Another malware missed...

Another malware missed :cry:

Complete scanning result processed in VirusTotal at 09/30/2007 01:32:58 (CET).

[ file data ]

  • md5.: df7bf02d90bc7e2df42f2c05f12a6385
  • sha1: ff47920add8fce09630b37cc18164ffc96931c65

[ scan result ]
AhnLab-V3 2007.9.29.0/20070928 found nothing
AntiVir 7.6.0.18/20070928 found [BDS/Bifrose.NU]
Authentium 4.93.8/20070929 found nothing
Avast 4.7.1043.0/20070929 found nothing
AVG 7.5.0.488/20070930 found [Downloader.Generic6.HLQ]
BitDefender 7.2/20070930 found [Win32.Bagle.SSQ@mm]
CAT-QuickHeal 9.00/20070929 found [trojanDownloader.Bagle.eb]
ClamAV 0.91.2/20070930 found [trojan.Pakes-248]
DrWeb 4.33/20070929 found [Win32.HLLM.Beagle.45129]
eSafe 7.0.15.0/20070929 found nothing
eTrust-Vet 31.2.5169/20070927 found [Win32/Higlieder.AQ]
Ewido 4.0/20070929 found nothing
F-Prot 4.3.2.48/20070929 found nothing
F-Secure 6.70.13030.0/20070929 found [trojan-Downloader.Win32.Bagle.eb]
FileAdvisor 1/20070930 found nothing
Fortinet 3.11.0.0/20070929 found [W32/Bagle.EB!tr.dldr]
Ikarus T3.1.1.12/20070929 found [Backdoor.VB.EV]
Kaspersky 7.0.0.125/20070930 found [trojan-Downloader.Win32.Bagle.eb]
McAfee 5130/20070928 found [W32/Bagle.gen]
Microsoft 1.2803/20070930 found [trojanDownloader:Win32/Bagle.OD]
NOD32v2 2559/20070929 found [Win32/Bagle.JU]
Norman 5.80.02/20070928 found [W32/Mitglied.AKH]
Panda 9.0.0.4/20070929 found [trj/Mitglieder.PU]
Prevx1 V2/20070930 found [Heuristic: Suspicious Self Modifying EXE]
Rising 19.42.50.00/20070929 found [trojan.DL.Win32.Bagle.eb]
Sophos 4.21.0/20070929 found nothing
Sunbelt 2.2.907.0/20070928 found [VIPRE.Suspicious]
Symantec 10/20070929 found nothing
TheHacker 6.2.6.073/20070928 found [trojan/Downloader.Bagle.eb]
VBA32 3.12.2.4/20070929 found nothing
VirusBuster 4.3.26:9/20070929 found [trojan.DL.Bagle.OT]
Webwasher-Gateway 6.0.1/20070928 found [trojan.Bifrose.NU]

File sent by Chest.

Symptoms of missed detection:

  1. The presence C:\WINDOWS\exefld\ folder (from Win32.Agent.bgy)
  2. Disabled avast services.
  3. Disabled Windows Update, Windows Defender, Windows Security Center, Windows Firewall.
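The scan result above is the 2007 plain-text VirusTotal format, one engine per line. As an added example (not part of the original post, and not VirusTotal's or avast's code), the following Python parses that format, counts how many engines flagged the sample, lists the engines that missed it, and folds the vendor names into families. The alias table (Beagle/Mitglied/Mitglieder as vendor names for Bagle) and the name `SAMPLE_REPORT`, which is a constructed subset of the lines quoted in this thread, are assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample: a subset of the report lines quoted in this thread,
# in the 2007 format "<engine> <version>/<sigdate> found [<name>]" or "found nothing".
SAMPLE_REPORT = """\
AhnLab-V3 2007.9.29.0/20070928 found nothing
AntiVir 7.6.0.18/20070928 found [BDS/Bifrose.NU]
AVG 7.5.0.488/20070930 found [Downloader.Generic6.HLQ]
BitDefender 7.2/20070930 found [Win32.Bagle.SSQ@mm]
DrWeb 4.33/20070929 found [Win32.HLLM.Beagle.45129]
Kaspersky 7.0.0.125/20070930 found [trojan-Downloader.Win32.Bagle.eb]
Norman 5.80.02/20070928 found [W32/Mitglied.AKH]
Panda 9.0.0.4/20070929 found [trj/Mitglieder.PU]
Prevx1 V2/20070930 found [Heuristic: Suspicious Self Modifying EXE]
Sophos 4.21.0/20070929 found nothing
"""

# One result line: engine, engine version, signature date, optional detection name.
LINE_RE = re.compile(
    r"^(?P<engine>\S+) (?P<version>\S+)/(?P<sigdate>\d{8}) found "
    r"(?:nothing|\[(?P<name>.+)\])$"
)

# Assumed alias table: tokens that different vendors use for the same family.
FAMILY_ALIASES = {
    "bagle": "Bagle", "beagle": "Bagle",
    "mitglied": "Bagle", "mitglieder": "Bagle",
    "bifrose": "Bifrose",
}


def parse_report(text):
    """Return one dict per engine line; header/footer lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rows.append({
            "engine": m.group("engine"),
            "version": m.group("version"),
            "sigdate": m.group("sigdate"),
            "name": m.group("name"),  # None when the engine found nothing
        })
    return rows


def family_of(name):
    """Map a vendor detection name to a family via the alias table."""
    if name is None:
        return None
    for token in re.split(r"[^A-Za-z0-9]+", name.lower()):
        if token in FAMILY_ALIASES:
            return FAMILY_ALIASES[token]
    return "other/generic"


def summarize(rows):
    """Detection ratio, family vote and the list of engines that missed."""
    detected = [r for r in rows if r["name"]]
    return {
        "engines": len(rows),
        "detections": len(detected),
        "families": Counter(family_of(r["name"]) for r in detected),
        "missed": sorted(r["engine"] for r in rows if not r["name"]),
    }


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    print(f"{summary['detections']}/{summary['engines']} engines detected the file")
    print("family vote:", dict(summary["families"]))
    print("missed by:", ", ".join(summary["missed"]))
```

The family vote is what makes a report like this readable: five of the eight detections above are the same Bagle downloader under four different names, and a single "Bifrose" or generic heuristic name does not contradict that.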

Tech, you had this (or similar) a few months ago

http://forum.avast.com/index.php?topic=28374.0

Are you sure you really ever got rid of it?

How did it manage to get into your Windows folder? I thought Windows Vista ran under UAC/limited user (or is this an XP OS), which should block writing to the Windows or system folders?

Or, if XP, what happened to DMR?

Yes. This is another computer. That on XP, this on Vista.

It uses another ‘display’ to call the UAC. I’ve allowed it… Blame it on me. That’s when avast fails and we can’t stay just with it. AVGas, a-squared, SuperAntispyware failed too. Only SpywareTerminator with on-demand virus scanning (ClamWin) detected it. Spybot detected the folder after the files were removed by ST.

Wow… it’s being detected by avast! 000777-4 from today’s VPS update.

The biggest problem with new Beagles is that they are packed with Themida… of course we want to make some generic detection for the new modifications, but it is almost impossible in this case (until we make a Themida unpacker, if it is possible) :-..

Isn’t it the case for a heuristic module? Isn’t it the limit of generic signatures when compared to heuristics?

But what do you want to heuristically detect on Themida from outside? It’s a legal protection system with some licensing features… if there’s a way to unpack it, then we’ll do it and analyze the underlying data…

So, how do some antivirus detect it through heuristics?

I don’t know… I must analyze the packer, because it keeps some data in the first section and these data are maybe related to the original file content… but I have a few other things to do now… Themida is in the queue, I’ll look at it probably next week…

Anything in specific ?? ;D

Al968