Author Topic: YolrotX - Backdoor.Win32.Poison.apec not detected by Avast!  (Read 3012 times)


Offline Stran05

  • Jr. Member
  • **
  • Posts: 99
YolrotX - Backdoor.Win32.Poison.apec is new malware written in Visual Basic 6.0.
This variant is not detected by Avast. Only 6 antivirus solutions detect this malware:

http://www.virustotal.com/analisis/ec89254ddb24b1c7f750d8c32d6e33d8f20959be410092401bbc28ee0bf19d07-1270075998

Size: 61493 bytes
Extracts itself to %windir%\System32 under 3 different names: update.exe, security.exe, avg.exe
It also opens Internet Explorer and tends to surf to the golo.com website.
It seems to also use the following library: Microsoft Base Cryptographic Provider v1.0
The username of the author is Basic, so we can name the author Basic.
It also tries to download the following files to system32:

hxxp://www.oviedolocal3476.com/mail/bin/msm.exe
\system32\updates.exe

hxxp://www.oviedolocal3476.com/mail/bin/plugoff.exe
\system32\securitys.exe

hxxp://www.oviedolocal3476.com/mail/bin/regdllhelper.exe
\system32\drivess.exe

When it starts executing, it also drops drivers named "drive.sys" and "drive.sys.off" into system32\Drivers. It has some rootkit behavior: while scanning with RKU, it reports an attempt to hide the process update.exe.
Opens a handle to Cmd.exe.
It seems there is no hooking behavior in this sample.
Sets itself to start with the following key, with 3 different entries:
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CurrentVersion\Run
\System32\avg.exe
\System32\update.exe
\System32\security.exe
Easy to kill: just terminate update.exe, security.exe and globo.exe, and the malware becomes inactive.
VT result: Result: 6/42 (14.29%)


Can you please analyze this malware and add this to the detection list of Avast?

Source: offensivecomputing.net
Intel Core 2 Duo 2.93Mhz, 2GB RAM, Kaspersky Internet Security 2011.
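The post above lists a handful of host indicators: copies of the sample under fixed names in %windir%\System32, two driver files under System32\Drivers, and three Run-key entries pointing at the dropped copies. The following PowerShell script, which is an added example and not code from the post, from offensivecomputing.net or from Avast, checks a host for exactly those indicators and reports what it finds along with a SHA256 hash of each matching file. It assumes PowerShell 4 or later (for Get-FileHash) and an elevated prompt; the file names and registry path are the ones given in the post, and the match on Run-key data is a loose suffix match so that either a bare or a full path is caught.

```powershell
# Added example: check a Windows host for the file and Run-key indicators
# described in the post above. Assumes PowerShell 4+ and an elevated prompt.
$system32 = Join-Path $env:windir 'System32'
$drivers  = Join-Path $system32 'Drivers'
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Names taken from the post: dropped copies, download targets, dropped drivers.
$droppedNames  = 'update.exe', 'security.exe', 'avg.exe'
$downloadNames = 'updates.exe', 'securitys.exe', 'drivess.exe'
$driverNames   = 'drive.sys', 'drive.sys.off'

$findings = New-Object System.Collections.Generic.List[object]

function Add-FileFinding {
    param([string]$Path, [string]$Kind)
    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        # Hash the file so the result can be compared against VirusTotal.
        $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        $findings.Add([pscustomobject]@{ Type = $Kind; Location = $Path; Detail = "SHA256=$hash" })
    }
}

# 1. Dropped executables and download targets in System32.
foreach ($name in ($droppedNames + $downloadNames)) {
    Add-FileFinding -Path (Join-Path $system32 $name) -Kind 'File'
}

# 2. Driver files in System32\Drivers.
foreach ($name in $driverNames) {
    Add-FileFinding -Path (Join-Path $drivers $name) -Kind 'Driver'
}

# 3. Run-key values whose data ends in one of the dropped file names.
if (Test-Path -Path $runKey) {
    $run = Get-ItemProperty -Path $runKey
    foreach ($prop in $run.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/PSChildName/PSProvider metadata properties.
        if ($prop.Name -like 'PS*') { continue }
        $data = [string]$prop.Value
        foreach ($name in $droppedNames) {
            if ($data -like "*System32\$name*") {
                $findings.Add([pscustomobject]@{
                    Type = 'RunKey'; Location = "$runKey\$($prop.Name)"; Detail = $data
                })
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the post were found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit on a file name alone is weak evidence, since update.exe or security.exe are plausible names for legitimate software; the SHA256 in the Detail column is what should be compared against the VirusTotal report before any cleanup, and a Run-key entry pointing at a bare executable dropped directly into System32 is the stronger of the two signals.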

Online polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 30916
  • malware fighter
Re: YolrotX - Backdoor.Win32.Poison.apec not detected by Avast!
« Reply #1 on: May 13, 2010, 03:29:35 PM »
Hi Stran05,

This site was also found to be infected through the linked site you gave:
http://safeweb.norton.com/report/show?url=casasolar2010brasil.com.br%2F&.x=5&.y=11

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 80682
  • No support PMs thanks
Re: YolrotX - Backdoor.Win32.Poison.apec not detected by Avast!
« Reply #2 on: May 13, 2010, 04:48:06 PM »
Send the samples to avast as Undetected Malware:
Open the chest and right click in the Chest and select Add, navigate to where you have the sample and add it to the chest (see image). Once in the chest, right click on the file and select 'Submit to virus lab...' complete the form and submit, the file will be uploaded during the next update.

WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 18.8.2356/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ WinPatrol+/

Offline Pondus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 35111
Re: YolrotX - Backdoor.Win32.Poison.apec not detected by Avast!
« Reply #3 on: May 13, 2010, 09:27:29 PM »
An updated VT scan looks a bit better; the one from the poster is from 31/3-2010 ..... ;)

VirusTotal - globo.exe - 39/41
http://www.virustotal.com/analisis/ec89254ddb24b1c7f750d8c32d6e33d8f20959be410092401bbc28ee0bf19d07-1273778570
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline Stran05

  • Jr. Member
  • **
  • Posts: 99
Re: YolrotX - Backdoor.Win32.Poison.apec not detected by Avast!
« Reply #4 on: May 14, 2010, 10:45:09 AM »
Yes, it has been detected by Avast for some time now. But it was not detected 2 months ago. The VT scans are old, so at that time only 5 scanners detected this variant. Now 39 of them are able to detect this globo.exe.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 80682
  • No support PMs thanks
Re: YolrotX - Backdoor.Win32.Poison.apec not detected by Avast!
« Reply #5 on: May 14, 2010, 02:55:20 PM »
Are you still running avast with the web shield disabled, as in your other topic?

Whilst the web shield wouldn't detect this by signature if it wasn't in the virus definitions, the web shield has other tricks up its sleeve where it is detecting the exploits/hacked sites/etc. that aren't going by the standard signatures, so it may well be able to prevent this getting on your system without detecting it by signature.