2 Viruses Undetected by Avast (up to date) Mar-23

The following file “D2NT Manager.exe” contained in the zip/d2nt/ archive or folder bypasses all scans from Avast. But after opening the exe, avast was unable to stop everything.

After opening in windows 7 64 ultimate (double clicked with UAC OFF), avast prompted and said it stopped vbs or something like that. My theme changed to classic (or something like it). I pulled my ethernet. I tried scanning the exe, and avast said something like it was too busy to scan.

So I scheduled a boot time scan of the C drive, but it wouldn't let me reboot. So I force rebooted after ctrl alt del failed with a black screen. Booted into safe mode, restarted, boot scan started, it found the following:

…Users\Owner\AppData\Roaming\trz9DE7.tmp / High / Threat: Win32:rebhip-B trj DELETE Action successful

…users\Onwer\AppData\Local\Temp\trzA74A.tmp / High / Threat: MSIL:Tiny-C trj DELETE Action Successful

SnapShot:

http://i55.tinypic.com/2jc7q0i.png

Everything seems to be fine now, I haven't noticed any weird processes and have no reason to believe it's still there. I ran ccleaner and checked the registry.

Below are the links to the youtube video, and then the actual link to the zip folder that contains the trj from mediafire.

http://www.youtube.com/watch?v=Q8vm2ht31Mw&playnext=1&list=PL17B3B9014726BE36

http://www.mediafire.com/?mbk0d8ea04kaphc

He has more videos with more files that come up clean and do naughty things, please let me know if I should be worried!

Specs:

Running Windows 7 Ult 64 bit (UAC off and firewall restricted)
SP1 (up to date)
iMac Intel bootcamp 64

UPDATE: I have taken the following steps:

Avast boottime scan - 2 infected temp files deleted

CCleaner - Temp / Registry - clean

MalwareBytes - Full / Quick - clean

Should I have any reason to believe I am still infected?

Why was avast unable to detect the dropper (exe) compared to Nod32 - malwarebytes. AND YET still be able to detect and delete the trjns dropped by that exe?

Do you guys think this kid “inJJWeTrust” was capable of pkging at this lvl?
BTW, heres his real name: Kyle Sanger - first on facebook, “admin” of InJJWeTrust facebook - pwnd

D2NT Manager.exe - 2/42
http://www.virustotal.com/file-scan/report.html?id=518eef2522ff19687149a867e606ef3fa753ebb0b5167ac5aa0bbcc81984f4d3-1300965377

Norman analysis: processed - MSIL/Injector.AB

Check your computer for malware with this

Malwarebytes Anti-Malware 1.50.1 http://filehippo.com/download_malwarebytes_anti_malware/
Always Update so you have latest database before you scan
Click the remove selected button to quarantine anything found

You may post the scan log here if anything is found

Hi Pondus,

See the analysis performed here: http://wepawet.iseclab.org/view.php?hash=f8e64ffcdeb54f250904b7f3a46a368a&t=1300998816&type=js

polonus

Thanks guys! Ya, I never use those web based scanners ;)… I usually never download anything that is worthy of a manual scan either :wink:

I stated in my email to virus@avast.com that my definitions were up to date before and after, and both scans failed to flag it. The boot time scan has always been my hero, and I'm glad to notice that it now supports 64 bit 7 ;D yay! You don't know how many times I've worked with someone's laptop and they had 64 bit and I was like, shoot, no boot time scan ;D…

Obviously according to the web scan, it was only detectable by nod32 and Ikarus (or whatever). Side note: I chose nod32 for my mockup in CNS! So hopefully this will become detectable very soon, I kept the rar so I am waiting on avast ;D

The reason I posted this over any other is that this virus hit kinda hard, really fast. I knew what to do, but if I were an end user, I would not even know where to start!

This is the first time I have ever opened a file with avast running and had any issues! Been a user (enthusiast) since 4.0!

THANKS AGAIN GUYS!

I’m curious as to why the boot time scan detected the problems but the regular scanning didn’t. Don’t both use the same signature base?

'Tis a bit iffy as it would not run on my VM

EDIT: The only thing that avast couldn't flag, whether it was boottime or not, was the actual EXE. I'm sure both scans would find the 2 temps that were caused after the exe was run.

Well, I would not know, but I can guess it is the actual EXE that injects the trj to temp; the exe does not necessarily have the same build as the trj left behind after the exe has already run.

So please correct me if I'm wrong, but the actual EXEs can pass scans but the damage left behind can still be fixed / detected by the same definitions as the scan?

If so, nod32 was able to detect that “sig” before the damage was done, and avast was not. Could the reason be the way the virus was packaged? like a method that avast is not aware of (that nod32 is)?

It made me think, which ability is more important, the ability to flag exes before they do dmg, or the ability to correct / detect the aftermath. Because obviously, it found the temp files infected and they were caused by the exe.

As for it not running in VM, your own VM? Or that feature from avast where it isolates the exe and runs it in the cloud (or whatever)? Is this a practicable way of “testing” exes? Does it not running in a VM cause you concern?

I forgot to mention my exact specs:

Running Windows 7 Ult 64 bit (UAC off and firewall restricted)
SP1 (up to date)
iMac Intel bootcamp 64

UPDATE:

As I said before, I have no reason to believe I am still infected… BUT after the boottime scan from avast found those 2 temps, it claimed to delete them. I ran 1 quick scan with malwarebytes and found nothing. The full scan did find some false positives :wink: but other than that I think I'm clean, I will post any logs if I find anything else!

Or you may want Essexboy to have a look inside ?

Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
(post the logs here in this topic and not in the guide)

To avoid using multiple posts with copy and paste, you have to attach the logs
Lower left corner: Additional Options > Attach ( OTS log )

EDIT: I just realized essexboy was the one who commented earlier saying it was iffy because he couldn't load it in a VM, please let me know what this could mean!

I will do my best to not double post, but I will reply to each individually as I have problems doing multi/quotes/responses.

Essexboy? I will check it out, I googled it… lolz, not the same I'm sure

EDIT: LOLZ its his name, #fail

Sorry for the double posts, I hear you're the malware guru, please let me know what you think of this exe.

Could it not running in VM mean something? Maybe the same reason why the way it was pkged it could not be detected by avast?

Should I take any other steps to ensure my computer is clean? So far I have done the following:

Ran Boottime scan avast, found the 2 temps listed above.

Ran CCleaner, registry and temp

Checked bootup registry (not too familiar with this)

Ran MalwareBytes Full and Quick scan - both came up clean (minus the actual exe)

My next steps are to run boottime scan again (just in case) and then use hijackthis to dive into my registry!

Please let me know if you think this trjn could have leaked any of my info (network wise), or if i could still be infected!

.....or if i could still be infected!.....
That is why you should follow the guide I posted above and post the OTS log so Essexboy can see, and not hijackthis

I understand, but he already commented and said he couldn't run it in a VM, so I'm sure he is aware of it. Will my OTS differ from his? OK OK I will go back to the thread and see if I missed something…

I understand, but he already commented, and said he couldnt run it in vm,
He tried running the "D2NT Manager.exe" file
Will my ots differ from his?
He can't see if your computer is infected by running OTS on his ???

Sorry for my misunderstanding, but Malwarebytes did not find anything, would my log still be of use? Sorry for being such a noob!

Generally malware will detect a VM system and close down or just fail to run… I am running XP within my win7 system

so… generally you say malware is “iffy” then right? :wink:

I'm just trying to see if there is something special about this one that could drop some extra temps that scanners couldn't detect.

UPDATE: Avast just updated definitions and was able to recognize the d2nt manager.exe file within the zip/rar and while extracting… That was fast team! I hope it was my email to Virus@avast.com and not the forum :wink:

Maybe we could get some light shed as to why the scanner was able to delete the dropped trj but not the actual dropper (exe) before?

NOTE: they didn't even bother to reply to my email ;( I am gonna run the boot scanner 1 more time with the new defs just in case it's able to catch something new

Maybe we could get some light shed as to why the scanner was able to delete the dropped trj but not the actual dropper (exe) before?
Well, if someone like you found these dropped files suspicious, tested them at VirusTotal and, if they were detected there, sent them to avast! ?
NOTE: they didnt even bother to reply to my email
They usually dont answer.....
i am gunna run boot scanner 1 more time with new def just in case its able to catch something new
As suggested before, you still have the option of running OTS, posting the log and letting Essexboy have a look inside

The problem with the droppers is that they vary by the day - or even hour. It is when they unpack that Avast gets a handle on the main files
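The point made in the last reply (droppers are repacked constantly, so a scanner only gets a reliable handle on the payload once it is unpacked) and the earlier question of why the dropped temp files were caught while the dropper was not, as an added illustration that is not part of the thread and not avast's code. It uses a constructed toy payload, a toy XOR "packer" standing in for a real packer, and a constructed content signature; the names `pack`, `unpack`, `pattern_scan` and `simulate` are mine. It shows three things from the defender's side: a content signature on the unpacked payload fires on every dropped file regardless of how the dropper was packed; the same signature never fires on the packed dropper; and submitting one dropper sample only blocks that exact build, since every repack changes the hash.

```python
import hashlib
import random

# Constructed toy "payload": stands in for the trojan a dropper writes to a temp folder.
# It is not malware; the bytes are just a recognisable marker string.
PAYLOAD = b"TOY-PAYLOAD: write %APPDATA%\\trz.tmp then execute it"

# A content signature over the unpacked payload, the kind of pattern that fires on the
# dropped temp files. Constructed for this demo, not a real vendor signature.
PAYLOAD_SIGNATURE = b"write %APPDATA%\\trz.tmp"

STUB = b"TOYSTUB:"  # constructed marker standing in for the dropper's unpack stub


def pack(payload: bytes, key: bytes) -> bytes:
    """Toy packer: XOR the payload with `key` and prepend a stub plus the key.

    A fresh key produces a byte-for-byte different dropper, which is what
    "droppers vary by the day" means for a hash- or pattern-based scanner.
    """
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))
    return STUB + bytes([len(key)]) + key + body


def unpack(dropper: bytes) -> bytes:
    """Undo pack(): what the dropper does in memory before writing the payload to disk,
    and what an emulator or unpacker does before scanning."""
    if not dropper.startswith(STUB):
        raise ValueError("not a toy dropper")
    off = len(STUB)
    klen = dropper[off]
    key = dropper[off + 1:off + 1 + klen]
    body = dropper[off + 1 + klen:]
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(body))


def pattern_scan(data: bytes, signatures) -> bool:
    """Static content scan: does any signature occur verbatim in the bytes?"""
    return any(sig in data for sig in signatures)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_key(seed: int, length: int = 8) -> bytes:
    """Deterministic non-zero key per 'day' so the demo is reproducible (constructed)."""
    rng = random.Random(seed)
    return bytes(rng.randrange(1, 256) for _ in range(length))


def simulate(days: int = 3) -> list:
    """Repack the same payload once per 'day' and scan both the dropper and the dropped file.

    The day-0 build is treated as the sample that was submitted to the vendor, so its
    hash is on a blocklist; later builds show what that submission does and does not buy.
    """
    submitted_sample = pack(PAYLOAD, make_key(seed=0))
    hash_blocklist = {sha256(submitted_sample)}

    results = []
    for day in range(days):
        dropper = pack(PAYLOAD, make_key(seed=day))
        dropped_file = unpack(dropper)  # what lands in %APPDATA%\...\trz*.tmp
        results.append({
            "day": day,
            "dropper_sha256": sha256(dropper),
            # hash blocklist: only the exact submitted build is known
            "dropper_hash_known": sha256(dropper) in hash_blocklist,
            # content signature on the still-packed dropper: never matches
            "dropper_pattern_hit": pattern_scan(dropper, [PAYLOAD_SIGNATURE]),
            # content signature on the unpacked drop: matches every day
            "dropped_file_pattern_hit": pattern_scan(dropped_file, [PAYLOAD_SIGNATURE]),
        })
    return results


if __name__ == "__main__":
    for r in simulate():
        print(r)
```

Running it prints one row per day: `dropped_file_pattern_hit` is True on every row, `dropper_pattern_hit` is False on every row, and `dropper_hash_known` is True only for day 0. That is the asymmetry the thread observed: the boot-time scan could delete the two temp files because their content matched a signature, while the freshly packed dropper matched nothing until a definition for that specific build arrived.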