Today I received a suspicious email regarding an “application” for a job, with a link to a file hosting service to download the “application pack”. It immediately raised red flags for me, but I downloaded it anyway with the intention to check it out.
For the record, I’m running the Avast! antivirus for Linux, and the Pro version on my Dad’s business laptop. Also ClamTK on Linux. All of them scanned the files as clean.
The file was zipped and contained two insidious little .exe files named ApplicationForm.exe and JobDescription.exe respectively. The thing about these files was that they had the icons of MS Word files. You could see plainly when you used Nautilus to view the files that they weren’t on the level. On Windows, however, there is nothing that’d give a non-techie user any reason to think twice before running these files.
In fact, a few minutes after I blogged about this very thing, my mom called me up all the way from London (I’m in the Philippines) sobbing and telling me how her online financial accounts had been compromised. She described everything to me, from the email, the files, and the sender, and it matched all of it. (We are now working to recover her accounts).
I had installed Avast on her computer some years back and taught her how to update it consistently and run system scans, BTW.
So I’m kind of disappointed. I’ve been a loyal Avast user for several years, I’ve turned my dad and an aunt into paying users and intended to recommend a business associate I consult for to use the Business edition, but this event has given me pause.
Fact of life: no security program has 100% detection. About 50,000 new pieces of malware code are found every day, so detecting it all is mission impossible.
Send the file(s) to virus @ avast . com in a password-protected zip file
password: infected
subject: undetected sample
Also upload the file(s) to www.virustotal.com and test with 43 malware scanners.
When you have the result, copy the URL in the address bar and post it here for us to see.
Also check your messages; see the top right corner, “MY MESSAGES”.
0 detections, similarity between the executables:
Same imports: [[ 1 import(s) ]]
mscoree.dll: _CorExeMain (You must have had the .NET Framework installed for this …
You could have more versions of the .NET Framework; to establish which, look at the subkeys under this registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\policy.)
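The similarity note above rests on one fact from the PE import table: both executables import only mscoree.dll!_CorExeMain, the entry stub every .NET (MSIL) executable uses to start the CLR. The parser below is an added example, not code from the original thread or from VirusTotal; it walks the import directory of a PE32/PE32+ file the way a triage script would, reports the DLL/function pairs two files have in common, and additionally checks data directory 14 (the CLR runtime header), which a .NET assembly carries even when its import table has been tampered with. The PE files it is run on are constructed inline as test data by build_sample_pe, which is also an assumption of the example and not a real binary.

```python
import struct

IMPORT_DIR, CLR_DIR = 1, 14          # data-directory indices: IMAGE_DIRECTORY_ENTRY_IMPORT / _COM_DESCRIPTOR
CLR_ENTRYPOINTS = {'_CorExeMain', '_CorDllMain'}


def _cstr(data, off):
    return data[off:data.index(b'\x00', off)].decode('ascii', 'replace')


def parse_pe(data):
    """Return the DLL->function import map and whether the file is a .NET assembly."""
    if data[:2] != b'MZ':
        raise ValueError('not an MZ executable')
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE\x00\x00':
        raise ValueError('missing PE signature')
    nsect = struct.unpack_from('<H', data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from('<H', data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    pe32plus = struct.unpack_from('<H', data, opt)[0] == 0x20B
    ndirs_off = opt + (108 if pe32plus else 92)
    ndirs = struct.unpack_from('<I', data, ndirs_off)[0]
    dirs = [struct.unpack_from('<II', data, ndirs_off + 4 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsect):
        vsize, va, rawsize, rawptr = struct.unpack_from('<IIII', data, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rawsize), rawptr))

    def rva_to_off(rva):
        for va, size, raw in sections:
            if va <= rva < va + size:
                return raw + (rva - va)
        raise ValueError(f'RVA {rva:#x} maps to no section')

    imports = {}
    imp_rva = dirs[IMPORT_DIR][0] if len(dirs) > IMPORT_DIR else 0
    off = rva_to_off(imp_rva) if imp_rva else None
    tsize, tfmt = (8, '<Q') if pe32plus else (4, '<I')
    while off is not None:
        oft, _, _, name_rva, ft = struct.unpack_from('<IIIII', data, off)
        if name_rva == 0:                       # null descriptor terminates the array
            break
        dll = _cstr(data, rva_to_off(name_rva)).lower()
        thunk, funcs = rva_to_off(oft or ft), []
        while (entry := struct.unpack_from(tfmt, data, thunk)[0]) != 0:
            if entry >> (tsize * 8 - 1):        # high bit set: import by ordinal
                funcs.append(f'ordinal#{entry & 0xFFFF}')
            else:                               # RVA of IMAGE_IMPORT_BY_NAME: 2-byte hint, then name
                funcs.append(_cstr(data, rva_to_off(entry) + 2))
            thunk += tsize
        imports[dll] = funcs
        off += 20
    has_clr_header = len(dirs) > CLR_DIR and dirs[CLR_DIR][0] != 0
    via_mscoree = bool(CLR_ENTRYPOINTS & set(imports.get('mscoree.dll', ())))
    return {'imports': imports, 'clr_header': has_clr_header, 'is_dotnet': has_clr_header or via_mscoree}


def shared_imports(data_a, data_b):
    """The (dll, function) pairs two files have in common, as the VirusTotal note lists them."""
    flat = lambda d: {(dll, f) for dll, fs in parse_pe(d)['imports'].items() for f in fs}
    return flat(data_a) & flat(data_b)


def build_sample_pe(imports, dotnet):
    """Constructed test data: a minimal PE32 file with the given import table (not a real binary)."""
    sec_rva, sec_off = 0x1000, 0x200
    desc_size = 20 * (len(imports) + 1)
    blob, descriptors = bytearray(desc_size), []
    for dll, funcs in imports.items():
        name_rva = sec_rva + len(blob)
        blob += dll.encode() + b'\x00'
        hints = []
        for f in funcs:
            blob += b'\x00' * (len(blob) % 2)
            hints.append(sec_rva + len(blob))
            blob += struct.pack('<H', 0) + f.encode() + b'\x00'
        blob += b'\x00' * (-len(blob) % 4)
        thunk_rva = sec_rva + len(blob)
        blob += b''.join(struct.pack('<I', h) for h in hints) + b'\x00' * 4
        descriptors.append((thunk_rva, name_rva))
    for i, (thunk_rva, name_rva) in enumerate(descriptors):
        struct.pack_into('<IIIII', blob, 20 * i, thunk_rva, 0, 0, name_rva, thunk_rva)
    clr_rva = 0
    if dotnet:
        clr_rva = sec_rva + len(blob)
        blob += struct.pack('<I', 72) + b'\x00' * 68     # IMAGE_COR20_HEADER, cb = 72
    dos = bytearray(64)
    dos[:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, 0x40)              # e_lfanew
    coff = struct.pack('<HHIIIHH', 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into('<H', opt, 0, 0x10B)                # PE32 magic
    struct.pack_into('<I', opt, 92, 16)                  # NumberOfRvaAndSizes
    struct.pack_into('<II', opt, 96 + 8 * IMPORT_DIR, sec_rva, desc_size)
    struct.pack_into('<II', opt, 96 + 8 * CLR_DIR, clr_rva, 72 if dotnet else 0)
    sect = b'.text'.ljust(8, b'\x00') + struct.pack('<IIII', len(blob), sec_rva, len(blob), sec_off) + b'\x00' * 16
    header = bytes(dos) + b'PE\x00\x00' + coff + bytes(opt) + sect
    return header.ljust(sec_off, b'\x00') + bytes(blob)


if __name__ == '__main__':
    form = build_sample_pe({'mscoree.dll': ['_CorExeMain']}, dotnet=True)
    native = build_sample_pe({'kernel32.dll': ['CreateFileA'], 'user32.dll': ['SetWindowsHookExA']}, dotnet=False)
    print(parse_pe(form)['is_dotnet'], parse_pe(native)['is_dotnet'], shared_imports(form, form))
```

To use it on the real samples, read each file with open(path, 'rb').read() and pass the bytes to parse_pe; a single mscoree import plus a present CLR header says the file is a managed executable, which is why the native-code scanners' static signatures had nothing to match against and why a .NET decompiler is the next triage step.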
There is a new Win32/Fruspam worm variant on the loose, and judging from a couple of the subject lines, Fruspam thinks you need a new job.
The second infection is Mal/MSIL-A.
Mal/MSIL-A Manual Removal Instructions
Backup Reminder: Always be sure to back up your PC before making any changes.
Step 1: Use Windows Task Manager to Remove Mal/MSIL-A Processes
Remove the “Mal/MSIL-A” process files:
%AppData%\recyclerr\recyclerr.exe
Step 2: Use Registry Editor to Remove Mal/MSIL-A Registry Values
Locate and delete “Mal/MSIL-A” registry entries:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
Step 3: Detect and Delete Other Mal/MSIL-A Files
Remove the “Mal/MSIL-A” process files:
%AppData%\recyclerr\recyclerr.exe
Step 4: Delete the IE temp files; some Mal/MSIL-A temp files may exist there.
This is if you know how to do this, but it is better to wait for essexboy here; he might suggest a malware cleansing routine (probably MBAM etc. will do the job), so wait for his instructions.
Indeed it has been! I’ve gotten the most recent updates for MBAM, and they’ve done quite the job on these little buggers. Now the only thing I have to facilitate is for someone to help me mum out on the other side of the world and clean out that infected computer of hers using MBAM.
The file 'ApplicationForm.exe' has been determined to be 'MALWARE'. Our analysts named the threat TR/Spy.Remopid.B. The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system. Detection will be added to our virus definition file (VDF) with one of the next updates.
The file 'JobDescription.exe' has been determined to be 'MALWARE'. Our analysts named the threat TR/Spy.Remopid.A. The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system. Detection will be added to our virus definition file (VDF) with one of the next updates.
Your assumption that these files are malicious is right.
The files are .NET compiled and are used for hooking, i.e. capturing keystrokes and stealing bank information.
The working of these two files is attached in screenshots.