Author Topic: Avast Doesn't Detect "Application Pack" Virus / Malware  (Read 4911 times)


shinkaide

Avast Doesn't Detect "Application Pack" Virus / Malware
« on: February 21, 2011, 12:55:47 PM »
Hi guys,

Today I received a suspicious email regarding an "application" for a job, with a link to a file hosting service to download the "application pack". It immediately raised red flags for me, but I downloaded it anyway with the intention to check it out.

For the record, I'm running the Avast! antivirus for Linux and a Pro version on my Dad's Business Laptop. Also, ClamTK on linux. All of them scanned the files as clean.

The file was zipped and contained two insidious little .exe files named ApplicationForm.exe and JobDescription.exe respectively. The thing about these files was that they had the icons of MSWord files. You could see plainly when you use Nautilus to view the files that they weren't on the level. On Windows, however, there is nothing that'd give a non-techie user any reason to think twice before running these files.

In fact, a few minutes after I blogged about this very thing, my mom called me up all the way from London (I'm in the Philippines) sobbing and telling me how her online financial accounts had been compromised. She described everything to me, from the email, the files, and the sender, and it matched all of it. (We are now working to recover her accounts).

I had installed Avast on her computer some years back and taught her how to update it consistently and run system scans, BTW.

So I'm kind of disappointed. I've been a loyal Avast user for several years, I've turned my dad and an aunt into paying users and intended to recommend a business associate I consult for to use the Business edition, but this event has given me pause.

Help, please?

Pondus
Re: Avast Doesn't Detect "Application Pack" Virus / Malware
« Reply #1 on: February 21, 2011, 01:06:56 PM »
Fact of life: no security program has 100% detection. About 50,000 new malware samples are found every day, so detecting it all is mission impossible.

Send the file(s) to   virus @ avast . com    in a password protected zip.file
password: infected
subject: undetected sample


Also upload the file(s) to www.virustotal.com and test with 43 malware scanners.
When you have the result, copy the URL in the address bar and post it here for us to see.


Also check your messages: see top right corner "MY MESSAGES".



shinkaide

Re: Avast Doesn't Detect "Application Pack" Virus / Malware
« Reply #2 on: February 21, 2011, 04:20:27 PM »
I've sent the file using the above instructions to Avast.

As for the two URLs from Virustotal.com, here they are:

1) For ApplicationForm.exe
2) For JobDescription.exe

Nothing detected for (1), and only Sophos got a hit for (2) out of all of 'em.


polonus
Re: Avast Doesn't Detect "Application Pack" Virus / Malware
« Reply #3 on: February 21, 2011, 04:43:14 PM »
Not much we can say,

0 detections, similarity between the executables:
Same imports: [[ 1 import(s) ]]
mscoree.dll: _CorExeMain (You must have had the .NET Framework installed for this ...

You could have more versions of the .NET Framework; to establish which, look at the subkeys under this registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\policy)

But it could be a bot/trojan infection, and my best guess is http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm:Win32/Prolaco.gen!B
aka Win32/Fruspam worm

http://community.ca.com/blogs/securityadvisor/archive/tags/Worm_3A00_Win32_2F00_Prolaco.gen_2100_B/default.aspx
Quote
There is a new Win32/Fruspam worm variant on the loose, and judging from a couple of the subject lines, Fruspam thinks you need a new job

The second infection is Mal/MSIL-A
Mal/MSIL-A Manual Removal Instructions
Backup Reminder: Always be sure to back up your PC before making any changes.

Step 1 : Use Windows Task Manager to Remove Mal/MSIL-A Processes

Remove the "Mal/MSIL-A" processes files:
%AppData%\recyclerr\recyclerr.exe
Step 2 : Use Registry Editor to Remove Mal/MSIL-A Registry Values

Locate and delete "Mal/MSIL-A" registry entries:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
Step 3 : Detect and Delete Other Mal/MSIL-A Files

Remove the "Mal/MSIL-A" processes files:
%AppData%\recyclerr\recyclerr.exe

Step 4
Delete the IE temp files; some Mal/MSIL-A temp files may exist there.

This is if you know how to do this, but better is to wait for essexboy here,
he might suggest a malware cleansing routine, probably MBAM etc. will do the job,
so wait for his instructions,

polonus


Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
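The similarity note above (the only import shared by the two executables is mscoree.dll!_CorExeMain, i.e. both are .NET binaries) is something you can check yourself from the PE headers without running the file, and it matters for triage because a managed binary can be decompiled back to readable C# for analysis. The following is an added example, not code from this thread, from Avast or from any vendor quoted here: it parses the DOS/COFF/optional headers, walks the import table for DLL names, and also checks data directory 14 (the CLR runtime header), which every managed assembly carries. Because the real ApplicationForm.exe and JobDescription.exe are not on the page, `build_sample_pe()` constructs a synthetic, non-executable PE32 image purely so the script runs offline; it is a stand-in, not the malware.

```python
"""Header-only triage of a Windows PE: is it a .NET (CLR) binary?

Two independent signals are readable from the headers without running the file:
  1. Data directory 14 (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR) is non-empty; this
     is the CLR runtime header that every managed assembly carries.
  2. The import table names mscoree.dll, the stub that hands control to the
     runtime via _CorExeMain, which is the shared import noted in the thread.
"""
import struct
import sys

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DIR_IMPORT, DIR_CLR = 1, 14


def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def triage_pe(data):
    """Return {'machine', 'pe32plus', 'imports', 'clr_header', 'dotnet'} or raise ValueError."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        dd_off = opt + 96          # data directories follow the 96-byte PE32 optional header
    elif magic == PE32PLUS_MAGIC:
        dd_off = opt + 112         # ... or the 112-byte PE32+ optional header
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs = struct.unpack_from("<I", data, dd_off - 4)[0]   # NumberOfRvaAndSizes
    dirs = [struct.unpack_from("<II", data, dd_off + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsections):
        s = opt + opt_size + 40 * i
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, s + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))

    imports = []
    if len(dirs) > DIR_IMPORT and dirs[DIR_IMPORT][0]:
        off = _rva_to_offset(dirs[DIR_IMPORT][0], sections)
        while True:
            desc = struct.unpack_from("<IIIII", data, off)   # IMAGE_IMPORT_DESCRIPTOR
            if not any(desc):                                # all-zero entry ends the table
                break
            imports.append(_cstring(data, _rva_to_offset(desc[3], sections)).lower())
            off += 20
    clr = len(dirs) > DIR_CLR and dirs[DIR_CLR][0] != 0
    return {"machine": machine, "pe32plus": magic == PE32PLUS_MAGIC,
            "imports": imports, "clr_header": clr,
            "dotnet": clr or "mscoree.dll" in imports}


def build_sample_pe(managed):
    """Constructed stand-in for a sample: a tiny PE32 image, NOT a real binary.
    One section at RVA 0x1000 / file offset 0x200 holds an import table naming
    mscoree.dll (managed) or kernel32.dll (native); the managed variant also
    gets a non-empty CLR data directory. Nothing here is executable code."""
    sec_rva, sec_ptr = 0x1000, 0x200
    descs = struct.pack("<IIIII", 0, 0, 0, sec_rva + 40, 0) + b"\0" * 20  # one entry + terminator
    body = descs + (b"mscoree.dll\0" if managed else b"kernel32.dll\0")
    body += b"\0" * (0x200 - len(body))
    dirs = [(0, 0)] * 16
    dirs[DIR_IMPORT] = (sec_rva, len(descs))
    if managed:
        dirs[DIR_CLR] = (sec_rva + 0x100, 72)   # where a CLR header would sit
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                     # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)         # i386, 1 section
    opt = struct.pack("<HBBIIIIII", PE32_MAGIC, 0, 0, 0, 0, 0, 0, 0, 0)   # 28 standard fields
    opt += b"\0" * 64 + struct.pack("<I", 16)                             # 68 Windows fields
    opt += b"".join(struct.pack("<II", *d) for d in dirs)                 # 16 data directories
    sect = b".text\0\0\0" + struct.pack("<IIII", 0x200, sec_rva, 0x200, sec_ptr) + b"\0" * 16
    hdr = dos + b"PE\0\0" + coff + opt + sect
    return hdr + b"\0" * (sec_ptr - len(hdr)) + body


if __name__ == "__main__":
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            with open(path, "rb") as f:
                print(path, triage_pe(f.read()))
    else:
        for managed in (True, False):
            print("synthetic managed=%s ->" % managed, triage_pe(build_sample_pe(managed)))
```

Run it as `python3 petriage.py ApplicationForm.exe JobDescription.exe` on a machine where the samples are safely stored (it only reads bytes); with no arguments it triages the two synthetic images. A `dotnet: True` result is the cue to open the file in a .NET decompiler rather than a native disassembler. Note that a packer or a bare shellcode loader can hide the managed payload behind a native stub, so a `False` here rules nothing out.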

shinkaide

Re: Avast Doesn't Detect "Application Pack" Virus / Malware
« Reply #4 on: February 21, 2011, 04:51:57 PM »
Unfortunately, I've run MBAM on the files, and it marked them as clean as well.  :-\

Pondus
Re: Avast Doesn't Detect "Application Pack" Virus / Malware
« Reply #5 on: February 21, 2011, 04:55:40 PM »
Quote
Unfortunately, I've run MBAM on the files, and it marked them as clean as well.  :-\

You did update Malwarebytes before you ran it? Many forget to do that.


OK, just tested with Malwarebytes and both files are not detected.




Pondus
Re: Avast Doesn't Detect "Application Pack" Virus / Malware
« Reply #6 on: February 21, 2011, 06:06:43 PM »
Malwarebytes analysis says both files are spyware,
so I guess they will soon be detected by MBAM.

essexboy
Re: Avast Doesn't Detect "Application Pack" Virus / Malware
« Reply #7 on: February 21, 2011, 08:28:06 PM »
If you wish I can look at the windows systems

Pondus
Re: Avast Doesn't Detect "Application Pack" Virus / Malware
« Reply #8 on: February 22, 2011, 12:15:08 AM »
Files are now detected by Malwarebytes and can be removed with it

jobdescription.exe - Spyware.Password
applicationform.exe - Spyware.Password

shinkaide

Re: Avast Doesn't Detect "Application Pack" Virus / Malware
« Reply #9 on: February 22, 2011, 02:20:47 AM »
Quote
Files are now detected by Malwarebytes and can be removed with it

jobdescription.exe - Spyware.Password
applicationform.exe - Spyware.Password

Indeed it has been! I've gotten the most recent updates for MBAM, and they've done quite the job on these little buggers. Now the only thing I have to facilitate is for someone to help me mum out on the other side of the world and clean out that infected computer of hers using MBAM.

Thanks a lot, everyone!  :)

Pondus
Re: Avast Doesn't Detect "Application Pack" Virus / Malware
« Reply #10 on: February 22, 2011, 07:33:01 AM »
Avira analysis

26055186    ApplicationForm.exe    603.5 KB    MALWARE
26055187    JobDescription.exe    137.5 KB    MALWARE



Quote
The file 'ApplicationForm.exe' has been determined to be 'MALWARE'. Our analysts named the threat TR/Spy.Remopid.B. The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system. Detection will be added to our virus definition file (VDF) with one of the next updates.


Quote
The file 'JobDescription.exe' has been determined to be 'MALWARE'. Our analysts named the threat TR/Spy.Remopid.A. The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system. Detection will be added to our virus definition file (VDF) with one of the next updates.



Pondus
Re: Avast Doesn't Detect "Application Pack" Virus / Malware
« Reply #11 on: February 22, 2011, 10:13:30 AM »
Norman analysis

Quote
Your assumption that these files are malicious is right.
The files are .NET compiled, used for hooking, i.e. capturing keystrokes and stealing bank information.
The working of these two files is attached in screenshots.

ApplicationForm.exe : Processed - MSIL/Injector.O
JobDescription.exe : Processed - MSIL/Agent.AB