another false positive?

See: http://app.webinspector.com/public/reports/22694060
See: https://www.virustotal.com/nl/url/452ed22a978e4a980c2840b3988c77f91c0f47c96caa83d3c41033211cbd0239/analysis/1403451273/
and https://www.virustotal.com/nl/file/68baf2a08c90275a6a2dea0cb51297724729a8ff48846491d1d896a0379f662b/analysis/1403388431/
Probably harmless executable. But again flagged here:
http://urlquery.net/report.php?id=1403451772227

pol

I find that Comodo’s SiteInspector generates quite a lot of FPs…
see http://app.webinspector.com/recent_detections

Ermm, No, I would say, fake Tech Support. That is a Teamviewer Logo. http://urlquery.net/report.php?id=1400197021490

That would support my conclusion! Same IP is a Russian Business Network!?!?

Steven: Still got a Win 7/8 VM?

Yes, I do have a few here.

Ah, this confirmed my hunch. It is fake, Polonus. I think the detection is legit.

https://malwr.com/analysis/NmYwYjQ3MzNhZWJlNGJhMTgzN2E5MGEwYzMxM2IyMGQ/

TEAMVIEWER!


C:\DOCUME~1\User\LOCALS~1\Temp\TeamViewer\Version6\TeamViewer_Service_2014-06-22-18-42-54.exe
C:\DOCUME~1\User\LOCALS~1\Temp\TeamViewer\Version6\TeamViewer_Desktop_2014-06-22-18-42-54.exe
C:\DOCUME~1\User\LOCALS~1\Temp\TeamViewer\Version6\tv_w32_2014-06-22-18-42-54.dll
C:\DOCUME~1\User\LOCALS~1\Temp\TeamViewer\Version6\tv_w32_2014-06-22-18-42-54.exe
C:\DOCUME~1\User\LOCALS~1\Temp\TeamViewer\Version6\tv_x64_2014-06-22-18-42-54.dll
C:\DOCUME~1\User\LOCALS~1\Temp\TeamViewer\Version6\tv_x64_2014-06-22-18-42-54.exe
C:\DOCUME~1\User\LOCALS~1\Temp\TeamViewer\Version6\Teamviewer_resource__2014-06-22-18-42-54.dll
C:\DOCUME~1\User\LOCALS~1\Temp\TeamViewer\Version6\Teamviewer_resource_*_2014-06-22-18-42-54.dll
C:\DOCUME~1\User\LOCALS~1\Temp\TeamViewer\Version6\logo_2014-06-22-18-42-54.bmp
C:\DOCUME~1\User\LOCALS~1\Temp\TeamViewer\Version6\teamviewer_2014-06-22-18-42-54.ini
C:\DOCUME~1\User\LOCALS~1\Temp\TeamViewer\Version6\install_2014-06-22-18-42-54.exe
C:\DOCUME~1\User\LOCALS~1\Temp\TeamViewer\Version6\install64_2014-06-22-18-42-54.exe
C:\DOCUME~1\User\LOCALS~1\Temp\TeamViewer\Version6\Lizenz_2014-06-22-18-42-54.txt
C:\DOCUME~1\User\LOCALS~1\Temp\TeamViewer\Version6\License_2014-06-22-18-42-54.txt
C:\DOCUME~1\User\LOCALS~1\Temp\TeamViewer\Version6\CopyRights_2014-06-22-18-42-54.txt
TeamViewer.ini
C:\DOCUME~1\User\LOCALS~1\Temp\TeamViewer\V

That’s just a sample!

Why is it collecting info, and fingerprinting systems?!?!

This, sadly, screams fake tech support into my face. More so with those pictures in the malwr.com look at it!

Steven, also just confirmed, Fake Support malware.

It's accessing a lot of files, folders and registry entries.

Will give an OTL and Process Monitor log soon.

OTL and the log from AppData>Roaming created by the malware: http://wikisend.com/download/583506/SupportEXE.7z

Nice, this looks weird indeed.

The subtle hints are that TeamViewer is on V9 and runs from Program Files.

Sweet, Martin! You are here! Thanks.

Other than that, the website IP is from an RBN IP. Obviously they have Fake Support everywhere. The file is named wrong. It should be Teamviewer_Setup_en.exe.

Anything else?

What is this Process?

PRC - [2014/02/22 16:51:02 | 000,066,624 | ---- | M] (Microsoft Corporation) – C:\Windows\System32\taskhostex.exe
PRC - [2014/06/22 16:10:59 | 001,330,936 | ---- | M] (Microsoft Corporation) – C:\Windows\SoftwareDistribution\Download\Install\AM_Delta.exe

taskhostex.exe is a legit Windows process (Host Process for Windows Tasks), not malicious.

AM_Delta, according to research, I believe is for Windows Defender.

Hi folks,

Indeed developed into a nice and interesting thread.
Thanks for all your contributions to the evaluation.
Just two more things to consider and weigh in the balance.
I also like these results from herdprotect to get a better overall diagnosis: http://www.herdprotect.com/support.exe-d54fed77c0c410248030b1620f96185f1779e245.aspx

And also we should count in the IP badness history:
https://www.virustotal.com/nl/ip-address/91.223.82.43/information/
and the downloads from there: http://support.clean-mx.com/clean-mx/viruses.php?as=AS51430&response=
According to these latter resources our “malcoded candidate” has been closed down now, or that is the recent and actual status of the executable.
So it is water under the bridge now or waiting for a re-launch of another instance, see
what was detected: http://www.threatexpert.com/reports.aspx
I am sure the next time around this one won’t slip through under the detection radar. ;D

polonus

I do think the file was missed by 68 AV’s because the file is signed by Teamviewer GmbH. Now that being said, the site should have been blocked. The history, RBN connections etc should have been an auto IP blacklist AND a site blacklist, which would prevent any type of download. It would also warn the user getting the fake help.

First submission 2012-12-15 09:48:41 UTC ( 1 year, 6 months ago )
https://www.virustotal.com/en/file/68baf2a08c90275a6a2dea0cb51297724729a8ff48846491d1d896a0379f662b/analysis/1403472616/
https://www.metascan-online.com/en/scanresult/file/6f0f4715b78c45da81c1ea3fa3443adb
http://virusscan.jotti.org/en/scanresult/a03cf2319ac0a572fde360aef43468fa257c8600

Copyright: TeamViewer GmbH
Publisher: TeamViewer
File version: 6.0.11656.0
Comments: TeamViewer Remote Control Application
Signature verification: Signed file, verified signature

Hi Pondus,

That may be true for the actual original harmless executable, not for the one that was scanned some 22 hours ago and now has been closed (see the clean mx data for the detection on
11 follow up this item(29823807) 29823807 first seen 2014-06-21 22:00:40 last seen 2014-06-22 up and active 00:14:18 for 2.2hrs. on → htxp://diagnostic55.com/support.exe

polonus

your scanned file MD5 d3278fa220fe187a58fcc91087c6b019
my scanned file MD5 d3278fa220fe187a58fcc91087c6b019

Anubis https://anubis.iseclab.org/?action=result&task_id=12f700e6db75ead340564234e4205213a

According to clean mx this is the VT file in question: https://www.virustotal.com/nl/file/68baf2a08c90275a6a2dea0cb51297724729a8ff48846491d1d896a0379f662b/analysis/
hash for file-7155795_exe = SHA256: 68baf2a08c90275a6a2dea0cb51297724729a8ff48846491d1d896a0379f662b

Can you copy that?

The safe virus viewer link: http://support.clean-mx.com/clean-mx/view_virusescontent.php?url=http%3A%2F%2Fdiagnostic55.com%2Fsupport.exe

polonus

Same MD5 and SHA-256 as the file I scanned and that you see in the Anubis check above.

File checked by Norman lab, and as expected (by me) it was clean:

----- Hi, Uploaded file is clean. No detection added.

Regards,

Files:
support.exe: Not Detected

-----

Pondus,

Not actual anymore anyway, but read this please: http://www.cisco.com/c/en/us/support/docs/csr/cisco-sr-20090115-md5.html
For the spoofing to succeed one needs access to two files: the original with the certificate and the altered one.

polonus
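The thread settles the question by comparing MD5 and SHA-256 values quoted from several scanners, and polonus's last post notes that an MD5 match alone can be spoofed. The following script is an added example, not code from the thread or from any of the services named in it; it cross-checks a local sample against hashes copied from multiple reports and treats an MD5-only match as inconclusive. The sample bytes and the report dictionaries are constructed for the demonstration.

```python
"""Cross-check one sample's hashes against values quoted in several scanner reports.

Added example (not from the thread). Reports often quote only one digest, and an
MD5 agreement by itself is not proof of identical bytes (MD5 collisions are
practical, as the linked Cisco advisory explains), so SHA-256 must agree as well
before two reports are treated as describing the same file.
"""
import hashlib

# Constructed stand-in for the downloaded file; NOT the real support.exe.
SAMPLE = b"constructed sample bytes standing in for support.exe"


def hash_bytes(data: bytes) -> dict:
    """Return both digests so that a report quoting either one can be checked."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def classify(local: dict, reports: dict) -> dict:
    """Compare local digests with {source: {"md5": ..., "sha256": ...}} entries.

    Verdicts per source:
      same-file     SHA-256 agrees (MD5, if quoted, agrees too)
      md5-only      only MD5 was quoted and it matches: inconclusive, ask for SHA-256
      md5-collision MD5 matches but a quoted SHA-256 differs: treat as a different file
      mismatch      nothing matches
      no-data       the report quoted no usable hash
    """
    verdicts = {}
    for source, quoted in reports.items():
        md5 = quoted.get("md5", "").strip().lower()
        sha = quoted.get("sha256", "").strip().lower()
        if not md5 and not sha:
            verdicts[source] = "no-data"
        elif sha and sha == local["sha256"] and (not md5 or md5 == local["md5"]):
            verdicts[source] = "same-file"
        elif md5 == local["md5"] and sha:
            verdicts[source] = "md5-collision"
        elif md5 == local["md5"]:
            verdicts[source] = "md5-only"
        else:
            verdicts[source] = "mismatch"
    return verdicts


def conclusive_match(verdicts: dict) -> bool:
    """True only if at least one report pins the exact bytes and none contradicts it."""
    return "same-file" in verdicts.values() and "md5-collision" not in verdicts.values()
```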