Author Topic: Samples missed by avast (VirusTotal links only!)  (Read 413646 times)

0 Members and 2 Guests are viewing this topic.


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33885
  • malware fighter
Re: Samples missed by avast (VirusTotal links only!)
« Reply #541 on: December 19, 2011, 04:00:48 PM »
mdl_trojan Winlock/FakePoliceAlert to unknown_exe miised by avast see:
http://www.virustotal.com/file-scan/report.html?id=e874026aeae1c7182d8155dc2ca76887e1b31bd882f3626a56b7a0d3a9dc4531-1324293612
see: -http://urlquery.net/report.php?id=12533
WOT would stop you to go there any way because of very bad web rep:
http://www.webutation.net/go/review/git7868777777777.nl.ai

pol
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33885
  • malware fighter
Re: Samples missed by avast (VirusTotal links only!)
« Reply #543 on: December 19, 2011, 04:31:13 PM »
Hi razoreqx,

Good find. PM-ed you about whyI think it is definitely trojan malcode i.m.o. Thanks for adding to avast detection,

pol
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

razoreqx

  • Guest
Re: Samples missed by avast (VirusTotal links only!)
« Reply #544 on: December 19, 2011, 04:33:49 PM »
Hi razoreqx,

Good find. PM-ed you about whyI think it is definitely trojan malcode i.m.o. Thanks for adding to avast detection,

pol

No thanks to you my friend!   You're an amazing researcher (and a good teacher)!


razoreqx

  • Guest
Re: Samples missed by avast (VirusTotal links only!)
« Reply #546 on: December 19, 2011, 05:30:40 PM »
http://www.virustotal.com/file-scan/report.html?id=9c6008d77f2486a143405d295cb57729d8c8759bf4515aaa2f6b6fea149ce3f5-1324311747

http://virusscan.jotti.org/en/scanresult/36084b8cef9c33f286ed25e79a2d422978ed6c61


FakeAV.HDD


Server DNS Name: manateigolkey.com   Service Port: 80
Direction Command User-Agent Host Connection Pragma
GET /up.php?0Q9oBPXEN0uECUgzEJ95RQsagj3vq1aG3F/2q5oNqwOd0A== HTTP/1.1 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727) manateigolkey.com   
Others Cache-Control: no-cache 
 
 
Server DNS Name: thelangleuber.com   Service Port: 80
Direction Command User-Agent Host Connection Pragma
GET /up.php?0Q9oBPXEN0uECUgzEJ95RQsagj3vq1aG3F/2q5oNqwOd0A== HTTP/1.1 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727) thelangleuber.com   
Others Cache-Control: no-cache 
 
 
Server DNS Name: sixboysowners.com   Service Port: 80
Direction Command User-Agent Host Connection Pragma
GET /up.php?0Q9oBPXEN0uECUgzEJ95RQsagj3vq1aG3F/2q5oNqwOd0A== HTTP/1.1 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727) sixboysowners.com   
Others Cache-Control: no-cache 
 
 
Server DNS Name: lotughtdenve.com   Service Port: 80
Direction Command User-Agent Host Connection Pragma
GET /up.php?0Q9oBPXEN0uECUgzEJ95RQsagj3vq1aG3F/2q5oNqwOd0A== HTTP/1.1 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727) lotughtdenve.com   
Others Cache-Control: no-cache 
 
 
Server DNS Name: gelongotbalebs.com   Service Port: 80
Direction Command User-Agent Host Connection Pragma
GET /?ylOdR9GQqXquMlTvsmXlkaz1x3EX+A== HTTP/1.1 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727) gelongotbalebs.com   
Others Cache-Control: no-cache 
 
 
Server DNS Name: shatretodangun.com   Service Port: 80
Direction Command User-Agent Host Connection Pragma
GET /up.php?0Q9oBPXEN0uECUgzEJ95RQsagj3vq1aG3F/2q5oNqwOd0A== HTTP/1.1 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727) shatretodangun.com   
Others Cache-Control: no-cache 
 
