Author Topic: Avast does not detect Trojan.Dropper/Gen-PHP aka Mal/FakeAV-IS here...


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Avast does not detect Trojan.Dropper/Gen-PHP aka Mal/FakeAV-IS here...
« Reply #1 on: November 21, 2011, 10:42:09 PM »
Hi forum friends,

The final answer came from here: http://amada.abuse.ch/?search=nanitos99132.co.cc
Verdict Gbot, Trojan Fake-AV
But the MD5 hash of the trojan has changed in the meantime: 358e5bf8168f49f29f3849a098da41f2
one of many Malware.Win32.PEx.Delphi variants:
earlier detection: http://threatcenter.crdf.fr/?More&ID=53128&D=CRDF.Malware.Win32.PEx.Delphi.9216665173

polonus
« Last Edit: November 21, 2011, 10:51:05 PM by polonus »


REDACTED

  • Guest
Re: Avast does not detect Trojan.Dropper/Gen-PHP aka Mal/FakeAV-IS here...
« Reply #3 on: November 21, 2011, 10:55:45 PM »
Hi forum friends,

See: http://www.virustotal.com/url-scan/report.html?id=27c11b5c1e39686d113239ed2495796e-1321904977
and: http://www.virustotal.com/file-scan/report.html?id=a7ccffe77c53722796d29e29b1d5b78576f57d385b656b0b62eafcc3a68f311a-1321908585
Anubis analysis: http://anubis.iseclab.org/?action=result&task_id=166d29bce3097efd4b991885708dc3
This is TR/Cycbot.OS.1 -http://nanitos99132.co.cc/w.php?f=155&e=5 packed by FLY-CODE
Is this a generic detection of the packer used or malcoded about.exe?
Here nothing is being detected: http://vscan.urlvoid.com/analysis/62d3725ab6a3b6a479efa453acc43176/YWJvdXQtZXhl/

polonus


packed by FLY-CODE - c. 80% chance it's malicious, so say the DrWeb developers.


Your request has been processed by an automatic system. This threat is known to our experts. Their entry in the Dr.Web virus database already exists.

Threat: BackDoor.Gbot.1589

http://vms.drweb.com/virus/?i=1591672
« Last Edit: November 21, 2011, 11:02:13 PM by Dim@rik »
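
The question above (is this a generic detection of the packer, or of the malcoded about.exe?) is exactly what a packer heuristic answers: it scores the file's structure, not its behaviour. The block below is an added example, not code from this thread, from Avast or from Dr.Web. It walks the PE section table and computes Shannon entropy per section; a section of compressed or encrypted data scores close to 8 bits per byte, while code and text score much lower. The 7.0 threshold is a rule-of-thumb assumption for this example, not any vendor's figure, the sample PE images are constructed in-line and cannot run, and the ".fly" section name is invented (it is not the real FLY-CODE layout).

```python
import hashlib
import math
import struct

# Rule-of-thumb threshold for "this section looks compressed or encrypted".
# Assumption for this example, not a figure from any AV vendor.
PACKED_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, close to 8.0 for random data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Minimal PE parser: yield (section name, raw bytes) from the section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections, = struct.unpack_from("<H", image, coff + 2)   # NumberOfSections
    opt_size, = struct.unpack_from("<H", image, coff + 16)    # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    for i in range(n_sections):
        hdr = table + i * 40
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)
        yield name, image[raw_ptr:raw_ptr + raw_size]


def packed_sections(image: bytes, threshold: float = PACKED_ENTROPY):
    """Return [(name, entropy)] for sections whose entropy reaches the threshold."""
    hits = []
    for name, data in pe_sections(image):
        h = shannon_entropy(data)
        if h >= threshold:
            hits.append((name, round(h, 2)))
    return hits


def looks_packed(image: bytes) -> bool:
    return bool(packed_sections(image))


def build_sample_pe(sections):
    """Assemble a minimal, non-executable PE32 image from (name, bytes) pairs.
    Constructed test input for this example only; it only has to parse."""
    e_lfanew, opt_size, n = 0x40, 0xE0, len(sections)
    headers_len = e_lfanew + 4 + 20 + opt_size + 40 * n
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x102)  # i386, EXE
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")              # PE32 magic
    table, body, raw_ptr = b"", b"", headers_len
    for name, data in sections:
        table += (name.encode().ljust(8, b"\0")
                  + struct.pack("<IIII", len(data), 0x1000, len(data), raw_ptr)
                  + b"\0" * 16)
        body += data
        raw_ptr += len(data)
    return dos + b"PE\0\0" + coff + opt + table + body


# Constructed samples: a text-like section, a high-entropy section standing in
# for a packer payload, and a zero-filled data section. ".fly" is invented.
_TEXT = b"Hello, Delphi! " * 256
_PACKED_PAYLOAD = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
SAMPLE_PACKED = build_sample_pe([(".text", _TEXT), (".fly", _PACKED_PAYLOAD)])
SAMPLE_PLAIN = build_sample_pe([(".text", _TEXT), (".data", b"\0" * 4096)])

if __name__ == "__main__":
    for label, image in (("packed", SAMPLE_PACKED), ("plain", SAMPLE_PLAIN)):
        for name, data in pe_sections(image):
            print(f"{label:6} {name:8} {len(data):6d} bytes  H={shannon_entropy(data):.2f}")
        print(f"{label:6} looks_packed={looks_packed(image)}")
```

This is a triage signal, not a verdict: installers, games and anything carrying compressed resources trip the same threshold, which is why a packer-only detection such as the 80% figure quoted from Dr.Web is a probability and not proof that a given about.exe is malicious. Pair it with the hash lookups used in this thread before calling a file either way.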

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Avast does not detect Trojan.Dropper/Gen-PHP aka Mal/FakeAV-IS here...
« Reply #4 on: November 21, 2011, 11:10:56 PM »
@Dim@rik,
Thanks for confirming that so quickly and extensively on the basis of the packer used
for this MS-DOS executable, MD5 hash e4aaa768f18614cf21a167eb5d9c4750.
Proof that DrWeb gets them is here, for another variant at another site:

Checking: -http://fdg45e.nl.ai/w.php?f=19
Engine version: 5.0.2.3300
Total virus-finding records: 2813715
File size: 279.50 KB
File MD5: f47f7bac078494261dbc349215b646de

-http://fdg45e.nl.ai/w.php?f=19 infected with BackDoor.Gbot.1589
There is no detection by other scanners here, for instance calc-exe: http://vscan.urlvoid.com/analysis/33e605d75e3499d023c11728761d26b5/Y2FsYy1leGU=/

@Pondus
That should mean that the site should be blacklisted, as Google does here
   
http://www.google.com/safebrowsing/diagnostic?site=http%3A//nanitos99132.co.cc/w.php%3Ff%3D155%26e%3D5

While Norton Safe Web has not even tested the site, Sucuri comes up with: "site blacklisted, malware" (according to the above-mentioned Unmasked Parasites report, that is; the malware is not identified and not specified, which is obvious with all the various malware executable variants of that specific malware being spread from there continuously).

polonus

« Last Edit: November 21, 2011, 11:53:12 PM by polonus »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Avast does not detect Trojan.Dropper/Gen-PHP aka Mal/FakeAV-IS here...
« Reply #5 on: November 22, 2011, 01:58:45 AM »
Hi Pondus,

Nice piece of big chunk malcode - see JS eval - of a site now taken down:
-http://urlquery.net/report.php?id=6699

polonus
« Last Edit: November 22, 2011, 02:01:28 AM by polonus »