Author Topic: New Trojan Detected:Comprovante.exe. But Not By Avast! [SOLVED]  (Read 5787 times)


Jack 1000

  • Guest
Dear Avast,

This is a report that virustotal.com has detected the Comprovante.exe Trojan at the following webpage:

hxxp://www.statelinefastpitch.com.

Here is the report:

http://www.virustotal.com/file-scan/report.html?id=bc8b9da1cec4dd77cfb4136698b0c06be7dfb06c75bb5963f90d75c4e531c0c3-1302200911

If the above link does not work, here are the Virus Total scan results for this malware:

File name: Comprovante.exe
Submission date: 2011-04-07 18:28:31 (UTC)
Current status: finished
Result: 13/40 (32.5%)
VT Community: malware (safety score 0.0%)

Antivirus | Version | Last Update | Result
AhnLab-V3 2011.04.08.00 2011.04.07 -
AntiVir 7.11.6.4 2011.04.07 TR/Spy.Banker.LW.85
Antiy-AVL 2.0.3.7 2011.04.06 -
Avast 4.8.1351.0 2011.04.07 -
Avast5 5.0.677.0 2011.04.01 -
AVG 10.0.0.1190 2011.04.07 PSW.Generic8.BKFK
BitDefender 7.2 2011.04.07 Dropped:Trojan.Generic.5781220
CAT-QuickHeal 11.00 2011.04.07 -
ClamAV 0.97.0.0 2011.04.07 -
Commtouch 5.2.11.5 2011.04.06 -
Comodo 8256 2011.04.07 -
DrWeb 5.0.2.03300 2011.04.07 -
eSafe 7.0.17.0 2011.04.04 -
eTrust-Vet 36.1.8258 2011.04.07 -
F-Prot 4.6.2.117 2011.04.07 -
F-Secure 9.0.16440.0 2011.04.07 -
Fortinet 4.2.254.0 2011.04.07 -
GData 22 2011.04.07 -
Ikarus T3.1.1.103.0 2011.04.07 Trojan-Spy.Win32.Banker
Jiangmin 13.0.900 2011.04.07 -
K7AntiVirus 9.96.4320 2011.04.07 -
McAfee 5.400.0.1158 2011.04.07 Generic PWS.y!dab
McAfee-GW-Edition 2010.1C 2011.04.07 Generic PWS.y!dab
Microsoft 1.6702 2011.04.07 TrojanSpy:Win32/Banker.LW
NOD32 6023 2011.04.07 probably a variant of Win32/Spy.Delf.OJR
Norman 6.07.07 2011.04.07 -
Panda 10.0.3.5 2011.04.07 -
PCTools 7.0.3.5 2011.04.07 -
Prevx 3.0 2011.04.07 -
Rising 23.52.03.06 2011.04.07 -
Sophos 4.64.0 2011.04.07 -
SUPERAntiSpyware 4.40.0.1006 2011.04.06 Trojan.Agent/Gen-Banload
Symantec 20101.3.2.89 2011.04.07 -
TheHacker 6.7.0.1.168 2011.04.07 -
TrendMicro 9.200.0.1012 2011.04.07 TSPY_BANKER.SMAW
TrendMicro-HouseCall 9.200.0.1012 2011.04.07 TSPY_BANKER.SMAW
VBA32 3.12.14.3 2011.04.07 TrojanDownloader.Banload.bblx
VIPRE 8949 2011.04.07 Trojan.Win32.Generic!BT
ViRobot 2011.4.7.4398 2011.04.07 -
VirusBuster 13.6.293.1 2011.04.07 -

***********************************************************
Additional information
MD5   : de6963a89ac914772e9badebc9519943
SHA1  : 3d0d2d27c9abca39491556b579072fcb09c7be8f
SHA256: bc8b9da1cec4dd77cfb4136698b0c06be7dfb06c75bb5963f90d75c4e531c0c3
ssdeep: 6144:mu2urzh9xu/Xkau/8V0RD1qdpMHQz3E399wls58FloyCr1tz5nnKG+:mutrzh9xOXkUV0VQEtSlrXCzz5nc
File size : 300689 bytes
First seen: 2011-04-06 17:59:52
Last seen : 2011-04-07 18:28:31
Magic: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID:
Win64 Executable Generic (59.6%)
Win32 Executable MS Visual C++ (generic) (26.2%)
Win32 Executable Generic (5.9%)
Win32 Dynamic Link Library (generic) (5.2%)
Generic Win/DOS Executable (1.3%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
 