 
Server DNS Name: cozumesubar.com   Service Port: 80
Direction Command User-Agent Host Connection Pragma
GET /up.php?0Q9oBPXEN0uECUgzEJ95RQsagj3vq1aG3F/2q5oNqwOd0A== HTTP/1.1 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727) cozumesubar.com   
Others Cache-Control: no-cache 
 
 
Server DNS Name: rubesolanolex.com   Service Port: 80
Direction Command User-Agent Host Connection Pragma
GET /up.php?0Q9oBPXEN0uECUgzEJ95RQsagj3vq1aG3F/2q5oNqwOd0A== HTTP/1.1 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727) rubesolanolex.com   
Others Cache-Control: no-cache 
 
 
Server DNS Name: zownerubpres.com   Service Port: 80
Direction Command User-Agent Host Connection Pragma
GET /?ylOdR9GQqXquMlTvsmXlkaz1x3EX+A== HTTP/1.1 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727) zownerubpres.com   
Others Cache-Control: no-cache 
 
 
Server DNS Name: nuberolubenyc.com   Service Port: 80
Direction Command User-Agent Host Connection Pragma
GET /?ylOdR9GQqXquMlTvsmXlkaz1x3EX+A== HTTP/1.1 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727) nuberolubenyc.com   
Others Cache-Control: no-cache 
 
 
« Last Edit: December 19, 2011, 05:47:11 PM by razoreqx »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33885
  • malware fighter
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!


Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37491
  • Not a avast user
Re: Samples missed by avast (VirusTotal links only!)
« Reply #549 on: December 20, 2011, 04:03:54 PM »
@razoreqx

That looks like a CNET download installer.....FP ?.....or does it comes with AdWare



sigcheck:
publisher....: CNET Download.com
copyright....: CBS Interactive
product......: CNET Download.com Installer
description..: CNET Download.com Install
original name: n/a
internal name: CNET Download.com Installer
file version.: v2.0.2.108
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
« Last Edit: December 20, 2011, 04:13:53 PM by Pondus »

razoreqx

  • Guest
Re: Samples missed by avast (VirusTotal links only!)
« Reply #550 on: December 20, 2011, 04:08:49 PM »
@razoreqx

That looks like a CNET download installer.....FP ?



sigcheck:
publisher....: CNET Download.com
copyright....: CBS Interactive
product......: CNET Download.com Installer
description..: CNET Download.com Install
original name: n/a
internal name: CNET Download.com Installer
file version.: v2.0.2.108
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned


Got the ThreatExpert report back on that too.   Remind me never to download anything from cNET!!
Im not sure I would call this FP.  Did you see the remote host calls?   


