or your music gallery and transform it into a single executable file so you can carry it with you everywhere.
Hide files inside an application and have them silently extracted to a certain directory.
Change executables icons.
Compress any file without losing its direct functionality.

Seems like the perfect program for a malware writer.
« Last Edit: July 06, 2007, 01:32:17 PM by mauserme »

sasin44

  • Guest
Re: rootkit not detection even after 20 days
« Reply #7 on: July 06, 2007, 01:54:43 PM »
Well, I guess it is yet another area to explore for malware coders...
I guess it's not so malware friendly, because nBinder warns the user that the file could harm the system.
Damn, some things are better left unsaid/un-translated/un-clicked/un-downloaded.
Man, this world is going to the dogs... trust has vanished  :-X

mauserme

  • Guest
Re: rootkit not detection even after 20 days
« Reply #8 on: July 06, 2007, 02:09:51 PM »
Your first screenshot almost makes it look like a marketing sample.  A "try before you buy" sort of thing.  Did your friend download the file or did it appear by itself?

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: rootkit not detection even after 20 days
« Reply #9 on: July 06, 2007, 02:52:44 PM »
The nBinder tool sounds like something malware writers would use to try and make a piece of malware undetectable but still runnable.
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

sasin44

  • Guest
Re: rootkit not detection even after 20 days
« Reply #10 on: July 06, 2007, 07:00:28 PM »
That moron downloaded the file... I don't know its full functionality though, 'cos I did not allow the program to write anything on my hard disk. It attempted to write some stuff in a number of locations.
I'll send it to ALWIL right away and we can be sure of no detection in another month at the least.

mauserme

  • Guest
Re: rootkit not detection even after 20 days
« Reply #11 on: July 06, 2007, 11:30:24 PM »
This program (nBinder) is all over the free download sites.  Maybe your detections are not related.

sasin44

  • Guest
Re: rootkit not detection even after 20 days
« Reply #12 on: July 07, 2007, 10:44:17 AM »
000754-4: no detection of my old malware. Guess the BATCH has not yet gone for analysis.

And the VirusTotal analysis of nBinder is:
AhnLab-V3 2007.7.7.0 07.06.2007  no virus found
AntiVir 7.4.0.39 07.06.2007 HEUR/Crypted
Authentium 4.93.8 07.07.2007 W32/Downloader2.AHZF
Avast 4.7.997.0 07.06.2007  no virus found
AVG 7.5.0.476 07.06.2007  no virus found
BitDefender 7.2 07.07.2007  no virus found
CAT-QuickHeal 9.00 07.06.2007  no virus found
ClamAV devel-20070416 07.06.2007 Trojan.Spy-4973
DrWeb 4.33 07.07.2007  no virus found
eSafe 7.0.15.0 07.06.2007 Suspicious Trojan/Worm
eTrust-Vet 30.8.3769 07.07.2007  no virus found
Ewido 4.0 07.07.2007  no virus found
FileAdvisor 1 07.07.2007  no virus found
Fortinet 2.91.0.0 07.07.2007  no virus found
F-Prot 4.3.2.48 07.06.2007 W32/Downloader2.AHZF
F-Secure 6.70.13260.0 07.06.2007 Possibly malicious
Ikarus T3.1.1.8 07.07.2007 Trojan-PWS.Win32.Agent.BU
Kaspersky 4.0.2.24 07.07.2007  no virus found
McAfee 5069 07.06.2007  no virus found
Microsoft 1.2704 07.07.2007  no virus found
NOD32v2 2383 07.06.2007  no virus found
Norman 5.80.02 07.06.2007  no virus found
Panda 9.0.0.4 07.07.2007  no virus found
Sophos 4.19.0 07.06.2007  no virus found
Sunbelt 2.2.907.0 07.07.2007  no virus found
Symantec 10 07.07.2007  no virus found
TheHacker 6.1.6.143 07.05.2007  no virus found
VBA32 3.12.0.2 07.07.2007  no virus found
VirusBuster 4.3.23:9 07.06.2007  no virus found
Webwasher-Gateway 6.0.1 07.07.2007 Heuristic.Crypted

Just wish that Avast had heuristics.


Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: rootkit not detection even after 20 days
« Reply #13 on: July 07, 2007, 01:56:58 PM »
Quote
Guess the BATCH has not yet gone for analysis

Guess that you already sent the file for analysis. It will help much more than waiting for VirusTotal to send it to Alwil.
Can you send the samples to virus@avast.com ?
The preferred way for submitting samples is e-mail (or sending them from Chest).
The best things in life are free.

mauserme

  • Guest
Re: rootkit not detection even after 20 days
« Reply #14 on: July 07, 2007, 02:45:29 PM »
Why don't you post a ComboFix and HJT log and we'll get this cleaned up.