1.ex-, a generic trojan detection not detected by avast

Hi forum friends,

See: http://www.virustotal.com/url-scan/report.html?id=0fa131edd1dcdf89b93bbb4f6fbb6a4e-1322930372
and the additional file scan:
http://www.virustotal.com/file-scan/report.html?id=19bc66610a719563c48ba0159b8b2268212a1d9b1bc1d3fd358b5ab8d31852c9-1322933995
See: http://anubis.iseclab.org/?action=result&task_id=158d2b7cfd226e094f1ecefc3f0c43fc5
See: http://vscan.urlvoid.com/file/8abc7bdfe58ce297a92506221c1f20fc/MS1leGU=/

polonus

P.S. An earlier variant with the name 1.exe from that site avast detected as: Win32:FakeAlert-BNK [Trj]
see: http://www.virustotal.com/latest-report.html?resource=18f3f93ce3bf474b09d42d9802ebf776
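The links in the post above identify the sample by hash rather than by hosting the file, which is the safe way to pass a malicious executable around a thread. As an added example (not part of polonus' post or of any of the scanners' code), the following Python helpers do the offline side of that: hash a sample in memory, split a VirusTotal-style report id into digest, algorithm and scan time, and recover the MD5 and the submitted file name from a URLVoid file-scan link. The report-id and URL layouts are read off the links quoted in the thread and are assumptions about those 2011-era services, not a documented API; the bytes hashed in the demo are a constructed stand-in, since the real 1.exe is not on the page.

```python
"""Offline hash-triage helpers (constructed example, not from the thread).

Nothing here contacts VirusTotal, URLVoid or any other service. The URL and
report-id layouts are inferred from the links quoted in the thread and are an
assumption about those services, not a documented API.
"""
import base64
import hashlib
import re
from datetime import datetime, timezone

# Digest length (hex chars) -> algorithm, used to classify an unknown hash.
HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}

# Assumed VirusTotal report id shape: "<hexdigest>-<unix timestamp>".
VT_ID_RE = re.compile(
    r"^([0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})-(\d{9,10})$"
)

# Assumed URLVoid file-scan path shape: "/file/<md5>/<base64 of submitted name>/".
URLVOID_RE = re.compile(r"/file/([0-9a-fA-F]{32})/([A-Za-z0-9+/=]+)/?$")


def hash_sample(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of a sample held in memory.

    The digests, not the binary, are what you paste into a lookup or a forum
    post; readers can then search by hash without anyone re-hosting malware.
    """
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def parse_vt_id(report_id: str) -> dict:
    """Split a VirusTotal report id into digest, algorithm and scan time (UTC)."""
    m = VT_ID_RE.match(report_id)
    if not m:
        raise ValueError(f"not a VirusTotal report id: {report_id!r}")
    digest, ts = m.group(1).lower(), int(m.group(2))
    return {
        "digest": digest,
        "algo": HASH_ALGOS[len(digest)],
        "scanned_at": datetime.fromtimestamp(ts, tz=timezone.utc),
    }


def parse_urlvoid_path(url: str) -> dict:
    """Recover the MD5 and the submitted file name from a URLVoid file-scan URL."""
    m = URLVOID_RE.search(url)
    if not m:
        raise ValueError(f"not a URLVoid file-scan URL: {url!r}")
    name = base64.b64decode(m.group(2)).decode("utf-8", errors="replace")
    return {"md5": m.group(1).lower(), "submitted_name": name}


def lookup_refs(data: bytes) -> dict:
    """Hashes plus hash-based lookup references for a sample, without uploading it.

    Hypothetical helper: the two URL patterns are copied from links in the thread
    (VirusTotal's latest-report takes an MD5 as 'resource'; URLVoid keys on MD5).
    """
    h = hash_sample(data)
    return {
        **h,
        "virustotal": f"http://www.virustotal.com/latest-report.html?resource={h['md5']}",
        "urlvoid": f"http://vscan.urlvoid.com/file/{h['md5']}/",
    }


if __name__ == "__main__":
    # Identifiers copied from the thread's links; the file itself is not on the page,
    # so the bytes hashed below are a constructed stand-in, not the real 1.exe.
    vt = parse_vt_id(
        "19bc66610a719563c48ba0159b8b2268212a1d9b1bc1d3fd358b5ab8d31852c9-1322933995"
    )
    print(vt["algo"], vt["scanned_at"].isoformat())
    print(parse_urlvoid_path(
        "http://vscan.urlvoid.com/file/8abc7bdfe58ce297a92506221c1f20fc/MS1leGU=/"
    ))
    print(lookup_refs(b"constructed stand-in sample, not the real 1.exe\n"))
```

Run as-is to see that the VirusTotal file-scan id carries a SHA-256 and a scan time of 2011-12-03 17:39:55 UTC (consistent with the 21:42 GMT+1 URLVoid report later in the thread), and that the base64 segment of the URLVoid link decodes to the name the sample was submitted under.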

D

Report 2011-12-03 21:42:41 (GMT 1)
Website solarelectricinstaller.com
Domain Hash 8827f41357ad51abc94f7a90c12e1d01
IP Address 50.22.91.2 [SCAN]
IP Hostname taro.websitewelcome.com
IP Country – (–)
AS Number 36351
AS Name SOFTLAYER - SoftLayer Technologies Inc.
Detections 10 / 23 (43 %)
Status DANGEROUS

http://amada.abuse.ch/?search=solarelectricinstaller.com
http://malc0de.com/database/index.php?search=solarelectricinstaller.com
http://www.malwaredomainlist.com/mdl.php?search=solarelectricinstaller.com
http://www.mywot.com/en/scorecard/solarelectricinstaller.com
http://www.malwareblacklist.com/searchClearingHouse.php?search=solarelectricinstaller.com

Report 2011-12-03 22:38:54 (GMT 1)
IP Address 50.22.91.2
IP Hostname taro.websitewelcome.com
IP Country –
AS Number N/A
AS Name N/A
Detections 5 / 26 (19 %)
Status DANGEROUS

http://cbl.abuseat.org/lookup.cgi?ip=50.22.91.2
http://www.malwaredomainlist.com/mdl.php?search=50.22.91.2
http://www.mywot.com/en/scorecard/50.22.91.2
http://www.spamhaus.org/query/bl?ip=50.22.91.2

Web server details
Scan for: hxxp://solarelectricinstaller.com/Gallery-Images/1.exe
Hostname: solarelectricinstaller.com
IP address: 50.22.91.2

System Details:
Running on: Apache
System info: mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635

Blacklist status
Domain blacklisted on the Opera browser (via AVG): solarelectricinstaller.com

Sucuri
web site: hxxp://solarelectricinstaller.com/Gallery-Images/1.exe
status: Site blacklisted, malware not identified
web trust: Site blacklisted.

Security report (Site blacklisted):
Blacklisted: Yes

avast blocks it via the network shield. (Oddly, while it alerted on the Malzilla attempt at getting it, it didn’t stop it…)

Sent to avast.

Hi spg SCOTT,

Thanks for giving the actual shield protection status, and thanks for sending this unknown executable to virus AT avast dot com.

That site has been spreading malware under names like sultan.ex- (dead), face.ex- (dead), x.ex-, sp.ex-, dd.ex-, detected as Trojan.Generic.KDV.433454, Trojan:Win32/Comame, TR/Danmec.L, DDOS/Dofoil.A.5, W32/FakeAV.OZ!tr (all live). Shield protection against this site is vital.

polonus

+1