avast does not detect this generic trojan downloader..[SOLVED]

Where does this malware reside: 2011-03-23 16:34:29 htxp://hostzmail.webcindario.com/blog.php/favicon.ico 0BED6881017BAB194A1062A8484345A4 89.x17.x220.x221 ES TRCrypt.CFI.Gen, also known as HTTP Suspicious Executable Image Download
virustotal scan: http://www.virustotal.com/url-scan/report.html?id=02516337d8bab230aab030db570591ae-1300894951
virustotal filescan: http://www.virustotal.com/file-scan/report.html?id=310dbad56dc04f95757c7ae4aaec6d188f33c3e546f5041f2a22598586a35259-1300898797
found to be suspicious here: http://wepawet.iseclab.org/view.php?hash=02516337d8bab230aab030db570591ae&t=1300899041&type=js
accompanying Anubis report: http://anubis.iseclab.org/?action=result&task_id=18c500c505f8821b49d0c0af58bdc88ec
see attached screendump

polonus

Seems the “.ico” file downloads a .com file… not good. Would be nice to get this detected.

Hi spgSCOTT,

Yes, zlob also arrived that way (ico) in the past. It is a good thing to check your files before you download, submitting the download URL, for instance, to virustotal and then scanning the file accordingly there, or scanning the download URL here: http://vscan.urlvoid.com/
The next good thing to do when slightly in doubt is to open the download inside the avast sandbox, so watch your clicks.

polonus
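The alert name quoted at the top of the thread (HTTP Suspicious Executable Image Download) and spgSCOTT's observation that the “.ico” actually delivers a .com file describe the same check: a URL that ends in an image extension whose bytes are not an image. Below is an added example of that check, written for this thread and not code from the forum, from avast, or from any of the scanners linked above. The response bodies are constructed (a five-byte DOS .com stub, a bare ICONDIR header, an MZ header); the thread's URLs are reused only as labels, and nothing is fetched. The hash helper is there because the later posts compare samples by MD5.

```python
"""Triage helper: flag "image" downloads whose bytes are not an image.

Added example for the forum thread, not code from the thread itself.
All HTTP bodies below are constructed; no real payload is reproduced.
"""
import hashlib
from urllib.parse import urlparse

IMAGE_EXTENSIONS = {".ico", ".gif", ".png", ".jpg", ".jpeg", ".bmp"}

# Leading bytes a file with the given image extension should start with.
# A .ico is either an ICONDIR (reserved=0, type=1) or, in newer files, a PNG.
IMAGE_MAGIC = {
    ".ico": (b"\x00\x00\x01\x00", b"\x89PNG\r\n\x1a\n"),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".bmp": (b"BM",),
}

# Executable containers that can be recognised by their header. DOS .com
# files have no header at all, which is why "no image header" is already
# treated as suspicious for an image URL instead of requiring a known magic.
EXECUTABLE_MAGIC = {
    b"MZ": "PE/MZ executable",
    b"\x7fELF": "ELF executable",
    b"PK\x03\x04": "ZIP/JAR archive",
}


def extension_of(url):
    """Lower-cased extension of the URL path ('' if none)."""
    path = urlparse(url).path
    dot = path.rfind(".")
    return path[dot:].lower() if dot != -1 else ""


def classify_download(url, body):
    """Return a verdict string for a suspicious image download, else None.

    None means: not an image URL, or the bytes match the claimed format.
    """
    ext = extension_of(url)
    if ext not in IMAGE_EXTENSIONS:
        return None
    if any(body.startswith(magic) for magic in IMAGE_MAGIC[ext]):
        return None
    for magic, name in EXECUTABLE_MAGIC.items():
        if body.startswith(magic):
            return f"{name} served as {ext}"
    return f"no {ext} header (possible .com or other headerless payload)"


def hashes(body):
    """MD5 and SHA-256 of the body, for comparing samples and for submission."""
    return {
        "md5": hashlib.md5(body).hexdigest(),
        "sha256": hashlib.sha256(body).hexdigest(),
    }


# Constructed samples. The first mimics the thread's case: an image URL whose
# body is a tiny DOS .com program (mov ax,4C00h; int 21h = exit).
SAMPLES = [
    ("htxp://hostzmail.webcindario.com/blog.php/favicon.ico", b"\xb8\x00\x4c\xcd\x21"),
    ("http://example.invalid/favicon.ico", b"\x00\x00\x01\x00" + b"\x00" * 16),
    ("http://example.invalid/logo.gif", b"MZ\x90\x00" + b"\x00" * 60),
    ("htxp://onj2me.info/register/dl/1457/FlashPlayer.jar", b"PK\x03\x04"),
]


def triage(samples):
    """Run the check over (url, body) pairs; return only the flagged ones."""
    return [
        (url, verdict, hashes(body)["md5"])
        for url, body in samples
        if (verdict := classify_download(url, body)) is not None
    ]


if __name__ == "__main__":
    for url, verdict, md5 in triage(SAMPLES):
        print(f"{url}\n  {verdict}\n  md5 {md5}")
```

Only the two image URLs with non-image bodies are flagged; the .jar is left alone because a JAR is expected to be a ZIP, and detecting a malicious JAR needs the kind of content analysis the linked scanners do rather than a header check.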

Here is another one, not detected by avast from here: htxp://onj2me.info/register/dl/1457/FlashPlayer.jar
See: http://www.virustotal.com/file-scan/report.html?id=7a8c884e3942f0aceb02fad13934eb44e9d10eb7b1654fc20be4e229f72355b0-1300966118
Found to be benign here: http://wepawet.iseclab.org/view.php?hash=42e00e8d7d8082d5fdcd0324b7739be0&t=1300972394&type=js
Threats found thrice:

Trojan.Gen
Location: htxp://onj2me.info/register/up2/460/maksim.jar
No longer found to reside there… No file was found at that URL… Corrected: still there, see the following post from pondus.

Location: htxp://onj2me.info/low/wall/1334/PornoTetris.jar Avast finds it as Java:Agent-CP, see:
http://www.virustotal.com/file-scan/report.html?id=8288553265cda966af6dcca1609a7a2ee3fbdd3c6699541178812ec63c0214eb-1300972767

Location: htxp://onj2me.info/low/up2/1334/MakSim.jar Here it is found by avast as Other:Malware-gen.
See: http://www.virustotal.com/file-scan/report.html?id=5961140382bbd7f56b39a8b11d56de7a04f31ac49daa27886aa14333c4d27f60-1300972625

polonus

Trojan.Gen Location: htxp://onj2me.info/register/up2/460/maksim.jar No longer found to reside there… No file was found at that URL…
Ooo yes, it is still there ;) Same name, but a different MD5 from the last one you posted.

And avast got it:
http://www.virustotal.com/file-scan/report.html?id=fe05bf9a8d1d812f0e4bd6bafb731ad175cf8ddc80e6a7021d0bfb3a7996af44-1300978417

Norton, Microsoft, McAfee, Eset, AVG, etc. all detect this but Avast is still not detecting it as of 1:30 EDST today. I searched for about 20 minutes and did not find a way to submit this to Avast lab. They have a process for submitting false positives from the virus chest but not for submitting missed positives.

I have customers who will open this e-mail message and probably get infected. :(

I searched for about 20 minutes and did not find a way to submit this to Avast lab.
Send samples in a password-protected zip file to virus @ avast.com, subject: undetected sample, password: infected

False Positive OR Potential Malware… from the chest:

EDIT: hang on… screenshot is messed up… There…

The .com file that comes from Polonus’ first post in this thread is now detected by avast, after adding it to the chest and sending it :)

110324-1

OK, we change the topic to “SOLVED”

pol