cp-bat not detected by avast as Win32/TrojanDownloader.Agent.QSW [SOLVED]

See: http://www.virustotal.com/file-scan/report.html?id=29d7ba08443fd5cea16d4ab4fbb1991bfd723619e0018e9316ecf0dbf08d25b4-1303552520 11/40 (28%) detected malware
See URL & Link Scan: http://vscan.urlvoid.com/file/25c06c4384c428ce25ba1660c41d30fd/Y3AtYmF0/
Comodo detects: Comodo 23/04/2011 4.0 as TrojWare.Win32.Trojan.Agent.Gen
See: hxtp://jsunpack.jeek.org/dec/go?report=018fa87bb681f64906828d72bbdc9ed2c881a7a8
(visit above link only when security aware, sandboxed and with ample script protection)

Sent to virus AT avast dot com

polonus

well that was quick ;D
http://www.virustotal.com/file-scan/report.html?id=29d7ba08443fd5cea16d4ab4fbb1991bfd723619e0018e9316ecf0dbf08d25b4-1303563022

Hi Pondus,

Amazing, glad to be able to add [SOLVED]

polonus

cp.bat
http://www.threatexpert.com/report.aspx?md5=25c06c4384c428ce25ba1660c41d30fd

cp.bat will try connecting to 195.122.131.2 and download this (travel.jpg):
http://www.threatexpert.com/report.aspx?md5=a2835db789c7bb13fe7545cd67e38bf3

travel.jpg is detected by avast
http://www.virustotal.com/file-scan/report.html?id=1d2f322c2a026cc10d4255a3262bb2cfdadedc90b767fc9036902a33e246df92-1303563372
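As an added example (not part of Pondus' post or any of the tools linked above), here is how a defender could turn the indicators listed in this thread into a quick local check: hashes of files found on a machine are matched against the MD5s from the ThreatExpert links and the SHA-256s taken from the VirusTotal report ids, and proxy log lines are scanned for the download host 195.122.131.2. The log lines and the `/travel.jpg` URL path are constructed for the demo; the thread only says the host serves travel.jpg, not at which path.

```python
import hashlib
import re

# Indicators taken from this thread: MD5s from the ThreatExpert report links,
# SHA-256s from the VirusTotal report ids, download host from Pondus' post.
IOC_MD5 = {
    "25c06c4384c428ce25ba1660c41d30fd": "cp.bat",
    "a2835db789c7bb13fe7545cd67e38bf3": "travel.jpg",
    "b168a55120bbc92939f3603b8076910e": "ico66",
}
IOC_SHA256 = {
    "29d7ba08443fd5cea16d4ab4fbb1991bfd723619e0018e9316ecf0dbf08d25b4": "cp.bat",
    "1d2f322c2a026cc10d4255a3262bb2cfdadedc90b767fc9036902a33e246df92": "travel.jpg",
    "9a6f3dcce2f20ef990bca5799c4d1186552ddeb0c9cb39c0cff7a28d203a0274": "ico66",
}
IOC_HOSTS = {"195.122.131.2"}

# Anchor the IP on both sides so 195.122.131.20 or 1195.122.131.2 do not match.
_HOST_PATTERNS = [
    (host, re.compile(r"(?<![\d.])" + re.escape(host) + r"(?![\d.])"))
    for host in IOC_HOSTS
]


def hash_bytes(data):
    """Return (md5, sha256) hex digests of a file's contents."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def classify_hashes(md5, sha256):
    """Return the sample name the thread associates with either digest, else None."""
    return IOC_MD5.get(md5.lower()) or IOC_SHA256.get(sha256.lower())


def classify_bytes(data):
    """Hash raw file contents and look them up against the thread's indicators."""
    return classify_hashes(*hash_bytes(data))


def scan_proxy_log(lines):
    """Return (line_number, host, line) for every log line touching a known host."""
    hits = []
    for number, line in enumerate(lines, 1):
        for host, pattern in _HOST_PATTERNS:
            if pattern.search(line):
                hits.append((number, host, line.strip()))
    return hits


# Constructed Squid-style access log lines; only the first one is a hit.
SAMPLE_LOG = [
    "1303552520.123 412 10.0.0.15 TCP_MISS/200 23456 GET http://195.122.131.2/travel.jpg - DIRECT/195.122.131.2 image/jpeg",
    "1303552521.456 120 10.0.0.15 TCP_MISS/200 1234 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html",
    "1303552522.789 200 10.0.0.22 TCP_MISS/200 5678 GET http://195.122.131.20/page.html - DIRECT/195.122.131.20 text/html",
]

if __name__ == "__main__":
    for number, host, line in scan_proxy_log(SAMPLE_LOG):
        print(f"line {number}: contact with {host}: {line}")
    # Constructed bytes, so no match is expected; a real cp.bat would return "cp.bat".
    print(classify_bytes(b"constructed benign content"))
```

The hash lookup is case-insensitive because scanners and reports print digests in mixed case; the host regex deliberately refuses prefix matches so a neighbouring address in the same /24 does not raise a false alert.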

Hi Pondus,

Thanks for the additional info on that malware domain, not much responding there now… see: htxp://www.malwaregroup.com/Ipaddresses/details/195.122.131.2

Analyzing the found malcode one step further could bring you additional results,
and this is very rewarding to the analyst…

polonus

this is where it is located link removed and still there

Hi Pondus,

This link there is supposed to be non-responding: htxp://rapidshare.com/files/448009390/ico66
That was this: http://www.threatexpert.com/report.aspx?md5=b168a55120bbc92939f3603b8076910e
and the VT scan was: http://www.virustotal.com/file-scan/report.html?id=9a6f3dcce2f20ef990bca5799c4d1186552ddeb0c9cb39c0cff7a28d203a0274-1302214248
avast detects as Win32:Kryptik-AFU

polonus

htxp://rapidshare.com/files/448009390/ico66
The file is no longer available at rapidshare ....

anyway they are all detected now :wink: