My avast 6 doesn't detect this file, but when I upload it at virustotal.com Avast 5 detects it. ???
Try turning on PUP and scan again…what is the result then ?
The same. Not detected.
I was playing with some samples and I found that some malware samples are detected by Avast 5, but not by Avast 6. Shouldn't they have the same engine?
Here is the file
hxxp://www.2shared.com/file/bPaZqG6d/Trial_Reset.html
Kill your link above: >>> replace anything in it so that it can't be launched from here.
Avira analysis
The file 'Trial Reset.exe' has been determined to be 'DAMAGED FILE (UNKNOWN)'. In particular this means that this file is damaged and not working properly. We could not find any malicious content. However the heuristic detection module may still detect this particular file even though it is damaged. In that case we will not adjust and remove detection for this damaged file.
I guess that explains it…
NORMAN sandbox
Trial Reset.exe : Not detected by Sandbox (Signature: W32/Suspicious_Gen2)
[ DetectionInfo ]
* Filename: C:\analyzer\scan\Trial Reset.exe.
* Sandbox name: NO_MALWARE
* Signature name: W32/Suspicious_Gen2.ERLUN.
* Compressed: YES.
* TLS hooks: NO.
* Executable type: Application.
* Executable file structure: OK.
* Filetype: PE_I386.
[ General information ]
* Decompressing UPX3.
* File length: 510186 bytes.
* MD5 hash: 782c0b7a148bc388de80fd4141b8e1cf.
* SHA1 hash: 8075f12ef7b1e4c0612eeb908c192e8da51c60e1.
* Packer detection: UPX 2.90 LMA.
[ Changes to registry ]
* Accesses Registry key “HKCU\Control Panel\Mouse”.
* Accesses Registry key “HKCU\Software\AutoIt v3\AutoIt”.
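An added example, not from this thread or from any of the tools quoted above: a small Python triage script that reproduces the parts of the Norman report you can check offline yourself, namely the MD5/SHA1 of the file, the PE section names (UPX leaves UPX0/UPX1 in the section table) and a whole-file entropy figure as a rough "Compressed: YES" indicator. The 7.0 bits/byte cut-off and the minimal PE that `build_minimal_pe` constructs are assumptions for the demo, not facts about the Trial Reset sample.

```python
import hashlib
import math
import struct
from collections import Counter

# Section names the UPX packer writes into the PE section table.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", "UPX!"}
# Assumed cut-off: compressed or encrypted data sits close to 8 bits/byte.
HIGH_ENTROPY = 7.0


def file_hashes(data):
    """MD5 and SHA1 of the whole file, as the sandbox report lists them."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


def shannon_entropy(data):
    """Bits of entropy per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_section_names(data):
    """Walk DOS header -> PE signature -> COFF header -> section table
    and return the section names in file order."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_opt
    names = []
    for i in range(n_sections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes; the name is the first 8
        raw = data[off:off + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def packer_hints(section_names, entropy):
    """Cheap static indicators that the file is packed; not a verdict."""
    hints = []
    if any(n in UPX_SECTION_NAMES for n in section_names):
        hints.append("UPX section names")
    if entropy >= HIGH_ENTROPY:
        hints.append("high entropy (%.2f bits/byte)" % entropy)
    return hints


def triage(data):
    """Hashes, section names, entropy and packer hints for one file."""
    sections = pe_section_names(data)
    entropy = shannon_entropy(data)
    report = file_hashes(data)
    report.update(sections=sections, entropy=entropy,
                  packer_hints=packer_hints(sections, entropy))
    return report


def build_minimal_pe(section_names, machine=0x14C):
    """Constructed fixture, not a real sample: just enough DOS/PE/COFF header
    and section table for pe_section_names() to parse."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)        # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)       # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", machine, len(section_names), 0, 0, 0, 0, 0x0102)
    table = b"".join(name.encode().ljust(8, b"\0") + b"\0" * 32 for name in section_names)
    return bytes(dos) + b"PE\0\0" + coff + table


if __name__ == "__main__":
    # Usage: python triage.py sample.exe   (falls back to the constructed fixture)
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_minimal_pe(["UPX0", "UPX1", ".rsrc"])
    for key, value in triage(data).items():
        print("%-13s %s" % (key + ":", value))
```

The hashes let you match a local file against the MD5/SHA1 in a sandbox or VirusTotal report before trusting that you are even looking at the same sample; the section names and entropy only say "packed", which, as the Avira and Online Armor replies in this thread show, is often what the heuristic is really reacting to.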
Hi lastsamurai & Pondus,
Make that link non-click-through, like hxtp://, so the unaware may not go there and get something they do not want.
It is the “malpacker” used that is flagged; see this info here:
http://www.online-armor.com/oasis2/file/malware/mal_packer/trial_reset_exe/100821
and
http://www.threatexpert.com/files/trial-reset.exe.html
Corrected file analysis
http://www.virustotal.com/file-scan/report.html?id=b061e79a1cd75b614b485a47ffd1210794369a7dcc3fcebe793b1d565fe9c198-1301518364
Write up on the malware worm of this name from virus encyclopedia:
TRIAL RESET.EXE
Source: htxp://angui123.cn/VirusEncyclopedia/3468.html
Sample Accepted Time: 2010-1-18 14:02:58
Infected Times:
TRIAL RESET.EXE Description: The unsafe files using this name are associated with the malware groups:
Malicious Software
Worm
TRIAL RESET.EXE acts as follows:
The Process is packed and/or encrypted using a software packing process
Drops known malicious software during execution
Includes file creation code which could be used to test for interception by security products
TRIAL RESET.EXE also has the following action
Created as a process in your system.
Executed as a Process
Infected Countries
Malware file TRIAL RESET.EXE detected on May 25 2009 in the following geographical region of the Prevx community:
Spain on May 25 2009
Same behavior related threat file name: TRIAL RESET.EXE has the following brother program files:
98609537.EXE
23031662.EXE
07999972.EXE
94838136.EXE
46541623.EXE
98639568.DAT
Filesizes
Several different file size detected:
2,570,979 bytes
5,930,694 bytes
48,640 bytes
971,263 bytes
File Type
Malware file TRIAL RESET.EXE is used by multiple object types including executable programs, objects.
File Activity
One or more files with the name TRIAL RESET.EXE creates, deletes, copies or moves the following files and folders:
create folder C:\WINDOWS\system32\28463
Creates c:\windows\system32\28463\KGUT.001
Creates c:\windows\system32\28463\KGUT.006
Creates c:\windows\system32\28463\KGUT.007
Creates c:\windows\system32\28463\KGUT.exe
Creates c:\windows\system32\28463\key.bin
Creates c:\windows\system32\28463\AKV.exe
Creates c:\docume~1\jim\locals~1\temp\Trial-Reset.exe
Deletes c:\docume~1\jim\locals~1\temp@3.tmp
Spread Way:
Windows Vulnerability
Registry Value Creation
MD5:k8oBaNMH5k6ODHqCLxO3Au75pLs71iQ1
SHA1:sFwj2VupP6AwfI8dT2WJi1CQ8s0EM5yK0g16Jedx
polonus
No, it doesn't - the engine is the same, i.e. they have to detect the same, at least on-demand.
My avast! 6 detects it as Win32:Agent-AJGC [PUP] - so I suppose you haven’t really enabled PUP scanning for the particular scan.
Hi Igor,
But it is the malpacker software packing process used here that is flagged, right? Borland Delphi compiled…
Another example: http://xml.ssdsandbox.net/index.php/1a2f41508f1d089fe710507646cd6e90
polonus
Why is the PUP ending removed at VirusTotal ?
I don’t really know what is flagged and why it’s flagged as PUP. Maybe it’s just the particular packed sample detected by the outer wrapper.
As for why VT removes the suffix - don’t know, I also find it unfortunate.
SOPHOS analysis … this must be a world record response…50min
Trial Reset.exe -- identity created/updated
The file(s) submitted were identified as a potentially unwanted application and detection is now available on the Sophos Databank.