Author Topic: Very suspicious file found.  (Read 2808 times)

0 Members and 1 Guest are viewing this topic.

Offline anonim1979

  • Newbie
  • *
  • Posts: 2
Very suspicious file found.
« on: February 04, 2009, 05:23:39 AM »
In 2 (differen exe) exe rar .sfx files to original files (repacked) were atached aditional (the same 85kb) .exe's

IEPGMO~1.EXE (size 85,504 bytes)
IJIPIH~1.EXE (size 85,504 bytes)

Adware/spyware/troyan

For now clean in all online test
( http://virusscan.jotti.org/ )

Atached below as .txt file

-- never ever add the samples into the attachments --
« Last Edit: February 04, 2009, 11:18:31 AM by Maxx_original »

Offline DavidR

  • Avast Ɯberevangelist
  • Certainly Bot
  • *****
  • Posts: 81650
  • No support PMs thanks
Re: Very suspicious file found.
« Reply #1 on: February 04, 2009, 05:06:35 PM »
VirusTotal provides mor scanners, 39 at the last count but you could try there.

VirusTotal - Multi engine on-line virus scanner and report the findings here the URL in the Address bar of the VT results page.

There is another tool that is useful, Anubis: Analyzing Unknown Binaries
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 19.6.2383 (build: 19.6.4546.508)/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ WinPatrol+/

Offline anonim1979

  • Newbie
  • *
  • Posts: 2
Re: Very suspicious file found.
« Reply #2 on: February 04, 2009, 05:34:07 PM »
I run that file by accident yesterday (after making this thread) (missed one "up arrow" keystroke when moving in dir in Total Commander) so I'm REALLY interested now what that file does :(


To DavidR
Thanks, I checked both:

1st gave only one detection (of 39 scaners) + one suspition warning
http://www.virustotal.com/pl/analisis/613cd52c645ed6233ab1a5d544aea997
Quote
AhnLab-V3    5.0.0.2    2009.01.31    Win-Trojan/Downloader.85504.E

I would like to ask to help to analyse 2nd one:
(results of scan:)
http://anubis.iseclab.org/?action=result&task_id=193478223de967634f1882e57522913a1

Does this file/trojan hack and sends Active Directory passwords?

Quote
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\DOCUME~1\user\LOCALS~1\Temp\1956640_res.tmp ]
        File Name: [ PIPE\lsarpc ]
        File Name: [ PIPE\samr ]
        File Name: [ WMIDataDevice ]


[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 24 times
        File: [ PIPE\samr ], Control Code: [ 0x0011C017 ], 15 times

Offline DavidR

  • Avast Ɯberevangelist
  • Certainly Bot
  • *****
  • Posts: 81650
  • No support PMs thanks
Re: Very suspicious file found.
« Reply #3 on: February 04, 2009, 06:32:50 PM »
Well I just looked at the summary and that was enough for me

Quote
Summary:
    - Performs File Modification and Destruction:
        The executable modifiesand destructs files which are not temporary.

    - Performs Registry Activities:
        The executable reads and modifies registry values. It also creates and
        monitors registry keys.

I'm not that familiar with the output so I can't say what it does exactly, but you should send/submit the files to avast and I would give the anubis URL in the info also.

You can also add the file to the User Files (File, Add) section of the avast chest  where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.

Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

- To avoid waiting for the next auto update, right click the avast 'a' icon, select Updating, iAVS Update. During the update check you should notice the file being uploaded. Periodically scan the file from inside Chest, after VPS updates, when it is no longer detected you can restore the file/ to their original location/s.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 19.6.2383 (build: 19.6.4546.508)/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ WinPatrol+/