Author Topic: flvdirect.exe

Offline logos

  • avast! Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 9456
  • Gender: Male
flvdirect.exe
« on: May 13, 2010, 10:56:45 AM »
My wife downloaded that, not sure how; it came from a mail I think, she probably clicked on an attachment randomly ::) I found it in a shared folder, knew I never put it there, and it disappeared from view as soon as I clicked on it (I know I shouldn't have clicked, I should have scanned it first ::) ). Okay, I then found it in Chest on her laptop, which explains how it disappeared as I said.
One question I have here is why it wasn't scanned and sent to Chest immediately when it was saved to disk in the first place. That's an executable, so why was it ignored until it got manually executed??? (not to mention that the web shield didn't stop it).

Just for info: the file was called flvdirect.exe
Info from Prevx:
http://www.prevx.com/filenames/X2669713580830956212-X1/FLVDIRECT.EXE.html

Quote
File Behavior

FLVDIRECT.EXE has been seen to perform the following behavior:

Writes to another Process's Virtual Memory (Process Hijacking)
This process creates other processes on disk
Executes a Process
Registers a Dynamic Link Library File
Creates new folders on the system
This Process Deletes Other Processes From Disk
Injects code into other processes
Found on infected systems and resists interrogation by security products

FLVDIRECT.EXE has been the subject of the following behavior:

Created as a process on disk
Executed as a Process
Has code inserted into its Virtual Memory space by other programs
Terminated as a Process

Edit: forgot to mention I submitted it to avast from the Chest interface.
More here:
https://www.virustotal.com/analisis/31d8d11054490283cc52970a02d197e37ac68bd1b910d5fec587c73349be3e3c-1273749497

Original site where the malware got downloaded (through using their services...):
hxxp://www.123greetingcard.com/
« Last Edit: May 13, 2010, 11:47:44 AM by Logos »
w7 - ais7

Offline Pondus

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 21683
  • Gender: Male
Re: flvdirect.exe
« Reply #1 on: May 13, 2010, 11:28:00 AM »
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline logos
Re: flvdirect.exe
« Reply #2 on: May 13, 2010, 11:34:44 AM »
http://forum.avast.com/index.php?topic=58861.0

Thanks ;) At least it was sent to Chest here, but just after clicking. I'd like to know what they mean by "resident shield" sometimes ::)

Offline logos
Re: flvdirect.exe
« Reply #3 on: May 13, 2010, 12:24:28 PM »
Bump:
1. I'd like to know why the web shield didn't intercept the file and abort the download connection.
2. I'd like to know why a malicious executable isn't sent to Chest (by the file shield) as soon as it's saved to disk.

Thank you :)

PS: for the fs behavior, maybe because it's already blocked from self-execution by Windows?
« Last Edit: May 13, 2010, 12:29:38 PM by Logos »

Offline logos
Re: flvdirect.exe
« Reply #4 on: May 13, 2010, 01:58:07 PM »
Bump:

What is the set of default extensions included when the file system shield scans on writing? Doesn't it include *.exe???

Offline Vlk

  • Global Moderator
  • Serious Graphoman
  • **
  • Posts: 11566
  • Gender: Male
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: flvdirect.exe
« Reply #5 on: May 13, 2010, 04:55:32 PM »
Didn't it start being detected by VPS 100513-1?
I.e. at the time the file was downloaded / saved to disk, it wasn't being detected yet...
If at first you don't succeed, then skydiving's not for you.
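Vlk's point is the timing gap: a write-time scan can only use the signature set that was current at download time. As an added illustration, not avast code and not from any post in this thread, here is a small hash inventory that records which signature version each written file was checked against and re-checks the stale ones after an update; the file contents, the hashes and the VPS labels are all constructed.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample "downloads" (name -> bytes); stand-ins, not the real files.
SAMPLE_FILES = {
    "flvdirect.exe": b"MZ\x90\x00 constructed sample A",
    "card.pdf": b"%PDF-1.4 constructed sample B",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class WriteInventory:
    """Tracks every file written into a watched folder together with the
    signature-set version it was checked against when it was written."""
    seen: dict = field(default_factory=dict)  # path -> (sha256, version checked)

    def on_write(self, path: str, data: bytes, sigs: set, version: str) -> bool:
        """Write-time check: returns True if the hash is already in `sigs`."""
        digest = sha256_hex(data)
        self.seen[path] = (digest, version)
        return digest in sigs

    def rescan_after_update(self, sigs: set, version: str) -> list:
        """After a signature update, re-check files last checked with an older
        version. Returns the paths that were clean before but match now."""
        hits = []
        for path, (digest, checked_with) in self.seen.items():
            if checked_with != version and digest in sigs:
                hits.append(path)
            self.seen[path] = (digest, version)  # now checked with this version
        return hits


def simulate() -> dict:
    """Reproduce the thread's timeline: a file written under an older signature
    set is missed at write time, then caught by a re-scan after the update."""
    vps_old = set()  # constructed "100513-0": the sample is not yet known
    vps_new = {sha256_hex(SAMPLE_FILES["flvdirect.exe"])}  # constructed "100513-1"
    inv = WriteInventory()
    at_write = {p: inv.on_write(p, d, vps_old, "100513-0")
                for p, d in SAMPLE_FILES.items()}
    after_update = inv.rescan_after_update(vps_new, "100513-1")
    again = inv.rescan_after_update(vps_new, "100513-1")  # nothing new second time
    return {"at_write": at_write, "after_update": after_update, "repeat": again}
```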

Offline logos
Re: flvdirect.exe
« Reply #6 on: May 13, 2010, 04:58:53 PM »
Quote
Didn't it start being detected by VPS 100513-1?
I.e. at the time the file was downloaded / saved to disk, it wasn't being detected yet...

No, it was only detected when I clicked on it (it's pure chance that I found it), and that was earlier today with 100513-0. And I'm sure it was downloaded today.

Offline logos
Re: flvdirect.exe
« Reply #7 on: May 13, 2010, 05:04:22 PM »
And the problem is that I have no way atm to simulate a new download of it (to compare with the new database behavior); if I restore it from Chest it will just be restored to a folder of my choice and that's it, until I either execute it or scan it.
I might do that later from the mail it came from (not my mailbox and not on my laptop)... after removing it from Chest there first to make sure there's no old detection referred to...

llariel

  • Guest
Re: flvdirect.exe
« Reply #8 on: May 13, 2010, 05:20:24 PM »
FLVdirect.exe is quite old adware; I found it a few months ago and sent it for analysis. Yet it is still not detected by avast?

Edit: OK, avast is detecting it.
« Last Edit: May 13, 2010, 05:26:50 PM by Llanziel »

Offline logos
Re: flvdirect.exe
« Reply #9 on: May 13, 2010, 05:22:55 PM »
Quote
FLVdirect.exe is quite old adware; I found it a few months ago and sent it for analysis. Yet it is still not detected by avast?

No no, it is detected by the file system shield, but only once you click on it, not when first saved to disk during the download (and of course the web shield doesn't detect it).

Offline polonus

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 20129
  • Gender: Male
  • malware fighter
Re: flvdirect.exe
« Reply #10 on: May 13, 2010, 06:02:25 PM »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline logos
Re: flvdirect.exe
« Reply #11 on: May 13, 2010, 06:05:02 PM »
Thanks ;)

Offline logos
Re: flvdirect.exe
« Reply #12 on: May 13, 2010, 06:25:39 PM »
Okay, solved ;D >>> two alerts when attempting to download it from the original web site hxxp://www.flvdirect.com/ (I thought it was bundled with another site with subscription, that's why I didn't try to find the file before).
1st alert from the web shield, but the file is still downloaded, and then blocked automatically by the file system shield. Wondering why the web shield doesn't block everything, but fine, that's better than the previous behavior. See screenshots.

PS: this was in Chrome, and the behavior in Firefox is a bit different >>> first a similar web shield alert, and a second alert from the file shield, very quickly, not enough time to click on save. Also, there's a Windows process involved when the detection is done from Firefox.
« Last Edit: May 13, 2010, 06:34:45 PM by Logos »

Offline logos
Re: flvdirect.exe
« Reply #13 on: May 13, 2010, 06:34:00 PM »
So one last question remains: why doesn't the web shield block the download too???

llariel
Re: flvdirect.exe
« Reply #14 on: May 14, 2010, 03:02:43 PM »
Quote
So one last question remains: why doesn't the web shield block the download too???

True, the Network Shield recently detected a malicious website, and I had access, without a block. I think it should be a bug in the current version, 5.0.545.
