avast does not detect this generic trojan downloader..[SOLVED]

[polonus]

Where does this malware reside: 2011-03-23 16:34:29   htxp://hostzmail.webcindario.com/blog.php/favicon.ico   0BED6881017BAB194A1062A8484345A4   89.x17.x220.x221   ES   TRCrypt.CFI.Gen also known as
HTTP Suspicious Executable Image Download
virustotal scan: http://www.virustotal.com/url-scan/report.html?id=02516337d8bab230aab030db570591ae-1300894951
virustotal filescan: http://www.virustotal.com/file-scan/report.html?id=310dbad56dc04f95757c7ae4aaec6d188f33c3e546f5041f2a22598586a35259-1300898797
found to be suspicious here: http://wepawet.iseclab.org/view.php?hash=02516337d8bab230aab030db570591ae&t=1300899041&type=js
accompanying Anubis report: http://anubis.iseclab.org/?action=result&task_id=18c500c505f8821b49d0c0af58bdc88ec
see attached screendump

polonus

[spg SCOTT]

Seems the ".ico" file downloads a .com file...not good. Would be nice to get this detected.

[polonus]

Hi spgSCOTT,

Yes, zlob also arrived that way (ico) in the past. Good thing to check on your files before you download submitting the download url for instance to virustotal, and then scan the file accordingly there, or scan the download URL here http://vscan.urlvoid.com/
Good next thing when slightly in doubt is to open up the download inside the avast sandbox, so watch your clicks,

polonus

[polonus]

Here is another one, not detected by avast from here: htxp://onj2me.info/register/dl/1457/FlashPlayer.jar
See: http://www.virustotal.com/file-scan/report.html?id=7a8c884e3942f0aceb02fad13934eb44e9d10eb7b1654fc20be4e229f72355b0-1300966118
Found to be benign here: http://wepawet.iseclab.org/view.php?hash=42e00e8d7d8082d5fdcd0324b7739be0&t=1300972394&type=js
Threats found thrice:

Trojan.Gen
Location:    htxp://onj2me.info/register/up2/460/maksim.jar
No longer found to reside there....No file was found at that url.... corrected still there, see following post from pondus

Location:    htxp://onj2me.info/low/wall/1334/PornoTetris.jar Avast finds as Java:Agent-CP, see:
http://www.virustotal.com/file-scan/report.html?id=8288553265cda966af6dcca1609a7a2ee3fbdd3c6699541178812ec63c0214eb-1300972767

Location:    htxp://onj2me.info/low/up2/1334/MakSim.jar  Here it is found up by avast as Other:Malware-gen
See: http://www.virustotal.com/file-scan/report.html?id=5961140382bbd7f56b39a8b11d56de7a04f31ac49daa27886aa14333c4d27f60-1300972625

polonus

[Pondus]

Trojan.Gen
Location:    htxp://onj2me.info/register/up2/460/maksim.jar
No longer found to reside there....No file was found at that url....

ooo yes it is still there     same name but different MD5 to the last one you posted

and avast got it
http://www.virustotal.com/file-scan/report.html?id=fe05bf9a8d1d812f0e4bd6bafb731ad175cf8ddc80e6a7021d0bfb3a7996af44-1300978417

[sys-eng]

Norton, Microsoft, McAfee, Eset, AVG, etc. all detect this but Avast is still not detecting it as of 1:30 EDST today.  I searched for about 20 minutes and did not find a way to submit this to Avast lab.  They have a process for submitting false positives from the virus chest but not for submitting missed positives.

I have a customers who will open this e-mail message and probably get infected.

[Pondus]

  I searched for about 20 minutes and did not find a way to submit this to Avast lab. 

send samples in a password protected zip.file to virus @ avast.com
subject: undetetced sample
password: infected

[spg SCOTT]

False Positive OR Potential Malware...from the chest:

EDIT: hang on...screenshot is messed up... There...

[spg SCOTT]

The .com file that comes from Polonus' first post in this thread is now detected by avast, after adding to the chest and sending it

110324-1

[polonus]

OK, we change the topic to "SOLVED"

pol