New Virus? *W32/Trojan2.NPIT* & Batch Risk

[!Donovan]

I admit that I did something stupid. At least I stopped it before it started. (Thanks Safe Mode)
BTW, now you know about these kinds of viruses.

Before I opened it, I scanned the installer on VT, and it came up with 3/42. Thinking those 3 were FP, as none of the MAJOR antiviruses detected it, I installed it. No registry stuff added, just some new files.

The Installer:
http://www.virustotal.com/file-scan/report.html?id=c60b4440d6a33b7814891635514cb42f19ca9aa4ea9f55fdd024e19c6857c7ae-1321141931

I saw the application called SRB2Winner, thinking that this was the main application and opened it. My cursor flashed many times, and then my computer started shutting down. I holded down the power button before it fully shutted down.

SRB2Winner:
http://www.virustotal.com/file-scan/report.html?id=f27b87a3402030ff2281a49ac89c4ce6a14fb2e17a2f321518b8b57e45b157aa-1321143431

Rebooted in Safe Mode, nothing out of the ordinary, no new processes running on startup, but just to make sure, I deleted the files from the saved directory, the temp files, and the recycling bin, then rebooted in normal mode.

Based on how the SRB2Winner program looked, it was changed from Batch to Executable using BatToExe Converter.

I never clicked the program that said "Click Here" as that was too suspicious.

Click Here.exe:
http://www.virustotal.com/file-scan/report.html?id=ba8979c5505607a0a197de8b86fe38d5f0b2805f617408409ba12e698bb365ae-1321143809

I forgot the email address to send infected files to, so a reminder would be appreciated.

BTW, has it been that long since I last posted??

[Pondus]

I forgot the email address to send infected files to, so a reminder would be appreciated.

upload to  virus @ avast.com in a password protected zip.file
zip password:  infected
mail subject:  undetected sample(s)

it is recomended to use a zip program that also encrypt like win.rar or 7zip
Gmail (and maybe otheres) will block sending password protected zip files if it can see that it contain a .exe file



you can also send from virus chest  

Moving files to the Virus Chest
http://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=501#idt_03

Submitting files from the Virus Chest to avast! Virus Lab
http://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=501#idt_07

[Pondus]

also if you want to test files and see what they do...before you install  

Norman sandbox   http://www.norman.com/security_center/security_tools/en-us
Comodo sandbox   http://camas.comodo.com/
ThreatExpert     http://www.threatexpert.com/submit.aspx

BTW, has it been that long since I last posted??

12 may. 2011  

[!Donovan]

Had to use my secondary Yahoo account, which was 'erased' because I wasn't on Yahoo for over 4 months.

Used 7z Command Line Edition to encrypt.

I'll test the files tommorrow, tired.

[!Donovan]

Click Here.exe:
http://camas.comodo.com/cgi-bin/submit?file=ba8979c5505607a0a197de8b86fe38d5f0b2805f617408409ba12e698bb365ae

Click Here.exe : Not detected by Sandbox (Signature: NO_VIRUS)


 [ DetectionInfo ]
    * Filename: C:\analyzer\scan\Click Here.exe.

    * Sandbox name: NO_MALWARE
    * Signature name: NO_VIRUS.
    * Compressed: YES.
    * TLS hooks: NO.
    * Executable type: Application.
    * Executable file structure: OK.
    * Filetype: PE_I386.

 [ General information ]

    * File length:       175104 bytes.
    * MD5 hash: fb7b801233b96f321bee5c2a517104f0.
    * SHA1 hash: 4f14157e3932d46e3d9e7789b63cbbac619a40a4.

 [ Changes to filesystem ]
    * Creates file C:\WINDOWS\TEMP\6298.tmp.
    * Deletes file C:\WINDOWS\TEMP\6298.tmp.
    * Creates directory C:\WINDOWS\TEMP\6298.tmp.
    * Creates file C:\WINDOWS\TEMP\6298.tmp\Click Here.bat.
    * Deletes file C:\WINDOWS\TEMP\6298.tmp\Click Here.bat.

