Author Topic: Is this undetected malware? [SOLVED] (Read 2527 times)

polonus · « **on:** November 30, 2011, 01:44:00 PM »

Hi forum friends,

See this scan, which is clean: http://vscan.urlvoid.com/analysis/1db64dd315f015a05f964a95e6f1f0f8/bXVsdGktYXYtZXhl/
Given as goodware here: http://www.virustotal.com/file-scan/report.html?id=60fe2cf9d4f9af947f07b3b25bc8f1219af7bc5a141368c03de5d224dca0a0da-1322638534
Given as undetected here: http://camas.comodo.com/cgi-bin/submit?file=60fe2cf9d4f9af947f07b3b25bc8f1219af7bc5a141368c03de5d224dca0a0da
See Anubis analysis here: http://anubis.iseclab.org/?action=result&task_id=1d967eef0778e8b341d9360f371646cd
0n Anubis analysis we find a unnamed file 0x00120028 Performs File Modification and Destruction - WDUF49AN\readme[1].exe typical for Zeus...

polonus

Milos · « **Reply #1 on:** November 30, 2011, 03:50:03 PM »

Hello,
the link to Anubis page doesn't work. I didn't observe the described behavior:

Quote

0n Anubis analysis we find a unnamed file 0x00120028 Performs File Modification and Destruction - WDUF49AN\readme[1].exe typical for Zeus...

It just unpacks files and opens some pdf help file.

Milos

polonus · « **Reply #2 on:** November 30, 2011, 05:48:11 PM »

The Anubis analysis is here: http://anubis.iseclab.org/?action=result&task_id=19afc46e44e047ee4719cd04f8228a636
The unknown executable comes from: -http://pctipp.ch/ds/28400/28470/Multi_AV.exe
date 2011-11-30 00:00:29

po;onus

Pondus · « **Reply #3 on:** November 30, 2011, 09:31:32 PM »

ThreatExpert - Multi_AV.exe
http://www.threatexpert.com/report.aspx?md5=1db64dd315f015a05f964a95e6f1f0f8

polonus · « **Reply #4 on:** November 30, 2011, 10:05:05 PM »

Hi Pondus,

Thank you for diving into this. I also found this scan with the MD5 hash of it: http://f.virscan.org/EUC.EXE.html
Here the same link to it is given: http://www.wilderssecurity.com/showthread.php?t=286907
When I analyze with jsunpack I stumble upon this: -qs.wemfbox.ch/?1
See: -http://qs.wemfbox.ch/?microsof//CP//MSNDECH/home found via: http://www.malware-control.com/statics-pages/09109bb7ec2ebe5a81c422c0a440320e.php

And more here: -www.pctipp.ch/js/domtab.js suspicious
[suspicious:2] (ipaddr:212.98.39.7) (script) -www.pctipp.ch/js/domtab.js
status: (referer=-www.pctipp.ch/downloads/sicherheit/35905/tool.html)saved 9299 bytes 3b8a1b4bf4fa89147a4d63c5a439344fc5a1e66f
info: [decodingLevel=0] found JavaScript
suspicious: maxruntime exceeded 10 seconds (incomplete) 0 bytes

polonus

Pondus · « **Reply #5 on:** December 01, 2011, 01:46:52 PM »

Norman lab

Quote

Multi_AV.exe : Clean!

polonus · « **Reply #6 on:** December 01, 2011, 04:41:42 PM »

Hi Pondus,

Thanks, so we can reach the conclusion that this is goodware,

polonus

Author Topic: Is this undetected malware? [SOLVED] (Read 2527 times)

polonus

Is this undetected malware? [SOLVED]

Milos

Re: Is this undetected malware?

polonus

Re: Is this undetected malware?

Pondus

Re: Is this undetected malware?

polonus

Re: Is this undetected malware?

Pondus

Re: Is this undetected malware?

polonus

Re: Is this undetected malware? [SOLVED]