Author Topic: New Virus? *W32/Trojan2.NPIT* & Batch Risk  (Read 6593 times)

0 Members and 1 Guest are viewing this topic.

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
New Virus? *W32/Trojan2.NPIT* & Batch Risk
« on: November 13, 2011, 01:48:19 AM »
I admit that I did something stupid. At least I stopped it before it started. (Thanks Safe Mode)
BTW, now you know about these kinds of viruses. ;D

Before I opened it, I scanned the installer on VT, and it came up with 3/42. Thinking those 3 were FP, as none of the MAJOR antiviruses detected it, I installed it. No registry stuff added, just some new files.

The Installer:
http://www.virustotal.com/file-scan/report.html?id=c60b4440d6a33b7814891635514cb42f19ca9aa4ea9f55fdd024e19c6857c7ae-1321141931

I saw the application called SRB2Winner, thinking that this was the main application and opened it. My cursor flashed many times, and then my computer started shutting down. I holded down the power button before it fully shutted down.

SRB2Winner:
http://www.virustotal.com/file-scan/report.html?id=f27b87a3402030ff2281a49ac89c4ce6a14fb2e17a2f321518b8b57e45b157aa-1321143431

Rebooted in Safe Mode, nothing out of the ordinary, no new processes running on startup, but just to make sure, I deleted the files from the saved directory, the temp files, and the recycling bin, then rebooted in normal mode.

Based on how the SRB2Winner program looked, it was changed from Batch to Executable using BatToExe Converter.

I never clicked the program that said "Click Here" as that was too suspicious.

Click Here.exe:
http://www.virustotal.com/file-scan/report.html?id=ba8979c5505607a0a197de8b86fe38d5f0b2805f617408409ba12e698bb365ae-1321143809

I forgot the email address to send infected files to, so a reminder would be appreciated.

BTW, has it been that long since I last posted??
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: New Virus? *W32/Trojan2.NPIT* & Batch Risk
« Reply #1 on: November 13, 2011, 02:03:50 AM »
Quote
I forgot the email address to send infected files to, so a reminder would be appreciated.
upload to  virus @ avast.com in a password protected zip.file
zip password:  infected
mail subject:  undetected sample(s)

it is recomended to use a zip program that also encrypt like win.rar or 7zip
Gmail (and maybe otheres) will block sending password protected zip files if it can see that it contain a .exe file



you can also send from virus chest  

Moving files to the Virus Chest
http://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=501#idt_03

Submitting files from the Virus Chest to avast! Virus Lab
http://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=501#idt_07

« Last Edit: November 13, 2011, 02:17:04 AM by Pondus »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: New Virus? *W32/Trojan2.NPIT* & Batch Risk
« Reply #2 on: November 13, 2011, 02:09:24 AM »
also if you want to test files and see what they do...before you install   ;)

Norman sandbox   http://www.norman.com/security_center/security_tools/en-us
Comodo sandbox   http://camas.comodo.com/
ThreatExpert     http://www.threatexpert.com/submit.aspx




Quote
BTW, has it been that long since I last posted??
12 may. 2011   ;D
« Last Edit: November 13, 2011, 02:14:07 AM by Pondus »

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: New Virus? *W32/Trojan2.NPIT* & Batch Risk
« Reply #3 on: November 13, 2011, 02:30:25 AM »
Had to use my secondary Yahoo account, which was 'erased' because I wasn't on Yahoo for over 4 months.

Used 7z Command Line Edition to encrypt.

I'll test the files tommorrow, tired.
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: New Virus? *W32/Trojan2.NPIT* & Batch Risk
« Reply #4 on: November 13, 2011, 04:11:17 PM »
Click Here.exe:
http://camas.comodo.com/cgi-bin/submit?file=ba8979c5505607a0a197de8b86fe38d5f0b2805f617408409ba12e698bb365ae

Click Here.exe : Not detected by Sandbox (Signature: NO_VIRUS)


 [ DetectionInfo ]
    * Filename: C:\analyzer\scan\Click Here.exe.

    * Sandbox name: NO_MALWARE
    * Signature name: NO_VIRUS.
    * Compressed: YES.
    * TLS hooks: NO.
    * Executable type: Application.
    * Executable file structure: OK.
    * Filetype: PE_I386.

 [ General information ]

    * File length:       175104 bytes.
    * MD5 hash: fb7b801233b96f321bee5c2a517104f0.
    * SHA1 hash: 4f14157e3932d46e3d9e7789b63cbbac619a40a4.

 [ Changes to filesystem ]
    * Creates file C:\WINDOWS\TEMP\6298.tmp.
    * Deletes file C:\WINDOWS\TEMP\6298.tmp.
    * Creates directory C:\WINDOWS\TEMP\6298.tmp.
    * Creates file C:\WINDOWS\TEMP\6298.tmp\Click Here.bat.
    * Deletes file C:\WINDOWS\TEMP\6298.tmp\Click Here.bat.

