Backdoor trojan found here:

Hi malware fighters,

Malware detected here: htxp://www.ideogramma.net/jaccise/full/J-Accise.exe
malcode known as: backdoor trojan…
See: http://wepawet.iseclab.org/view.php?hash=14ed47c73754259110886c7d044bcf4b&t=1275946171&type=js

polonus

Hi malware fighters,

Another one found on this Brazilian site:
danilodonadeli.kit.net
Domain Hash: aaa66a8fbfcb9b5c0e6e4098d2a1ff24
IP Address: 201.7.184.2
IP Hostname: -
IP Country: BR (Brazil)
AS Number: 28604
AS Name: TV GLOBO LTDA

Threat Name: PHP.Backdoor.Trojan
Location: htxp://www.danilodonadeli.kit.net/

Threat Name: PHP.Backdoor.Trojan
Location: htxp://www.danilodonadeli.kit.net/favicon.ico

Also detected here: http://www.mywot.com/en/scorecard/danilodonadeli.kit.net

polonus

VirusTotal - danilodonadeli.kit.net.htm - 3/41
http://www.virustotal.com/analisis/d3e4917e75abc2e9b2391cab1e54134f5be9074c097f9d2c9da74bad0bbb0de6-1276554027

VirusTotal - favicon.ico - 3/41
http://www.virustotal.com/analisis/d3e4917e75abc2e9b2391cab1e54134f5be9074c097f9d2c9da74bad0bbb0de6-1276554032

Hi Pondus,

Where is avast detection? We have to check again within a few days,

polonus

Hi malware fighters,

Another backdoor found on this Chinese site:
Threat Name: Backdoor.Tidserv
Location: htxp://www.russianmomds.ru/dogma.exe
Active content was blocked due to digital signature violation
The violation is Missing Digital Signature

We never found it to be benign according to Wepawet

The last time we found it to be suspicious was at 2010-06-02 20:44:35.

The analyzed resource contains one or more syntax errors.
hxtp://www.russianmomds.ru/dogma.exe PE32 executable for MS Windows (GUI) Intel 80386 32-bit 35164a99caf83a240f302967b76c4d74

See:
http://www.virustotal.com/analisis/bd9bf9ebdaef2511cd684da0469ceb7d2840eef6764747d4e38720886511880b-1275987396
where avast does not detect it…
analysis here: htxp://jsunpack.jeek.org/dec/go?report=fae7cef75c70a450942d681a12b050fca3e0a6db
On the malware file read: http://www.prevx.com/filenames/X2126548755673220298-X1/DOGMA.EXE.html
http://www.threatexpert.com/report.aspx?md5=b9ba7af9ce0fb149a4d14b664ecdaffe
cloaked malware…

polonus

where avast does not detect it…
Updated scan… different md5 than the one you show?

VirusTotal - dogma.exe - 14/41
http://www.virustotal.com/analisis/56e43a91ea3870e162ab6da98d32381433799c6f9f5ec8d145094d158eb0e124-1276727175

Hi Pondus,

Attentively flagged, now waiting for a better detection rate on the Malscript malware in the other thread,
just over 38% detection rate for avast now…
http://forum.avast.com/index.php?topic=60161.msg513406#msg513406

polonus