Avast does not detect - Trojan.Ransomlock [SOLVED]

All I have for this is http://www.threatexpert.com/report.aspx?md5=9d973d80ed78517e3d54b92119ab6532
& http://camas.comodo.com/cgi-bin/submit?file=72489f688c4c5710a790dd23b9075360ba76c91b0813e795f976c4917ed757e6&iframe=
and
http://threatcenter.crdf.fr/?More&ID=66207&D=CRDF.Trojan.Downloader.Win32.PEx.887925977
Suspicious: -cursus.windowsles.be/ suspicious
[suspicious:2] (ipaddr:62.112.155.45) (jsvar) -cursus.windowsles.be/
status: (referer=-cursus.windowsles.be/index.php)saved 10078 bytes 931b873cf72efc464303b9cd4913a4c5cbe02b91
info: [javascript variable] URL=-cursus.windowsles.be
info: [script] -cursus.windowsles.be/skins/common/IEFixes.js?207
info: [script] -cursus.windowsles.be/skins/common/wikibits.js?207
info: [script] -cursus.windowsles.be/skins/common/ajax.js?207
info: [script] -cursus.windowsles.be/index.php?title=-&action=raw&gen=js&useskin=gumaxdd
info: [script] -cursus.windowsles.be/skins/gumaxdd/scripts/jquery-1.3.2.min.js?207
info: [script] -cursus.windowsles.be/skins/gumaxdd/scripts/jquery.droppy.js?207
info: [decodingLevel=0] found JavaScript
error: line:66: SyntaxError: missing ; before statement:
error: line:66: ; wikibits js →
error: line:66: …^
suspicious:
Given clean: http://vscan.urlvoid.com/analysis/edc58c6188b0a7a20e47a320ae6671d5/aW5kZXgtcGhw/
and http://wepawet.iseclab.org/view.php?hash=087de68a113787e2be1406fe0de6cebf&t=1327587971&type=js
Also this given as malicious: -http://cursus.windowsles.be/index.php?act=index
and -http://cursus.windowsles.be/index.php?act=index

polonus

https://www.virustotal.com/file/085c209fa6ce20e2303c452445bd44cff416844abe7235e22f3b119ef46746a9/analysis/

Hi razoreqx,

Thank you for coming up with the VT scan results that show that avast missed detection. Did you forward to virus AT avast dot com also, so they can add this to detection?

pol

Hello,
reupload (and rescan) on VT fixed it :wink:

Milos

Yes VT results now show detection, https://www.virustotal.com/file/085c209fa6ce20e2303c452445bd44cff416844abe7235e22f3b119ef46746a9/analysis/. Interestingly this is the same VT path that razoreqx gave and it shows avast detection as Win32:Malware-gen.

So it looks like the new VT interface will show the latest results (if another submission is made), rather than the original old results.

Hi DavidR,

Thanks for that important observation, and this is something to reckon with both for us here that check on/follow avast’s overall detection results and also for the avast team members making sure that VT is getting the updated avast detection results right! I think this makes VT scanning a bit more obscure, but I hope that isn’t the case. Good the guys at VT took the MD5 hash out, because it is no longer secure anymore. We have to use the longer SHA256 hash now to land at the VT file scan results following a particular URL scan. I hope Pondus, Asyn, Dim@rik, razoreqx and the others out of VT regularly also are fully aware of these changes with VT scanning handling. Anyway thanks for the heads up!

polonus

Hi

I didn't forward, I just replied to further solidify your findings :slight_smile:
Had not noted David’s mention of the update to VT. Very good to know!

Thanks