Code: [Select]
00000000 | 3041 3043 7A75 7443 3051 7443 3046 7442 | 0A0CzutC0QtC0FtB
00000010 | 3057 7443 3047 7443 3049 7443 3046 7443 | 0WtC0GtC0ItC0FtC
00000020 | 3054 7443 3051 325A 3046 7443 3052 7443 | 0TtC0Q2Z0FtC0RtC
00000030 | 3046 7443 3048 744E 3050 3143 3049 3044 | 0FtC0HtN0P1C0I0D
00000040 | 7A75 3151 3147 3149 3151 7446 3152 3146 | zu1Q1G1I1QtF1R1F
00000050 | 3148 744E 3055 3049 3044 7A75 7444 7444 | 1HtN0U0I0DzutDtD
00000060 | 7444 3043 7442 7A79 3043 3042 7443 7A7A | tD0CtBzy0C0BtCzz
00000070 | 7942 7443 3044 7443 3041 7945 7444 744E | yBtC0DtC0AyEtDtN
00000080 | 3057 3056 7A75 7944 7446 7443 744E 3057 | 0W0VzuyDtFtCtN0W
00000090 | 3053 3050 7A75 7442 744E 3050 3143 3053 | 0S0PzutBtN0P1C0S
000000A0 | 3259 3153 7A75 744A 3156 3057 3150 3043 | 2Y1SzutJ1V0W1P0C
000000B0 | 3154 3143 3150 744E 3052 3053 7A75 7449 | 1T1C1PtN0R0SzutI
000000C0 | 744E 3054 304B 7A75 7944 7442 7943 7943 | tN0T0KzuyDtByCyC
000000D0 | 7A7A 744E 3057 3150 3043 3154 3143 3150 | zztN0W1P0C1T1C1P
000000E0 | 3053 3150 3142 3142 314C 3146 3147 7A75 | 0S1P1B1B1L1F1Gzu
000000F0 | 7443 7A79 7942 7942 3154 7944 3151 3152 | tCzyyByB1TyD1Q1R
00000100 | 7447 7A7A 7A79 7443 7944 7447 3154 3150 | tGzzzytCyDtG1T1P
00000110 | 7944 3150 7447 7943 7942 3151 7944 7447 | yD1PtGyCyB1QyDtG
00000120 | 3152 7443 314F 7945 3151 3151 7441 3152 | 1RtC1OyE1Q1QtA1R
00000130 | 7444 3153 7942 7442 744E 3049 3052 3056 | tD1SyBtBtN0I0R0V
00000140 | 3045 3052 7A75 7944 7446 7442 7442 744E | 0E0RzuyDtFtBtBtN
00000150 | 3042 3052 3057 7A75 3049 3045 3058 3050 | 0B0R0Wzu0I0E0X0P
00000160 | 304C 304F 3052 3045 7446 3045 3058 3045 | 0L0O0R0EtF0E0X0E
00000170 | 744E 3048 3154 3142 304C 304D 7A75 7443 | tN0H1T1B0L0MzutC
00000180 | 744E 3052 304E 3154 3148 3150 7A75 3152 | tN0R0N1T1H1Pzu1R
00000190 | 744F 7441 3041 744F 7944 3043 3257 314C | tOtA0AtOyD0C2W1L
000001A0 | 3147 3151 3146 3257 3142 744F 7944 3043 | 1G1Q1F2W1BtOyD0C
000001B0 | 3142 3255 3142 325A 3150 3148 7441 7442 | 1B2U1B2Z1P1HtAtB
000001C0 | 744F 7944 3043 3142 3154 3148 3145 3149 | tOyD0C1B1T1H1E1I
000001D0 | 3150 3156 7443 7446 3150 3256 3150 744E | 1P1VtCtF1P2V1PtN
000001E0 | 304C 3154 3147 314E 7A75 3045 3147 314E | 0L1T1G1Nzu0E1G1N
000001F0 | 3149 314C 3142 314D 744E 3049 3045 3056 | 1I1L1B1MtN0I0E0V
00000200 | 3150 3143 7A75 7943 7446 7444 7446 7442 | 1P1CzuyCtFtDtFtB
00000210 | 7A79 7444 7444 7446 7442 7443 7A7A 7444 | zytDtDtFtBtCzztD
00000220 | 744E 304A 3053 7A75 7443 744E 3142 325A | tN0J0SzutCtN1B2Z
00000230 | 3154 3143 325A 3150 3151 7A75 7443 744E | 1T1C2Z1P1QzutCtN
00000240 | 3142 325A 3154 3148 3145 7A75 7443 7444 | 1B2Z1T1H1EzutCtD
00000250 | 7443 7443 7441 7945 7444 7443 744E 304C | tCtCtAyEtDtCtN0L
00000260 | 304D 3156 3053 3045 3043 7A75 7442 744E | 0M1V0S0E0CzutBtN
00000270 | 3154 3145 314C 304C 3146 3154 3151 3054 | 1T1E1L0L1F1T1Q0T
00000280 | 314C 3148 3150 7A75 7945 7943 7A7A 744E | 1L1H1PzuyEyCzztN
00000290 | 3154 3145 314C 3050 3143 3146 3151 3044 | 1T1E1L0P1C1F1Q0D
000002A0 | 3154 325A 3150 7A75 7442 7444 7444 7945 | 1T2Z1PzutBtDtDyE
000002B0 | 7447 7444 7441 7447 7443 7444 744E 3154 | tGtDtAtGtCtDtN1T
000002C0 | 3145 314C 3050 3143 3146 3151 3053 314C | 1E1L0P1C1F1Q0S1L
000002D0 | 3254 3150 7A75 7945 7942 7442 7A79 7444 | 2T1PzuyEyBtBzytD
000002E0 | 7942 7A7A 744E 3145 3154 314E 3150 3048 | yBzztN1E1T1N1P0H
000002F0 | 314C 3142 325A 3146 3143 3255 7A75 3149 | 1L1B2Z1F1C2Uzu1I
00000300 | 3146 3154 3151 314C 3147 314E 3050 3154 | 1F1T1Q1L1G1N0P1T
00000310 | 314E 3150 7448 7942 7443 7A79 744F 7441 | 1N1PtHyBtCzytOtA
00000320 | 3042 3257 3150 3149 3152 3146 3148 3150 | 0B2W1P1I1R1F1H1P
00000330 | 3050 3154 314E 3150 7448 7442 7A79 7942 | 0P1T1N1PtHtBzyyB
00000340 | 744F 7441 3042 3146 314F 314F 3150 3143 | tOtA0B1F1O1O1P1C
00000350 | 3050 3154 314E 3150 7448 7443 7441 7944 | 0P1T1N1PtHtCtAyD
00000360 | 7A79                                    | zy

