Author Topic: Samples missed by avast (VirusTotal links only!)  (Read 414152 times)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Samples missed by avast (VirusTotal links only!)
« Reply #722 on: May 17, 2012, 03:57:40 PM »
Hi true indian,

Could well be that bmp.exe is picked up by avast and flagged as a PUP risktool. For safe variants of that media player tool see: htxp://www.backgroundtask.eu/Systeemtaken/taakinfo/30932/BMP.exe/
htxp://www.runscanner.net/lib/bmp.exe.html and
where this Chinese active malcode is being flagged as TR/FlyStudio.AI.1129, see: htxp://zulu.zscaler.com/submission/show/002b26f390d7be7416d1574ab05c8298-1337262299
avast does not detect it yet (possibly as PUP when run): hxtp://vscan.urlvoid.com/analysis/0cb2f654fd22256efa7ae84f2b8c9625/Ym1wLWV4ZQ==/
See Comodo analysis here: htxp://camas.comodo.com/cgi-bin/submit?file=84c90377421a63cfe767c17d7079877b7dab0f4c63d6b0d9f87ddb48e7a50360
Another variant of the mentioned TR/FlyStudio.AI.1129 trojan-dropper is: File Name: shengguangtupian.ex-
MD5: 0cb2f654fd22256efa7ae84f2b8c9625
974890   AntiVir   2009/06/12 11:17:27 (CEST)
Meaning that bmp.exe is a 2009 variant trojan dropper that was resurrected and re-launched 2 days ago, so old wine in new sacks really.
Reported the above to virus AT avast dot com for verification.

polonus
« Last Edit: May 17, 2012, 04:01:59 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Samples missed by avast (VirusTotal links only!)
« Reply #723 on: May 17, 2012, 04:22:09 PM »
Not detected by avast: htxps://www.virustotal.com/file/528e5fe23f9208f9f3726fdcd794517d3df3eaaef4b055ef88017eb9bc9fadc2/analysis/
see: htxp://zulu.zscaler.com/submission/show/bad6c4bbfdb76b8cc8abeaf333ae3014-1337263557

A block should be considered because there are 18 reports of various MSIL/Solimba applications or Gen:Variant.Barys.2069 active from that domain &
bad host for 1 yr and 7 months on 896 appearances in spam e-mail or spam post URLs.

polonus

true indian

  • Guest
Re: Samples missed by avast (VirusTotal links only!)
« Reply #724 on: May 17, 2012, 06:05:26 PM »
Hi true indian,

Could well be that bmp.exe is picked up by avast and flagged as a PUP risktool. For safe variants of that media player tool see: htxp://www.backgroundtask.eu/Systeemtaken/taakinfo/30932/BMP.exe/
htxp://www.runscanner.net/lib/bmp.exe.html and
where this Chinese active malcode is being flagged as TR/FlyStudio.AI.1129, see: htxp://zulu.zscaler.com/submission/show/002b26f390d7be7416d1574ab05c8298-1337262299
avast does not detect it yet (possibly as PUP when run): hxtp://vscan.urlvoid.com/analysis/0cb2f654fd22256efa7ae84f2b8c9625/Ym1wLWV4ZQ==/
See Comodo analysis here: htxp://camas.comodo.com/cgi-bin/submit?file=84c90377421a63cfe767c17d7079877b7dab0f4c63d6b0d9f87ddb48e7a50360
Another variant of the mentioned TR/FlyStudio.AI.1129 trojan-dropper is: File Name: shengguangtupian.ex-
MD5: 0cb2f654fd22256efa7ae84f2b8c9625
974890   AntiVir   2009/06/12 11:17:27 (CEST)
Meaning that bmp.exe is a 2009 variant trojan dropper that was resurrected and re-launched 2 days ago, so old wine in new sacks really.
Reported the above to virus AT avast dot com for verification.

polonus

Thanks polonus, you are a quick person and a good teacher!  ;)

true indian

  • Guest
« Last Edit: May 17, 2012, 07:11:35 PM by true indian »

true indian

  • Guest
« Last Edit: May 17, 2012, 07:04:11 PM by true indian »

true indian

  • Guest
Re: Samples missed by avast (VirusTotal links only!)
« Reply #729 on: May 17, 2012, 06:59:05 PM »
Rootkit Sinowal/Mebroot

As a side note, I can confirm these are real rootkit samples... found them on many of my clients' machines during remote assistance online... they are fresh ones spreading here in India.... Anybody who wants samples please PM me  ;D

true indian

  • Guest
Re: Samples missed by avast (VirusTotal links only!)
« Reply #730 on: May 17, 2012, 07:13:13 PM »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37504
  • Not a avast user
Re: Samples missed by avast (VirusTotal links only!)
« Reply #731 on: May 17, 2012, 07:32:05 PM »
Ransom Kuluoz

https://www.virustotal.com/file/361e0b4554ca3748f3400138dded289532f7aa53fd1c2b2fd2e921df531cdf21/analysis/1337270928/

remains undetected....

http://zulu.zscaler.com/submission/show/fa1f2b17cb31d1b0bb10da8ead1058e1-1337270982

reported to avast!  ;)

First seen by VirusTotal
 2010-06-25 09:46:39 UTC ( 1 year, 10 months ago )     yea..... must be malware   ;)

Sigcheck
publisher................: MBTY
product..................: RansomHide
internal name............: ransomhide
file version.............: 0.06.0024
original name............: ransomhide.exe
comments.................: For http://forum.simplix.ks.ua
« Last Edit: May 18, 2012, 08:21:19 AM by Pondus »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37504
  • Not a avast user
« Last Edit: May 17, 2012, 07:49:54 PM by Pondus »


Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: Samples missed by avast (VirusTotal links only!)
« Reply #734 on: May 17, 2012, 10:53:55 PM »
Rogue Super scan 4

https://www.virustotal.com/file/dc01f0835207ad7264284e20b0c02048f8705c813c2c8d7071ed2f653d0209aa/analysis/

Should be flagged as PUP, if flagged at all.

See: hXtp://www.mcafee.com/us/downloads/free-tools/superscan.aspx
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."