PEiD: -
packers (F-Prot): RAR
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0xA7B1
timedatestamp....: 0x4B9DD366 (Mon Mar 15 06:27:50 2010)
machinetype......: 0x14C (Intel I386)

[[ 5 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x1076E, 0x10800, 6.58, 8e6577c8c479f3e85e7fa573af92977e
.rdata, 0x12000, 0x1865, 0x1A00, 5.33, 4ec1c384a6c5f398ea7ca4031012f2d6
.data, 0x14000, 0xBFF4, 0x200, 3.55, 0ebca16960628061dcf3807fd384d9e9
.CRT, 0x20000, 0x10, 0x200, 0.21, a74a099866bd9750c2aa37309234732b
.rsrc, 0x21000, 0x3E60, 0x4000, 5.23, 8aabefb1e4cfa5dd14c4d7fe514d0403

[[ 9 import(s) ]]
advapi32.dll: LookupPrivilegeValueA, RegOpenKeyExA, RegQueryValueExA, RegCreateKeyExA, RegSetValueExA, RegCloseKey, SetFileSecurityW, SetFileSecurityA, OpenProcessToken, AdjustTokenPrivileges
comctl32.dll: -
comdlg32.dll: GetSaveFileNameA, CommDlgExtendedError, GetOpenFileNameA
gdi32.dll: GetDeviceCaps, GetObjectA, CreateCompatibleBitmap, SelectObject, StretchBlt, CreateCompatibleDC, DeleteObject, DeleteDC
kernel32.dll: DeleteFileA, DeleteFileW, CreateDirectoryA, CreateDirectoryW, FindClose, FindNextFileA, FindFirstFileA, FindNextFileW, FindFirstFileW, GetTickCount, WideCharToMultiByte, MultiByteToWideChar, GetVersionExA, GlobalAlloc, lstrlenA, GetModuleFileNameA, FindResourceA, GetModuleHandleA, HeapAlloc, GetProcessHeap, HeapFree, HeapReAlloc, CompareStringA, ExitProcess, GetLocaleInfoA, GetNumberFormatA, lstrcmpiA, GetProcAddress, GetDateFormatA, GetTimeFormatA, FileTimeToSystemTime, FileTimeToLocalFileTime, ExpandEnvironmentStringsA, WaitForSingleObject, SetCurrentDirectoryA, Sleep, GetTempPathA, MoveFileExA, UnmapViewOfFile, GetCommandLineA, MapViewOfFile, CreateFileMappingA, GetModuleFileNameW, SetEnvironmentVariableA, OpenFileMappingA, LocalFileTimeToFileTime, SystemTimeToFileTime, GetSystemTime, IsDBCSLeadByte, GetCPInfo, FreeLibrary, LoadLibraryA, GetCurrentDirectoryA, GetFullPathNameA, SetFileAttributesW, SetFileAttributesA, GetFileAttributesW, GetFileAttributesA, WriteFile, SetLastError, GetStdHandle, ReadFile, CreateFileW, CreateFileA, GetFileType, SetEndOfFile, SetFilePointer, MoveFileA, SetFileTime, GetCurrentProcess, CloseHandle, GetLastError, DosDateTimeToFileTime
ole32.dll: CreateStreamOnHGlobal, OleInitialize, CoCreateInstance, OleUninitialize, CLSIDFromString
oleaut32.dll: -
shell32.dll: ShellExecuteExA, SHFileOperationA, SHGetFileInfoA, SHGetSpecialFolderLocation, SHGetMalloc, SHBrowseForFolderA, SHGetPathFromIDListA, SHChangeNotify
user32.dll: ReleaseDC, GetDC, SendMessageA, wsprintfA, SetDlgItemTextA, EndDialog, DestroyIcon, SendDlgItemMessageA, GetDlgItemTextA, DialogBoxParamA, IsWindowVisible, WaitForInputIdle, GetSysColor, PostMessageA, SetMenu, SetFocus, LoadBitmapA, LoadIconA, CharToOemA, OemToCharA, GetClassNameA, CharUpperA, GetWindowRect, GetParent, MapWindowPoints, CreateWindowExA, UpdateWindow, SetWindowTextA, LoadCursorA, RegisterClassExA, SetWindowLongA, GetWindowLongA, DefWindowProcA, PeekMessageA, GetMessageA, TranslateMessage, DispatchMessageA, GetClientRect, CopyRect, IsWindow, MessageBoxA, ShowWindow, GetDlgItem, EnableWindow, FindWindowExA, wvsprintfA, CharToOemBuffA, LoadStringA, SetWindowPos, GetWindowTextA, GetWindow, GetSystemMetrics, OemToCharBuffA, DestroyWindow
 