This went over port 80.  Looks like a CERT? 
« Last Edit: December 20, 2011, 04:18:10 PM by razoreqx »

MD Rockstar

  • Guest
Re: Samples missed by avast (VirusTotal links only!)
« Reply #551 on: December 20, 2011, 10:38:15 PM »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37491
  • Not a avast user
Re: Samples missed by avast (VirusTotal links only!)
« Reply #552 on: December 20, 2011, 10:45:44 PM »
http://www.virustotal.com/file-scan/report.html?id=c0ed59b993c085a9ed81dd955ac3a8d8f83992a68f8ff731330812f7bea9c4d3-1324307337


Do i need to send the file to avast.com or virus total link is ok ?
send it in a password protected zip file to  virus @ avast.com
mail subject:  undetected sample
zip password:  infected

it is recommended to use a zip program that also encrypt the file, this will prevent it form being blocked
winrar or 7zip will do this...

« Last Edit: December 20, 2011, 10:49:35 PM by Pondus »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33885
  • malware fighter
Re: Samples missed by avast (VirusTotal links only!)
« Reply #553 on: December 21, 2011, 02:00:08 AM »
Pondus,

You can also find it here: http://forums.malwarebytes.org/index.php?showtopic=102430
contributor = osso  Just searched for the MD5 hash, easy peasy,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33885
  • malware fighter
Re: Samples missed by avast (VirusTotal links only!)
« Reply #554 on: December 21, 2011, 02:24:42 AM »
Not detected unknown_file_Delivery.Pdf: http://www.virustotal.com/url-scan/report.html?id=2760a374f86eae024e9093bece8fbff9-1324426373
see: http://www.virustotal.com/file-scan/report.html?id=a507423dafb1b47af556093f48f21ded75801a0b78d1d422074a802b13079d85-1324430098
Detected by DrWeb URL scanner:
Checking: -http://academiamates.com/Delivery.zip?PuremobileIncID97089437
Engine version: 5.0.2.3300
Total virus-finding records: 2953092
File size: 47.07 KB
File MD5: 93e77bfff47d620ace7cce9c6a303fe0

-http://academiamates.com/Delivery.zip?PuremobileIncID97089437 - archive ZIP
>-http://academiamates.com/Delivery.zip?PuremobileIncID97089437/Delivery.Pdf____________________________________________________________________________________.exe infected with Trojan.Siggen3.31711

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!