Author Topic: Undetected virus  (Read 4307 times)


pranaysharma94

  • Guest
Undetected virus
« on: May 02, 2009, 04:12:57 PM »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89218
  • No support PMs thanks
Re: Undetected virus
« Reply #1 on: May 02, 2009, 04:54:31 PM »
Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help, plus the VT results link and undetected malware in the subject.
 
Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already there) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.
 
Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Omid Farhang

  • Frontend Developer
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1660
  • I wish I could write longer personal text!!
    • Homepage
Re: Undetected virus
« Reply #2 on: May 02, 2009, 04:57:54 PM »
Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help, plus the VT results link and undetected malware in the subject.
 
Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already there) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.
 
Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.
Thanks for the info ;D ;D ;D ;D ;D
Twitter: OmidFarhangEn - OS: Manjaro KDE

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89218
  • No support PMs thanks
Re: Undetected virus
« Reply #3 on: May 02, 2009, 05:09:31 PM »
You're welcome.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

pranaysharma94

  • Guest
Re: Undetected virus
« Reply #4 on: May 02, 2009, 07:47:22 PM »
Actually it's a keygen..... you know that XP and other AV programs are not fond of keygens.... so it might not actually be a virus ::) ::) ::)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: Undetected virus
« Reply #5 on: May 02, 2009, 07:58:41 PM »
Hi Pranay,

We treated this malcode here: http://forum.avast.com/index.php?topic=37513.0
Was yours also related to BBOX Trial Client DLL: http://www.processlibrary.com/directory/files/vboxs430/ ? Obviously this threat was covered by a packer of the kind usually used by hackers.

System Changes

These are general defaults for typical path variables. (Although they may differ, these examples are common.):
%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files

The following registry elements have been created:

# HKEY_CURRENT_USER\_reg\

    * shell = "c:\windows\system32\rundll32.exe" "c:\windows\system32\shell32.dll",control_rundll "c:\docume~1\admini~1\locals~1\temp\dat15.tmp"

# HKEY_LOCAL_MACHINE\software\classes\clsid\{e25c29ab-12b9-4523-a53c-324b5fba648c}\inprocserver32\

    * (default) = c:\docume~1\admini~1\locals~1\temp\dat15.tmp
    * threadingmodel = apartment

The following registry elements have been changed:

# HKEY_CURRENT_USER\sessioninformation\

    * programcount = 2

# HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\desktop\

    * mrulist = [binary data]
    * rxmru = [binary data]

# HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\desktop\

    * mrulist = [binary data]
    * rxmru = [binary data]
    * sysfile = c:\documents and settings\administrator\local settings\temp\2.exe

The following registry elements have been deleted:

# HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\desktop\

    * sysfile = c:\documents and settings\administrator\local settings\temp\2.exe

Symptoms

The symptoms of this detection are the files, registry changes, and network communication referenced in the characteristics section.

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.

Considerations: there may be variants.

     polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
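The "System Changes" listing above is only useful to someone checking their own machine if it can be turned into a list of concrete registry indicators and looked up. The following script is an added example, not code from the forum post or from Avast: it parses the report layout used in the post (a `# <key>` header followed by `* name = data` lines, with long data wrapped onto indented continuation lines, as happened to the `shell` value), matches the resulting indicators against a registry snapshot, and, on a Windows host only, reads the real values through the standard `winreg` module. The sample text, the snapshot format and every function name are this example's own assumptions.

```python
"""Parse a 'System Changes' registry listing into indicators and check for them.

Added example for the thread above; not the forum's or Avast's code. The sample
report below is a constructed copy of the 'created' section quoted in the post.
"""
import re
import sys
from typing import Dict, List, Optional, Tuple

# Constructed sample: the "created" section of the report, wrapped exactly as posted.
SAMPLE_REPORT = r"""
The following registry elements have been created:

# HKEY_CURRENT_USER\_reg\

    * shell = "c:\windows\system32\rundll32.exe" "c:\windows\system32
      \shell32.dll",control_rundll "c:\docume~1\admini~1\locals~1\temp
      \dat15.tmp"

# HKEY_LOCAL_MACHINE\software\classes\clsid\{e25c29ab-12b9-4523-a53c-324b5fba648c}\inprocserver32\

    * (default) = c:\docume~1\admini~1\locals~1\temp\dat15.tmp
    * threadingmodel = apartment
"""

Indicator = Tuple[str, str, str]      # (key path, value name, data as reported)
Snapshot = Dict[str, Dict[str, str]]  # {key path: {value name: data}}

VALUE_LINE = re.compile(r"^\s*\*\s*(.+?)\s*=\s*(.*)$")


def parse_report(text: str) -> List[Indicator]:
    """Read '# key' and '* name = data' lines; rejoin data that was wrapped."""
    indicators: List[Indicator] = []
    key: Optional[str] = None
    current: Optional[Tuple[str, str]] = None

    def flush() -> None:
        if key is not None and current is not None:
            indicators.append((key, current[0], current[1]))

    for raw in text.splitlines():
        line = raw.rstrip()
        m = VALUE_LINE.match(line)
        if line.startswith("# "):
            flush()
            current = None
            key = line[2:].strip().rstrip("\\")
        elif m:
            flush()
            current = (m.group(1), m.group(2))
        elif current is not None and line.startswith("      "):
            # The report wraps long data at a backslash, so pieces join with no separator.
            current = (current[0], current[1] + line.strip())
    flush()
    return indicators


def normalise(path: str) -> str:
    # Registry key paths and value names are case-insensitive on Windows.
    return path.lower().rstrip("\\")


def check_snapshot(indicators: List[Indicator], snapshot: Snapshot) -> List[Indicator]:
    """Return (key, name, observed data) for each indicator value present in the snapshot."""
    norm = {normalise(k): {n.lower(): d for n, d in vals.items()} for k, vals in snapshot.items()}
    hits: List[Indicator] = []
    for key, name, _reported in indicators:
        vals = norm.get(normalise(key))
        if vals is not None and name.lower() in vals:
            hits.append((key, name, vals[name.lower()]))
    return hits


def loads_payload_from_temp(data: str) -> bool:
    """Heuristic for the reviewer: rundll32 pointed at a file under a temp directory,
    as the reported 'shell' value is, deserves a look even if the file name differs."""
    d = data.lower()
    return "rundll32" in d and "\\temp\\" in d


def live_snapshot(indicators: List[Indicator]) -> Optional[Snapshot]:
    """Read the indicator values from the real registry; None when not on Windows."""
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows
    hives = {"HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER,
             "HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE}
    snap: Snapshot = {}
    for key, name, _ in indicators:
        hive, _, subkey = key.partition("\\")
        try:
            with winreg.OpenKey(hives[hive], subkey) as handle:
                data, _type = winreg.QueryValueEx(handle, "" if name == "(default)" else name)
        except (OSError, KeyError):
            continue  # key or value absent: the expected result on a clean machine
        snap.setdefault(key, {})[name] = str(data)
    return snap


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for key, name, data in found:
        flag = "  <- rundll32 loading from temp" if loads_payload_from_temp(data) else ""
        print(f"{key} :: {name} = {data}{flag}")
    snap = live_snapshot(found)
    if snap is None:
        print("not on Windows; skipping live registry check")
    else:
        print("live matches:", check_snapshot(found, snap) or "none")
```

The matcher reports a value as present whenever the key and value name exist, and shows the observed data rather than requiring an exact match, because paths such as `c:\docume~1\admini~1\...` depend on the logged-in user and will differ from the report on another machine; that is also why the manual check described later in the thread is easy to get wrong by looking for the literal strings only.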

pranaysharma94

  • Guest
Re: Undetected virus
« Reply #6 on: May 02, 2009, 08:20:49 PM »
Hi Pranay,

We treated this malcode here: http://forum.avast.com/index.php?topic=37513.0
Was yours also related to BBOX Trial Client DLL: http://www.processlibrary.com/directory/files/vboxs430/ ? Obviously this threat was covered by a packer of the kind usually used by hackers.

System Changes

These are general defaults for typical path variables. (Although they may differ, these examples are common.):
%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files

The following registry elements have been created:

# HKEY_CURRENT_USER\_reg\

    * shell = "c:\windows\system32\rundll32.exe" "c:\windows\system32\shell32.dll",control_rundll "c:\docume~1\admini~1\locals~1\temp\dat15.tmp"

# HKEY_LOCAL_MACHINE\software\classes\clsid\{e25c29ab-12b9-4523-a53c-324b5fba648c}\inprocserver32\

    * (default) = c:\docume~1\admini~1\locals~1\temp\dat15.tmp
    * threadingmodel = apartment

The following registry elements have been changed:

# HKEY_CURRENT_USER\sessioninformation\

    * programcount = 2

# HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\desktop\

    * mrulist = [binary data]
    * rxmru = [binary data]

# HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\desktop\

    * mrulist = [binary data]
    * rxmru = [binary data]
    * sysfile = c:\documents and settings\administrator\local settings\temp\2.exe

The following registry elements have been deleted:

# HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\desktop\

    * sysfile = c:\documents and settings\administrator\local settings\temp\2.exe

Symptoms

The symptoms of this detection are the files, registry changes, and network communication referenced in the characteristics section.

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.

Considerations: there may be variants.

     polonus

Hmmmm, actually I scanned my registry myself (manually) and found out that none of the changes above have taken place......

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: Undetected virus
« Reply #7 on: May 02, 2009, 08:30:18 PM »
Hi Pranay,

I do not doubt your words, as this info was the official info on the malware for which you gave the names, as it was a generic name it might have been similarity in the packer used that made the flag come down for this one. There are more dogs to answer the same name when called. I just wanted to present the information as it was previously discussed in this here forum.
Thanks for reporting and the attention for it that was renewed.
The general motto here is: "Stay vigilant and trust nothing and no-one on the Internet, and stay away from things that look too good to be true; in more than one case they are not golden rimmed but come with some darker clouds attached, something we call malcode!"

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

pranaysharma94

  • Guest
Re: Undetected virus
« Reply #8 on: May 02, 2009, 08:37:56 PM »
So.... is this a virus?????
« Last Edit: May 03, 2009, 06:40:55 PM by Pranay »