ExifTool:
file metadata
CodeSize: 67584
EntryPoint: 0xa7b1
FileSize: 294 kB
FileType: Win32 EXE
ImageVersion: 0.0
InitializedDataSize: 24064
LinkerVersion: 9.0
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 5.0
PEType: PE32
Subsystem: Windows GUI
SubsystemVersion: 4.0
TimeStamp: 2010:03:15 07:27:50+01:00
UninitializedDataSize: 0
 
Symantec reputation: Suspicious.Insight


VT Community comment

User: Letti.net.br
Reputation: 534 credits
Comment date: 2011-04-06 18:01:30 (UTC)
hxxp://www.statelinefastpitch.com/templates/system/css/comprovante.php
Tags: Malware, banker, tspy_banker, banload

Jack
« Last Edit: April 09, 2011, 10:19:18 PM by Jack 1000 »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: New Trojan Detected:Comprovante.exe. But Not By Avast!
« Reply #1 on: April 07, 2011, 11:57:28 PM »
Sample is sent to avast   ;)

Jack 1000

  • Guest
Re: New Trojan Detected:Comprovante.exe. But Not By Avast!
« Reply #2 on: April 07, 2011, 11:58:36 PM »
Sample is sent to avast   ;)

Thanks!

Jack

Jack 1000

  • Guest
Re: New Trojan Detected:Comprovante.exe. But Not By Avast!
« Reply #3 on: April 09, 2011, 06:55:08 AM »
Sample is sent to avast   ;)

Thanks!

Jack

Hmmm. Still no detection by Avast according to URLVoid. Note that I could not use VirusTotal because of heavy workload.

http://vscan.urlvoid.com/analysis/8d0ec0bb408cb5fba4083b91968243f4/c3RhdGVsaW5lZmFzdHBpdGNoLWNvbQ==/

Jack

PS. However, URLVoid.com does show that a danger is still here:

Report: 2011-04-08 21:23:57 (GMT 1)
Website: statelinefastpitch.com
Domain Hash: 77e9034067a534ec1adef4dba3bc6f6f
IP Address: 173.236.39.210
IP Hostname: server.programpartnerhosting.com
IP Country: -- (--)
AS Number: 32475
AS Name: SINGLEHOP-INC - SingleHop
Detections: 4 / 22 (18 %)
Status: DANGEROUS