 [ Signature Scanning ]
    * C:\WINDOWS\TEMP\6298.tmp\Click Here.bat (105 bytes) : no signature detection.


The Installer:
http://camas.comodo.com/cgi-bin/submit?file=c60b4440d6a33b7814891635514cb42f19ca9aa4ea9f55fdd024e19c6857c7ae

 [ DetectionInfo ]
    * Filename: C:\analyzer\scan\Sonic R. Blast 2 Hacks.exe.
    * Sandbox name: NO_MALWARE
    * Signature name: NO_VIRUS.
    * Compressed: NO.
    * TLS hooks: NO.
    * Executable type: Application.
    * Executable file structure: OK.
    * Filetype: PE_I386.

 [ General information ]
    * File length:       133900 bytes.
    * MD5 hash: 99512b3ba2df3012c15ab1c3f22eb5ce.
    * SHA1 hash: 067eb81f14b5626d5b62c07c62360225b5ff65be.

 [ Process/window information ]
    * Creates a window with caption WinRAR self-extracting archive and classname #32770.
    * Creates dialog control (static) with id 108 and caption .
    * Creates dialog control (static) with id 101 and caption &Destination folder.
    * Creates dialog control (combobox) with id 102 and caption .
    * Creates dialog control (button) with id 103 and caption Bro&wse....
    * Creates a window with caption (null) and classname RarHtmlClassName.


SRB2Winner.exe:
Comodo couldn't complete the process on this one.

 [ DetectionInfo ]
    * Filename: C:\analyzer\scan\Srb2Winner.exe.

    * Sandbox name: NO_MALWARE
    * Signature name: NO_VIRUS.

    * Compressed: YES.

    * TLS hooks: NO.
    * Executable type: Application.
    * Executable file structure: OK.
    * Filetype: PE_I386.

 [ General information ]

    * File length:        25600 bytes.
    * MD5 hash: e12b3592c4b52d5bb7dc716a83a6a24d.
    * SHA1 hash: b7334297c7cf2780b14f828eb0084db693f6b709.

 [ Changes to filesystem ]
    * Creates file C:\WINDOWS\TEMP\4312.tmp.
    * Deletes file C:\WINDOWS\TEMP\4312.tmp.
    * Creates directory C:\WINDOWS\TEMP\4312.tmp.
    * Creates file C:\WINDOWS\TEMP\4312.tmp\Hackingcode24.bat.
    * Deletes file C:\WINDOWS\TEMP\4312.tmp\Hackingcode24.bat.

 [ Signature Scanning ]
    * C:\WINDOWS\TEMP\4312.tmp\Hackingcode24.bat (124 bytes) : no signature detection.

Awating ThreatExpert's Report.

I am SO glad that I ran SRB2Winner on a limited account.

BTW, has it been that long since I last posted??

12 may. 2011   

 

[!Donovan]

I got the results from ThreatExpert, pictures below:
SRB2 Winner.exe:
http://i795.photobucket.com/albums/yy238/Donovansrb10/SRB2WinnerReport.png

Click Here.exe:
http://i795.photobucket.com/albums/yy238/Donovansrb10/ClickHereReport.png

The Installer:
http://i795.photobucket.com/albums/yy238/Donovansrb10/InstallerReport.png

[DavidR]

It must surely be easier and better just to post the link to the results. For those interested they can visit and save a bunch of scrolling and they could probably read the text not the images.

[!Donovan]

They sent me a zip file containing the results in mhtml format.

[DavidR]

Sneaky, I guess they don't want it widely available and mhtml format also needs IE to view it if I remember rightly.

[Pondus]

They sent me a zip file containing the results in mhtml format.

There is no problem posting links to ThreatExpert reports...i do it often.....the link is in the mail

and in your case(s) it will be this

Click Here.exe:   http://www.threatexpert.com/report.aspx?md5=fb7b801233b96f321bee5c2a517104f0

The Installer:   http://www.threatexpert.com/report.aspx?md5=99512b3ba2df3012c15ab1c3f22eb5ce

SRB2Winner.exe:   http://www.threatexpert.com/report.aspx?md5=e12b3592c4b52d5bb7dc716a83a6a24d