 [ Signature Scanning ]
    * C:\WINDOWS\TEMP\6298.tmp\Click Here.bat (105 bytes) : no signature detection.


The Installer:
http://camas.comodo.com/cgi-bin/submit?file=c60b4440d6a33b7814891635514cb42f19ca9aa4ea9f55fdd024e19c6857c7ae

 [ DetectionInfo ]
    * Filename: C:\analyzer\scan\Sonic R. Blast 2 Hacks.exe.
    * Sandbox name: NO_MALWARE
    * Signature name: NO_VIRUS.
    * Compressed: NO.
    * TLS hooks: NO.
    * Executable type: Application.
    * Executable file structure: OK.
    * Filetype: PE_I386.

 [ General information ]
    * File length:       133900 bytes.
    * MD5 hash: 99512b3ba2df3012c15ab1c3f22eb5ce.
    * SHA1 hash: 067eb81f14b5626d5b62c07c62360225b5ff65be.

 [ Process/window information ]
    * Creates a window with caption WinRAR self-extracting archive and classname #32770.
    * Creates dialog control (static) with id 108 and caption .
    * Creates dialog control (static) with id 101 and caption &Destination folder.
    * Creates dialog control (combobox) with id 102 and caption .
    * Creates dialog control (button) with id 103 and caption Bro&wse....
    * Creates a window with caption (null) and classname RarHtmlClassName.


SRB2Winner.exe:
Comodo couldn't complete the process on this one.

 [ DetectionInfo ]
    * Filename: C:\analyzer\scan\Srb2Winner.exe.

    * Sandbox name: NO_MALWARE
    * Signature name: NO_VIRUS.

    * Compressed: YES.

    * TLS hooks: NO.
    * Executable type: Application.
    * Executable file structure: OK.
    * Filetype: PE_I386.

 [ General information ]

    * File length:        25600 bytes.
    * MD5 hash: e12b3592c4b52d5bb7dc716a83a6a24d.
    * SHA1 hash: b7334297c7cf2780b14f828eb0084db693f6b709.

 [ Changes to filesystem ]
    * Creates file C:\WINDOWS\TEMP\4312.tmp.
    * Deletes file C:\WINDOWS\TEMP\4312.tmp.
    * Creates directory C:\WINDOWS\TEMP\4312.tmp.
    * Creates file C:\WINDOWS\TEMP\4312.tmp\Hackingcode24.bat.
    * Deletes file C:\WINDOWS\TEMP\4312.tmp\Hackingcode24.bat.

 [ Signature Scanning ]
    * C:\WINDOWS\TEMP\4312.tmp\Hackingcode24.bat (124 bytes) : no signature detection.

Awating ThreatExpert's Report.

I am SO glad that I ran SRB2Winner on a limited account. :)

Quote
Quote
BTW, has it been that long since I last posted??
12 may. 2011   ;D

 :o
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
« Last Edit: November 13, 2011, 05:03:17 PM by Donovansrb10 »
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline DavidR

  • Avast √úberevangelist
  • Certainly Bot
  • *****
  • Posts: 89033
  • No support PMs thanks
Re: New Virus? *W32/Trojan2.NPIT* & Batch Risk
« Reply #6 on: November 13, 2011, 04:56:03 PM »
It must surely be easier and better just to post the link to the results. For those interested they can visit and save a bunch of scrolling and they could probably read the text not the images.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: New Virus? *W32/Trojan2.NPIT* & Batch Risk
« Reply #7 on: November 13, 2011, 05:01:13 PM »
They sent me a zip file containing the results in mhtml format.
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline DavidR

  • Avast √úberevangelist
  • Certainly Bot
  • *****
  • Posts: 89033
  • No support PMs thanks
Re: New Virus? *W32/Trojan2.NPIT* & Batch Risk
« Reply #8 on: November 13, 2011, 05:05:55 PM »
Sneaky, I guess they don't want it widely available and mhtml format also needs IE to view it if I remember rightly.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: New Virus? *W32/Trojan2.NPIT* & Batch Risk
« Reply #9 on: November 13, 2011, 05:48:39 PM »
They sent me a zip file containing the results in mhtml format.
There is no problem posting links to ThreatExpert reports...i do it often.....the link is in the mail

and in your case(s) it will be this

Click Here.exe:   http://www.threatexpert.com/report.aspx?md5=fb7b801233b96f321bee5c2a517104f0

The Installer:   http://www.threatexpert.com/report.aspx?md5=99512b3ba2df3012c15ab1c3f22eb5ce

SRB2Winner.exe:   http://www.threatexpert.com/report.aspx?md5=e12b3592c4b52d5bb7dc716a83a6a24d


« Last Edit: November 13, 2011, 08:08:53 PM by Pondus »