Avast does not detect uppa.exe?

See: http://minotauranalysis.com/search.aspx?q=02e2db1413f738a4d65047e60ba6cca0

See: http://zulu.zscaler.com/submission/show/ed70e11b2d7643ff28cb2096e3b57385-1363020823

See: https://www.virustotal.com/en/file/1705c491dd4ca9a8e0b82e7bd106bef10bbb08fdad752d0cb5a7bae74ea09c2b/analysis/

See: http://www.threatexpert.com/report.aspx?md5=02e2db1413f738a4d65047e60ba6cca0

See: http://anubis.iseclab.org/?action=result&task_id=18acca3306a4a5294a167f35f82f01371

Or is this a PUP find? DrWeb’s observations: http://www.drwebhk.com/en/virus_techinfo/Trojan.DownLoader4.20515.html%2Bupppa.exe&oe=utf-8&hl=en&ct=clnk (only search-engine cache content available?)

* The following Host Name was requested from a host database:
      o 192.5.5.241, and we are confronted with just another DNS root server abuse from a tcpdump in a case study...

polonus

Hi Pol,
Avast! Web shield blocks as FilerepMalware :smiley:

Hi true indian,

Thanks for confirming the shield detection. We are being protected,

pol

Hi Pol,
the file has been packed 3 times by 3 different packers. No wonder Avast detects it.

Hi Left123,

Yes, see that:
F-Prot packer identifier
AutoIt, UTF-8, UPX

The default packer used by AutoIt is the free UPX,
but if you want more protection you need to use some commercial products like Themida, EXECryptor or ZProtect.
UTF-8 is an alternative to compressing, so using the ISO-8859-1/UTF-8 setting…

Remember, if you do not use UPX, to disable UPX compression and then apply the chosen packer's compression.

Also, 3 mutexes are created:
CritOpMutex (created by the second)
MSCTF.Shared.MUTEX.IFG typical for e.g. Zeus tracker malware & win32 trojans
_SHuassist.mtx

polonus
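The packer list above is the kind of thing a static packer identifier reports from byte markers left in the file. The following script, added here as an example and not code from the thread or from any of the tools it mentions, parses the PE section table and looks for the two markers that UPX and AutoIt leave behind: the `UPX0`/`UPX1` section names and `UPX!` magic, and the `AU3!EA06` header that precedes the compiled script in an AutoIt3 executable. The UTF-8 entry in that list is the script's text encoding and leaves no marker to scan for, so only UPX and AutoIt are checked. The sample PE is constructed in memory (it is header-only and not loadable) so the script runs offline; the `build_minimal_pe` helper and the hit names are my own.

```python
import struct

# Markers this scanner looks for. Section names are trivially renamed by a
# modified packer and the AutoIt marker can be obfuscated, so a hit is a
# heuristic (the same kind of evidence a packer identifier reports), not proof.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
UPX_MAGIC = b"UPX!"          # written into the UPX pack header
AUTOIT_MARKER = b"AU3!EA06"  # header of the compiled script embedded by AutoIt3


def pe_section_names(data: bytes) -> list[bytes]:
    """Walk the PE headers and return the raw 8-byte section names, NUL-stripped."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)   # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)      # SizeOfOptionalHeader
    table = coff + 20 + opt_size                                 # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        off = table + 40 * i
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def identify_packers(data: bytes) -> list[str]:
    """Return the packer/runtime names whose markers are present, sorted."""
    found = set()
    if UPX_SECTION_NAMES & set(pe_section_names(data)) or UPX_MAGIC in data:
        found.add("UPX")
    if AUTOIT_MARKER in data:
        found.add("AutoIt")
    return sorted(found)


def build_minimal_pe(section_names: list[bytes], payload: bytes) -> bytes:
    """Constructed test input (my helper): a header-only PE32 with the given
    sections, each backed by a copy of `payload`. Not loadable, just parseable."""
    opt_size = 224                                  # PE32 optional header size
    n = len(section_names)
    headers_len = 64 + 4 + 20 + opt_size + 40 * n
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)           # e_lfanew: PE header follows DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    sections = b""
    raw_ptr = headers_len
    for name in section_names:
        sections += struct.pack("<8sIIIIIIHHI", name, len(payload), 0x1000,
                                len(payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw_ptr += len(payload)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections + payload * n


# Constructed samples: one carrying both UPX and AutoIt markers, one carrying none.
PACKED = build_minimal_pe([b"UPX0", b"UPX1", b".rsrc"],
                          b"UPX!" + b"\0" * 12 + b"AU3!EA06" + b"\0" * 8)
CLEAN = build_minimal_pe([b".text", b".data"], b"\0" * 32)

if __name__ == "__main__":
    print(pe_section_names(PACKED), identify_packers(PACKED))  # [b'UPX0', b'UPX1', b'.rsrc'] ['AutoIt', 'UPX']
    print(pe_section_names(CLEAN), identify_packers(CLEAN))    # [b'.text', b'.data'] []
```

Run it against a real file by reading the bytes and passing them to `identify_packers`; a sample that has been re-packed with a commercial protector on top of UPX will usually lose the UPX section names but may still carry the AutoIt marker once the outer layer is unpacked, which is why a behavioural run remains the more reliable check.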

Hi Pol, just found more time to look into it. Searching at a forum I found a confirmed Win32/Phorphiex sample.
You can see it here https://www.virustotal.com/ru/file/edb1a99271f8c7b871829ec9b530e2715dc2a90685f30693730434f645a0ae18/analysis/ .
Again here, the behavioural analysis will save us. Not only is this sample packed by the very same 3 packers as uppa.exe, but the created/opened files are the same.
The sample you provided (843921.exe):
C:\1705c491dd4ca9a8e0b82e7bd106bef10bbb08fdad752d0cb5a7bae74ea09c2b (successful)
\\.\PIPE\lsarpc (successful)
\\.\MountPointManager (successful)
C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\aut1.tmp (successful)
C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\noir.art (successful)
C:\WINDOWS\system32\rsaenh.dll (successful)
The sample I provided (IMG0540230-JPG.sc_):
C:\edb1a99271f8c7b871829ec9b530e2715dc2a90685f30693730434f645a0ae18 (successful)
\\.\PIPE\lsarpc (successful)
\\.\MountPointManager (successful)
C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\aut1.tmp (successful)
C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\noir.art (successful)
C:\WINDOWS\system32\rsaenh.dll (successful)
Is there any need to continue? You can check it on your own to find more similarities :slight_smile: .
Regards,
Philip
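The comparison Philip makes by eye can be scripted. The following is an added example, not code from the thread or from any sandbox: it takes the two "opened files" lists quoted above as constructed input, folds the per-run noise (the sandbox drops each sample at `C:\<sha256>`, and the Temp directory carries the user name) so that only behaviour is compared, scores the overlap with a Jaccard index, and annotates artifacts that carry meaning on their own: `aut1.tmp` under Temp is where the AutoIt runtime unpacks its compiled script, and `rsaenh.dll` is the Microsoft Enhanced Cryptographic Provider. The `CONTROL` list is made up for contrast and does not come from any report.

```python
import re

# Constructed input: the two "created/opened files" lists quoted in the post
# above, plus a made-up control list (not from any report) to show a low score.
FILES_A = [  # 843921.exe / uppa.exe
    r"C:\1705c491dd4ca9a8e0b82e7bd106bef10bbb08fdad752d0cb5a7bae74ea09c2b",
    r"\\.\PIPE\lsarpc",
    r"\\.\MountPointManager",
    r"C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\aut1.tmp",
    r"C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\noir.art",
    r"C:\WINDOWS\system32\rsaenh.dll",
]
FILES_B = [  # IMG0540230-JPG.sc_
    r"C:\edb1a99271f8c7b871829ec9b530e2715dc2a90685f30693730434f645a0ae18",
    r"\\.\PIPE\lsarpc",
    r"\\.\MountPointManager",
    r"C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\aut1.tmp",
    r"C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\noir.art",
    r"C:\WINDOWS\system32\rsaenh.dll",
]
CONTROL = [  # hypothetical unrelated sample, invented for contrast
    r"C:\0000000000000000000000000000000000000000000000000000000000000000",
    r"\\.\PIPE\lsarpc",
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\setup.log",
]

# The sandbox writes the sample to C:\<sha256>; that path differs per sample by
# construction and must not count as a similarity. The Temp path embeds the
# (anonymised) user name, so it is folded to %TEMP%.
SELF_PATH = re.compile(r"^C:\\[0-9a-f]{64}$", re.I)
TEMP_DIR = re.compile(r"^C:\\DOCUME~1\\[^\\]+\\LOCALS~1\\Temp\\", re.I)

# Artifacts worth calling out when shared (keys are in normalised form).
INDICATORS = {
    r"%temp%\aut1.tmp": "AutoIt runtime unpacked its compiled script to Temp (aut*.tmp)",
    r"c:\windows\system32\rsaenh.dll": "Microsoft Enhanced CSP loaded: CryptoAPI in use",
    r"\\.\pipe\lsarpc": "LSA RPC pipe opened (also common in benign code; weak on its own)",
}


def normalize(path: str):
    """Fold per-run noise; return None for artifacts that carry no signal."""
    p = path.strip()
    if SELF_PATH.match(p):
        return None
    return TEMP_DIR.sub(r"%TEMP%\\", p).lower()


def artifact_set(paths):
    return {n for n in map(normalize, paths) if n is not None}


def compare(paths_a, paths_b):
    """Overlap of two behavioural artifact lists after normalisation."""
    a, b = artifact_set(paths_a), artifact_set(paths_b)
    shared = a & b
    union = a | b
    return {
        "shared": sorted(shared),
        "only_a": sorted(a - b),
        "only_b": sorted(b - a),
        "jaccard": len(shared) / len(union) if union else 0.0,
        "indicators": {p: INDICATORS[p] for p in sorted(shared) if p in INDICATORS},
    }


if __name__ == "__main__":
    for label, other in (("Phorphiex sample", FILES_B), ("control", CONTROL)):
        r = compare(FILES_A, other)
        print(f"{label}: jaccard={r['jaccard']:.2f} shared={len(r['shared'])}")
        for p, why in r["indicators"].items():
            print(f"  {p}: {why}")
```

The score is only as good as the normalisation: without dropping the `C:\<sha256>` entry every pair of sandbox runs would share a "file", and without folding the Temp path two runs under different user names would never match. Mutex names from the reports can be fed through `compare` the same way, since the post's `MSCTF.Shared.MUTEX.IFG` style names are exactly the kind of per-family artifact this catches.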

Hi Left123,

Thanks for these instructive, informative posts. They stand out in white lines on my “inner blackboard”, and the lesson learnt will be applied in further investigations.
Thanks again for your positive and inspirational input,

Damian