Author Topic: flash worm ?  (Read 8461 times)

wchris

  • Guest
flash worm ?
« on: February 22, 2010, 08:30:56 AM »
if you're not an avast professional please DO NOT DOWNLOAD THIS FILE.

for 3 days i have been getting spam that tricks me into downloading a file here http://www.users.qwest.net/~ lorddaven/Links/FlashPlayer10.0.45.2.exe

i did NOT install it

i guess it's a malware but avast does not detect it, and kaspersky online file scanner fails too.

it can't be a true file, there's no reason to trick me into downloading it if it's not a trojan.

Please Avast detect this, don't wait for competitors

i also think the web page hosting this was hacked and its author is unaware of the problem.

can you check this file ?

thank you

« Last Edit: February 22, 2010, 09:49:42 AM by wchris »

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: flash worm ?
« Reply #1 on: February 22, 2010, 09:13:38 AM »
It looks as though it's an actual Adobe Flash player, the current version.
MBAM scans clean, as does Avast.
VirusTotal results 3/41, with Norman, K7, and Symantec identifying something suspicious.

It could easily be fake, it's not digitally signed.
I've uploaded it to Alwil for more checks.
Windows 10,Windows Firewall,Firefox w/Adblock.
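
Reply #1 treats the missing digital signature as a warning sign. As an added example (not part of the thread and not any poster's code), this Python function reads a PE header and reports whether an Authenticode certificate table is embedded at all; the names `embedded_signature` and `sample_pe` are hypothetical and the sample headers are constructed for the demo.

```python
import struct

SECURITY_DIR = 4  # index of the Certificate Table among the PE data directories

def embedded_signature(pe: bytes):
    """Return (file_offset, size) of the Authenticode blob, or None if unsigned.

    A non-None result only shows that a signature is embedded; validating the
    signer and chain is a separate step done against the OS trust store.
    """
    try:
        if pe[:2] != b"MZ":
            raise ValueError("no MZ header")
        (nt,) = struct.unpack_from("<I", pe, 0x3C)         # e_lfanew
        if pe[nt:nt + 4] != b"PE\0\0":
            raise ValueError("no PE signature")
        opt = nt + 4 + 20                                  # skip 20-byte COFF header
        (magic,) = struct.unpack_from("<H", pe, opt)
        dirs = opt + {0x10B: 96, 0x20B: 112}[magic]        # PE32 / PE32+
        (count,) = struct.unpack_from("<I", pe, dirs - 4)  # NumberOfRvaAndSizes
        if count <= SECURITY_DIR:
            return None
        off, size = struct.unpack_from("<II", pe, dirs + 8 * SECURITY_DIR)
    except (struct.error, KeyError) as exc:
        raise ValueError("truncated or malformed PE header") from exc
    if off == 0 or size == 0:
        return None                                        # no certificate table
    if off + size > len(pe):
        raise ValueError("certificate table points past end of file")
    return off, size

def sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32 header for the demo; not a real program."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    nt = b"PE\0\0" + b"\0" * 20
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    dirs = bytearray(16 * 8)
    blob = b""
    if signed:
        # WIN_CERTIFICATE stub: length, revision 2.0, PKCS#7 type, padding
        blob = struct.pack("<IHH", 16, 0x0200, 0x0002) + b"\0" * 8
        struct.pack_into("<II", dirs, 8 * SECURITY_DIR, 312, len(blob))
    return dos + nt + opt + bytes(dirs) + blob

if __name__ == "__main__":
    for label, data in (("unsigned", sample_pe(False)), ("signed", sample_pe(True))):
        print(label, embedded_signature(data))
```
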

wchris

  • Guest
Re: flash worm ?
« Reply #2 on: February 22, 2010, 09:51:21 AM »
Quote from: Tarq57
> It looks as though it's an actual Adobe Flash player, the current version.
> MBAM scans clean, as does Avast.
> VirusTotal results 3/41, with Norman, K7, and Symantec identifying something suspicious.
>
> It could easily be fake, it's not digitally signed.
> I've uploaded it to Alwil for more checks.

Ok thank you, i modified the link with a space after the ~ to avoid people downloading it

do you think you'll get feedback if they find a threat inside ? i would really like to know what 'gift' was included.

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: flash worm ?
« Reply #3 on: February 22, 2010, 10:00:55 AM »
It's possible I'd get a reply, it has happened before, but I wouldn't expect one.
The most likely thing is that if it is detected as containing malware, it will be added to a definitions file in the future.

The only way to know if this happens is to periodically scan it. I'll do that from time to time with the copy of it I've placed in the chest; I've deleted the original.

I'm not enough of an expert to try running it myself, and have no test computer. It may be alright- quite likely is, but who knows? Maybe someone more expert will have a look.

The downloading of the file itself is harmless enough; what happens if it is run is the unknown.

For yourself, it's always best to get such programs from the home page (Adobe/Macromedia in this case) rather than responding to a third party request to install them.
Windows 10,Windows Firewall,Firefox w/Adblock.

psw

  • Guest
Re: flash worm ?
« Reply #4 on: February 22, 2010, 10:25:47 AM »
Quote from: wchris
> do you think you'll get feedback if they find a threat inside ? i would really like to know what 'gift' was included.

I have launched this exe on my VM. Obvious effect - it substitutes TaskManager with its own recycle.exe located at C:\RECYCLER\S-1-5-21-...
So definitely this is a fake.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33921
  • malware fighter
Re: flash worm ?
« Reply #5 on: February 22, 2010, 02:01:53 PM »
Hi psw,

See: http://www.prevx.com/filenames/X732823755612345244-X1/RECYCLE.EXE.html
Component Name: RECYCLE.EXE

Description of : Silent Watcher allows third parties to take over your computer with full access rights. It uses TVicHW32 5.0 support routines and structures to allow a hacker read/write access to the ports and hard drives and SvCom to employ NT networking services.

Recommendation for :
It is highly recommended that this application be removed. Non-removal of this application will leave you defenseless against attackers who can take control of your computer,

polonus


Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

wchris

  • Guest
Re: flash worm ?
« Reply #6 on: February 22, 2010, 03:41:41 PM »
Quote from: polonus
> Hi psw,
>
> See: http://www.prevx.com/filenames/X732823755612345244-X1/RECYCLE.EXE.html
> Component Name: RECYCLE.EXE
>
> Description of : Silent Watcher allows third parties to take over your computer with full access rights. It uses TVicHW32 5.0 support routines and structures to allow a hacker read/write access to the ports and hard drives and SvCom to employ NT networking services.
>
> Recommendation for :
> It is highly recommended that this application be removed. Non-removal of this application will leave you defenseless against attackers who can take control of your computer,
>
> polonus

Thank you Polonus for the link.

i myself googled for "Silent Watcher" but did not get many hits.

wow this "Silent watcher" is really an awful thing, i'm sure getting rid of it once installed is a nightmare

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89145
  • No support PMs thanks
Re: flash worm ?
« Reply #7 on: February 22, 2010, 04:49:21 PM »
I hope you have learned a valuable lesson, don't click links (or open attachments) in unsolicited emails, no matter how legit they might appear.

For software updates always go to the source yourself rather than click a link provided for you.

If you downloaded the legit file to install flash player, the file name wouldn't look anything like this with the multiple periods, FlashPlayer10.0.45.2.exe; it would be something like this: install_flash_player.exe (for firefox). When you hover over the file name it would show the Description, Company, Creation Date and version number, so there is no need for that version number to appear in the file name.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

wchris

  • Guest
Re: flash worm ?
« Reply #8 on: February 22, 2010, 07:23:31 PM »
Quote from: DavidR
> I hope you have learned a valuable lesson, don't click links (or open attachments) in unsolicited emails, no matter how legit they might appear.

I did NOT open it, i just wanted to know what's inside.

Also i use a web mail client, and there is no need to open an attachment or click a link, there's an image in the mail that directly launches the link to download the file without doing anything. The user just watches his mail and is redirected to a page and prompted to download the file with the standard message (execute/download/cancel) ... i said cancel ... but posted the link to the file here to know how evil it is.

i got the same spam three times this week so i felt attacked, and wanted to know my enemy's weapon better.

i think the installer is also evil, not only the final recycle.exe; like polonus shows, the installer does plenty of nasty things and should also be stopped by antivirus if possible.

thank you

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33921
  • malware fighter
Re: flash worm ?
« Reply #9 on: February 22, 2010, 08:23:09 PM »
Hi wchris,

This infection can be cleared using a program like MBAM. Download here:
http://www.malwarebytes.org/mbam-download.php

You could give a log after running it as an attached txt file,

polonus
« Last Edit: February 22, 2010, 09:33:06 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37549
  • Not a avast user
Re: flash worm ?
« Reply #10 on: February 22, 2010, 10:39:45 PM »
Norman is saying this detection (FlashPlayer10.0.45.2.exe) is real......no FP
« Last Edit: February 22, 2010, 10:41:34 PM by Pondus »

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: flash worm ?
« Reply #11 on: February 25, 2010, 10:45:38 AM »
I ran a routine MBAM scan today, and this was detected as "(Spyware.OnLineGames)" from within my recycle bin.
Still not detected by Avast.
Yet.
Windows 10,Windows Firewall,Firefox w/Adblock.

bong2x

  • Guest
Re: flash worm ?
« Reply #12 on: February 25, 2010, 11:25:31 AM »
spyware stay in your cookies that why you need anti spy ware avast is a resident police spyware is emigrant that you need emigration in your system(anti-spyware)
here something but i don't like to say to anyone
avast - resident police - enforce all data to maintain normal activities in your system
antimalware - catching rebellion on your system
antispyware - serve as emigration on your system
unlucker(not recommended to stupid) - human inter-phase for deleting some active element ( martial law) ;D
* please don't make this reference i'm just fooling around :) ;) ;D ::)*

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: flash worm ?
« Reply #13 on: February 25, 2010, 11:55:58 AM »
By all means, fool around. ::)
I'd appreciate it if you didn't fool around too much, though, this can be a fairly serious business. Especially in this sub-forum, where people who are infected often come for help.
Serious infections can cost people a lot of money.
By "don't fool around", an example is:
Quote from: bong2x
> spyware stay in your cookies

This, frankly, is rubbish. >:(
The other aspects of the analogy you posted are somewhat creative, though not especially apropos, to my mind.
(BTW "unlucker" is spelled unlocker.)
Windows 10,Windows Firewall,Firefox w/Adblock.

bong2x

  • Guest
Re: flash worm ?
« Reply #14 on: February 25, 2010, 12:07:48 PM »
oh sorry! i said that to investigate :'( i wrote unlucker cause if you're not lucky to delete then you can scrap your computer ;D but please sorry again ;)