YolrotX - Backdoor.Win32.Poison.apec not detected by Avast!

[Stran05]

YolrotX - Backdoor.Win32.Poison.apec is new malware writen in Visual Basic 6.0
This variant is not detected by Avast. Only 6 antivirus solutions detect this malware:


http://www.virustotal.com/analisis/ec89254ddb24b1c7f750d8c32d6e33d8f20959be410092401bbc28ee0bf19d07-1270075998

Size : 61493 Bytes
Extract itself to %windir%\System32 with 3 different names : update.exe, security.exe, avg.exe
it's also open the internet explorer and tends to surf golo.com website.
Seems it also uses the following library : Microsoft Base Cryptographic Provider v1.0
usename of the author is Basic, so we can name the author Basic .
Also trying to download the following files to system32 .

hxxp://www.oviedolocal3476.com/mail/bin/msm.exe
\system32\updates.exe

hxxp://www.oviedolocal3476.com/mail/bin/plugoff.exe
\system32\securitys.exe

hxxp://www.oviedolocal3476.com/mail/bin/regdllhelper.exe
\system32\drivess.exe

when start to executing, it's also drop a driver named "drive.sys" and "drive.sys.off" to system32\Drivers, had some rootkit behavior, while scanning with RKU it reports try to hide process update.exe .
Open a Handle to Cmd.exe .
seems, there's no hooking behavior available in this sample .
set itself as startup to the following key with 3 different entries:
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CurrentVersion\Run
\System32\avg.exe
\System32\update.exe
\System32\security.exe
easy to kill, just terminate update.exe , security.exe and globo.exe, so the malware become inactive .
vt result : Result: 6/42 (14.29%)


Can you please analyze this malware and add this to the detection list of Avast?

Source: offensivecomputing.net

[polonus]

Hi Stran05,

This site was also found to be infected through the linked site you gave:
http://safeweb.norton.com/report/show?url=casasolar2010brasil.com.br%2F&.x=5&.y=11

polonus

[DavidR]

Send the samples to avast as a Undetected Malware:
Open the chest and right click in the Chest and select Add, navigate to where you have the sample and add it to the chest (see image). Once in the chest, right click on the file and select 'Submit to virus lab...' complete the form and submit, the file will be uploaded during the next update.

[Pondus]

an updated VT scan look s a bit better, the one from the poster is from 31/3-2010 .....

VirusTotal - globo.exe - 39/41
http://www.virustotal.com/analisis/ec89254ddb24b1c7f750d8c32d6e33d8f20959be410092401bbc28ee0bf19d07-1273778570

[Stran05]

Yes, it is bieng detected by Avast for some time around. But it was not detected 2 months ago. The VT scans are old so, at that time only 5 scanners detected this variant. Now 39 of them are able to detect this globo.exe.

[DavidR]

Are you still running avast with the web shield disabled as in your other topic ?

Whilst the web shield wouldn't detect this by signature if it wasn't in the virus definitions, but the web shield has other tricks up its sleeves where it is detecting the exploits/hacked sites/etc. that aren't going by the standard signatures, so it may well be able to prevent this getting on your system without detecting it by signature.