Scanning site with: AMaDa   CLEAN
Scanning site with: BrowserDefender   UNRATED
Scanning site with: DNS-BH   CLEAN
Scanning site with: DShield SDL   CLEAN
Scanning site with: Google Diagnostic   CLEAN
Scanning site with: hpHosts   UNRATED
Scanning site with: joewein.de LLC   CLEAN
Scanning site with: Malware Domain List   CLEAN
Scanning site with: Malware Patrol   CLEAN
Scanning site with: MyWOT   DETECTED
Scanning site with: Norton SafeWeb   UNRATED
Scanning site with: ParetoLogic URL Clearing House   DETECTED
Scanning site with: PhishTank   CLEAN
Scanning site with: SCUMWARE   CLEAN
Scanning site with: SpamhausDBL   CLEAN
Scanning site with: SURBL   CLEAN
Scanning site with: Threat Log   CLEAN
Scanning site with: TrendMicro Web Reputation   CLEAN
Scanning site with: URIBL   DETECTED
Scanning site with: VSCAN   DETECTED
Scanning site with: Web Security Guard   UNRATED
Scanning site with: ZeuS Tracker   CLEAN
« Last Edit: April 09, 2011, 07:00:51 AM by Jack 1000 »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: New Trojan Detected:Comprovante.exe. But Not By Avast!
« Reply #4 on: April 09, 2011, 12:41:47 PM »
Being discussed all around: http://www.mywot.com/en/forum/11036-virus
Avast flagged it properly here in 2009: http://virusscan.jotti.org/en/scanresult/7591600e1d926034147baff148bfa66afc0c9d9b
as Win32:Spyware-gen, so must be a new variant of the same Banload malware...
See: http://www.virustotal.com/file-scan/report.html?id=bc8b9da1cec4dd77cfb4136698b0c06be7dfb06c75bb5963f90d75c4e531c0c3-1302200911
jsunpack scanned: htxp://jsunpack.jeek.org/dec/go?report=39341b7e26c87b905e57061a5120ba2d7d032959
(only for the security-aware: go there sandboxed and with ample script protection)
See: http://wepawet.iseclab.org/view.php?hash=852655f55924ff57f6ef719c1e0d2022&t=1302346013&type=js
Anubis report: http://anubis.iseclab.org/?action=result&task_id=181d66208cb309ce411a894330ca76baa

polonus
« Last Edit: April 09, 2011, 03:28:50 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Jack 1000

  • Guest
Re: New Trojan Detected:Comprovante.exe. But Not By Avast!
« Reply #5 on: April 09, 2011, 02:15:33 PM »
Being discussed all around: http://www.mywot.com/en/forum/11036-virus
Avast flagged it properly here in 2009: http://virusscan.jotti.org/en/scanresult/7591600e1d926034147baff148bfa66afc0c9d9b
as Win32:Spyware-gen, so must be a new variant of the same Banload malware...
See: http://www.virustotal.com/file-scan/report.html?id=bc8b9da1cec4dd77cfb4136698b0c06be7dfb06c75bb5963f90d75c4e531c0c3-1302200911
jsunpack scanned: http://jsunpack.jeek.org/dec/go?report=39341b7e26c87b905e57061a5120ba2d7d032959
(only for the security-aware: go there sandboxed and with ample script protection)
See: http://wepawet.iseclab.org/view.php?hash=852655f55924ff57f6ef719c1e0d2022&t=1302346013&type=js
Anubis report: http://anubis.iseclab.org/?action=result&task_id=181d66208cb309ce411a894330ca76baa

polonus


Thanks Polonus!

Maybe it is just taking Avast longer to write a definition for the threat. That info shows they certainly know about it.

Jack
« Last Edit: April 09, 2011, 02:17:04 PM by Jack 1000 »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: New Trojan Detected:Comprovante.exe. But Not By Avast! [SOLVED]
« Reply #6 on: April 09, 2011, 03:33:30 PM »
Avast has detection now as Win32:Spyware-gen, see:
http://www.virustotal.com/file-scan/report.html?id=bc8b9da1cec4dd77cfb4136698b0c06be7dfb06c75bb5963f90d75c4e531c0c3-1302276204
Jack 1000, you can put [SOLVED] in your initial posting, just like I did here, to mark that avast now detects it
and our users are now being protected,

polonus
« Last Edit: April 09, 2011, 03:35:15 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: New Trojan Detected:Comprovante.exe. But Not By Avast! [SOLVED]
« Reply #7 on: April 09, 2011, 11:42:27 PM »
Hi Jack 1000,

Thanks, every time I see that [SOLVED] appear, it gives me a good proud feeling. So, thanks for reporting this malware and helping towards an even better avast detection. Re-scanning of virustotal results and follow-up of new malware coming in via the known malware resource sites, and above all reporting these findings via "virus ATavast dot com", will greatly help towards this goal,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!