Author Topic: W32:Malware-gen showing on scan - maybe Murlo downloader  (Read 10066 times)


ken_turbine

  • Guest
W32:Malware-gen showing on scan - maybe Murlo downloader
« on: February 26, 2010, 09:33:37 PM »
Back again,

I did a scan tonight and got W32:Malware-gen showing.
This time I sent the file to Virustotal and got the following listing

The file is part of Worms-3D which I have had loaded for several years.

I would appreciate any help please.

Ken turbine

edited to add info :
file is launcher.exe from Worms-3D
detected in natural folder and a restore file

system:
bespoke setup
AMD processor
Win XP home SP3
avast
Spybot S&D

File Launcher.exe received on 2010.02.23 16:02:51 (UTC)
Current status: finished
Result: 10/41 (24.39%)
Antivirus    Version    Last Update    Result
a-squared    4.5.0.50    2010.02.23    Trojan-Downloader.Murlo!IK
AhnLab-V3    5.0.0.2    2010.02.23    -
AntiVir    8.2.1.172    2010.02.23    TR/Dldr.Murlo.ets
Antiy-AVL    2.0.3.7    2010.02.23    Trojan/Win32.Murlo.gen
Authentium    5.2.0.5    2010.02.23    -
Avast    4.8.1351.0    2010.02.23    -
AVG    9.0.0.730    2010.02.23    -
BitDefender    7.2    2010.02.23    -
CAT-QuickHeal    10.00    2010.02.23    TrojanDownloader.Murlo.dyz
ClamAV    0.96.0.0-git    2010.02.23    -
Comodo    4036    2010.02.23    -
DrWeb    5.0.1.12222    2010.02.23    -
eSafe    7.0.17.0    2010.02.23    Win32.TRDldr.Murlo.E
eTrust-Vet    35.2.7323    2010.02.23    -
F-Prot    4.5.1.85    2010.02.22    -
F-Secure    9.0.15370.0    2010.02.23    -
Fortinet    4.0.14.0    2010.02.21    -
GData    19    2010.02.23    -
Ikarus    T3.1.1.80.0    2010.02.23    Trojan-Downloader.Murlo
Jiangmin    13.0.900    2010.02.23    -
K7AntiVirus    7.10.980    2010.02.22    -
Kaspersky    7.0.0.125    2010.02.23    Trojan-Downloader.Win32.Murlo.exq
McAfee    5900    2010.02.22    -
McAfee+Artemis    5900    2010.02.22    Artemis!39A2D3F7BB9A
McAfee-GW-Edition    6.8.5    2010.02.23    Trojan.Dldr.Murlo.ets
Microsoft    1.5406    2010.02.23    -
NOD32    4890    2010.02.23    -
Norman    6.04.08    2010.02.23    -
nProtect    2009.1.8.0    2010.02.23    -
Panda    10.0.2.2    2010.02.22    -
PCTools    7.0.3.5    2010.02.23    -
Prevx    3.0    2010.02.23    -
Rising    22.34.01.03    2010.02.11    -
Sophos    4.50.0    2010.02.23    -
Sunbelt    5694    2010.02.23    Trojan.Win32.Generic!BT
Symantec    20091.2.0.41    2010.02.23    -
TheHacker    6.5.1.6.206    2010.02.23    -
TrendMicro    9.120.0.1004    2010.02.23    -
VBA32    3.12.12.2    2010.02.23    -
ViRobot    2010.2.23.2198    2010.02.23    -
VirusBuster    5.0.27.0    2010.02.23    -
Additional information
File size: 389120 bytes
MD5   : 39a2d3f7bb9a64705ef00bc5e819106d
SHA1  : 68261115f2202cb4784f4efa15da581f39ce5076
SHA256: 4c7a745e15c1ba34285b06f89ca16320612b16bc63983078eab9589cde3d2db5
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xF132
timedatestamp.....: 0x3F7C4147 (Thu Oct 2 17:16:23 2003)
machinetype.......: 0x14C (Intel I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x28DEE 0x29000 6.61 fa5aa9d4018980e8251a06c414001b3b
.rdata 0x2A000 0xAC62 0xB000 4.93 11c9b0499088a4c97e3f27dadc76cc51
.data 0x35000 0x5994 0x3000 3.41 d4da59d64b9c024b2b9c1bdd4996fb94
.rsrc 0x3B000 0x26080 0x27000 6.66 915a2dcbc31b99155afc7dcdcc618869

( 11 imports )

( 0 exports )
TrID  : File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
ssdeep: 6144:+OlRzkvXYrYNip47mxAGElRS60U1P3tuOLy5h29f0:+wWvXYrfmSxAGsY6nP8eIhE0
sigcheck: publisher....: Team17 Software Ltd
copyright....: Copyright (C) 2003 Team17 Ltd
product......: Launcher Application
description..: Worms3D Launcher Application
original name: Launcher.EXE
internal name: Launcher
file version.: 1, 0, 0, 1
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEiD  : -
RDS   : NSRL Reference Data Set
-

ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.
« Last Edit: February 26, 2010, 09:42:21 PM by ken_turbine »
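Before submitting a suspected false positive, it is worth confirming that the copy on disk (and the restore-file copy) is byte-for-byte the sample the VirusTotal report describes, so the vendor verdicts above actually apply to it. The script below is an added example, not something from the thread or from Team17; it recomputes the three digests the report lists, compares them, and decodes the PE header TimeDateStamp as UTC (the report shows the same instant, 0x3F7C4147, in a UTC+2 zone; that offset is an assumption).

```python
import datetime
import hashlib
import sys

# Digests quoted in the VirusTotal report for Launcher.exe (taken from the post).
REPORTED = {
    "md5": "39a2d3f7bb9a64705ef00bc5e819106d",
    "sha1": "68261115f2202cb4784f4efa15da581f39ce5076",
    "sha256": "4c7a745e15c1ba34285b06f89ca16320612b16bc63983078eab9589cde3d2db5",
}


def compute_hashes(data: bytes) -> dict:
    """Return the md5/sha1/sha256 hex digests of a file's contents."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_report(data: bytes, reported: dict = REPORTED) -> bool:
    """True only if every digest listed in the report matches the given bytes."""
    actual = compute_hashes(data)
    return all(actual[name] == value.lower() for name, value in reported.items())


def pe_timestamp(stamp: int) -> datetime.datetime:
    """Decode a PE COFF header TimeDateStamp (seconds since the Unix epoch) as UTC."""
    return datetime.datetime.fromtimestamp(stamp, tz=datetime.timezone.utc)


def check_file(path: str) -> bool:
    """Hash a file on disk and report whether it is the sample VirusTotal analysed."""
    with open(path, "rb") as fh:
        data = fh.read()
    ok = matches_report(data)
    print(f"{path}: {'same sample as the VT report' if ok else 'DIFFERENT file'}")
    return ok


if __name__ == "__main__":
    # Usage: python3 check_sample.py Launcher.exe [restore-copy.exe ...]
    for p in sys.argv[1:]:
        check_file(p)
    print("PE header build time (UTC):", pe_timestamp(0x3F7C4147))
```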

hpguru

  • Guest
Re: W32:Malware-gen showing on scan - maybe Murlo downloader
« Reply #1 on: February 26, 2010, 09:37:35 PM »
Send this file to virus(at)avast(dot)com

- subject: virus report etc.
- attach the zip (password protected)
- put the password in the email body (example: password: xx xx)

ken_turbine

  • Guest
Re: W32:Malware-gen showing on scan - maybe Murlo downloader
« Reply #2 on: February 26, 2010, 09:46:35 PM »
hpguru
Sorry to be pedantic, but I do not want to make any mistakes.

You wish me to put the 'infected' file into password protected zip file
then e-mail it to the address given, in an e-Mail which also has the password .
Is this correct?

Ken turbine

hpguru

  • Guest
Re: W32:Malware-gen showing on scan - maybe Murlo downloader
« Reply #3 on: February 26, 2010, 09:50:05 PM »
If I understand you correctly, you want to know why avast doesn't find the virus that the VirusTotal service found. If so, please send the virus, following the above instructions, to avast for laboratory testing.

Yes, this is correct.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33938
  • malware fighter
Re: W32:Malware-gen showing on scan - maybe Murlo downloader
« Reply #4 on: February 26, 2010, 09:51:52 PM »
Hi ken_turbine,

The malware can be cured with SAS, Superantispyware; use it and it will find spyware and trojans that are missed by all others or that they are unable to clean.
Download from: http://www.superantispyware.com

Another anti-malware scanner that removes this is MBAM, download from:
http://www.malwarebytes.org/mbam-download.php

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

ken_turbine

  • Guest
Re: W32:Malware-gen showing on scan - maybe Murlo downloader
« Reply #5 on: February 26, 2010, 09:56:52 PM »
Polonus,
I have downloaded SAS, but it has not gone to the normal place my downloads go to (a 'Downloads' folder). Any ideas where it will have gone, and if I cannot find it, is it OK to download again?

Ken

Found it - looking for new folder not straight file  -  Doh!
« Last Edit: February 26, 2010, 10:07:31 PM by ken_turbine »

hpguru

  • Guest
Re: W32:Malware-gen showing on scan - maybe Murlo downloader
« Reply #6 on: February 26, 2010, 10:06:28 PM »
Did you try checking your web browser options or Windows search?

ken_turbine

  • Guest
Re: W32:Malware-gen showing on scan - maybe Murlo downloader
« Reply #7 on: February 26, 2010, 10:35:33 PM »
I restored the file from the Virus Chest (my first reaction to any warning is to put it in the chest and then find out about it). I have run SAS and it has come up clean apart from fixing five tracker cookies.
I am puzzled, is this a possible false positive or did SAS identify the trojan as a tracker and eliminate it?

Ken turbine ???

hpguru

  • Guest
Re: W32:Malware-gen showing on scan - maybe Murlo downloader
« Reply #8 on: February 26, 2010, 10:41:12 PM »
In my opinion you should try Malwarebytes' Anti-Malware. Remember to update the database first. A false positive is possible; I recommend you send this file to the Alwil virus lab.
« Last Edit: February 26, 2010, 10:42:48 PM by hpguru »

ken_turbine

  • Guest
Re: W32:Malware-gen showing on scan - maybe Murlo downloader
« Reply #9 on: February 26, 2010, 11:10:10 PM »
hpguru
I have now also run a Malwarebytes scan and the log is posted below. As I understand it, MWB found a couple of bad Registry entries, but no infected files. Should I now submit the file as a potential false positive? If so, is the Windows 'Compressed folder' sufficient or will I need to activate Winzip?

Regards,
Ken


Malwarebytes' Anti-Malware 1.44
Database version: 3796
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

26/02/2010 21:58:19
mbam-log-2010-02-26 (21-58-19).txt

Scan type: Quick Scan
Objects scanned: 116777
Time elapsed: 4 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

hpguru

  • Guest
Re: W32:Malware-gen showing on scan - maybe Murlo downloader
« Reply #10 on: February 26, 2010, 11:22:51 PM »
Maybe. You make avast better if you send the lab a virus that avast does not detect properly.

To zip it you may try the free IZarc. http://www.izarc.org/

ken_turbine

  • Guest
Re: W32:Malware-gen showing on scan - maybe Murlo downloader
« Reply #11 on: February 26, 2010, 11:41:55 PM »
I have attempted to send the file in a zip as recommended, but have had trouble getting the file to zip up.

Ken turbine

hpguru

  • Guest
Re: W32:Malware-gen showing on scan - maybe Murlo downloader
« Reply #12 on: February 27, 2010, 04:51:28 PM »
Try the free IZarc?

ken_turbine

  • Guest
Re: W32:Malware-gen showing on scan - maybe Murlo downloader
« Reply #13 on: February 27, 2010, 05:09:22 PM »
Having monitor problems so will keep this quick.
New signatures scan clear for MBAM and avast.
Many thanks to everyone who helped.

ken_turbine

  • Guest
Re: W32:Malware-gen showing on scan - maybe Murlo downloader
« Reply #14 on: February 27, 2010, 06:56:27 PM »
hpguru,
Used IZarc with good results.

Have still got monitor problems so will quit now.

thanks Ken