See: http://www.urlvoid.com/scan/s02.cba.pl/ for htxp://s02.cba.pl/pics_07_03_2013_jpeg.zip
https://www.virustotal.com/en/file/e0b6ba301dbd63234a5e247359c5fd1878d201a34738d068f1dea75d1e0a7de4/analysis/
Is this a packer identifier false detection?
File updated to virus AT avast dot com
What I think hindered the redirection is that you first get a "Wrong parameters. You have passed incorrect parameters. If you are trying to check URL, make sure it is correct." message, and then you will get a redirection to the real malicious file.
Header returned by request for: -
http://s02.cba.pl/pics_07_03_2013_jpeg.zip
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Sat, 09 Mar 2013 16:37:05 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 250
Connection: close
Location: htxp://s02.cba.pl/pics_09_03_2013_jpeg.zip
The location line in the header above has redirected the request to: htxp://s02.cba.pl/pics_09_03_2013_jpeg.zip
→ {"timestamp": "1362847128", "sha256": "b33b054c8ee28d1e78e0e68394a1bfbbfcda9c4ff7e688b33182fafdd6480e21", "analysis_url": "/en/url/b33b054c8ee28d1e78e0e68394a1bfbbfcda9c4ff7e688b33182fafdd6480e21/analysis/1362847128/", "result": 1, "verbose_msg": "Invalid URL"}
polonus
Hi Damian :), if you look carefully at "Behavioral information", Ccleaner opens the mutex "ShimCacheMutex (successful)".
Now let's look at a 100% malicious file (I chose Dorkbot, you'll see why).
Check here https://www.virustotal.com/en/file/dbbf78cf454bed18ffd128cdefa2a22e0fe813e8f63548de5b495358c115a5cb/analysis/
And go check the behavioral information, do you see something similar? Yes I do: ShimCacheMutex (successful).
Same thing happens here: https://www.virustotal.com/en/file/51100553d15597e9d0ca98aa0f3be3ab5a49c0ca10808456b7a92884296e1b68/analysis/
Also I would like to mention something: every DorkBot sample creates a hardcoded process and injects its code there. Check this:
Created processes: C:\51100553d15597e9d0ca98aa0f3be3ab5a49c0ca10808456b7a92884296e1b68 (successful)
Code injections in the following processes: 51100553d15597e9d0ca98aa0f3be3ab5a49c0ca10808456b7a92884296e1b68
As you can see it's the same process.
I will provide you another sample: https://www.virustotal.com/en/file/5900c78c545fc84a75937a9646660aead15aa25aa263b41d16684d35a4a0cef4/analysis/
Check its behavioural information, you'll see what I said above.
To sum up, Ccleaner.exe is a Dorkbot sample (possibly).
Hi Left123,
You know what you are talking about when you are discussing malware.
Thanks for sharing this with us. ShimCacheMutex is also part of the Google updater. Again monoculture biting us in the back.
See here under mutexes: http://www.softpanorama.org/Malware/Malware_defense_history/Ch11_data_stealing_trojans/Zoo/trojan_game_thief_win32.shtml
Also used in rootkits: http://bbs.360.cn/4071464/250257281.html
And in browser hacks in the pair:
Mutant \BaseNamedObjects\ShimCacheMutex
Section \BaseNamedObjects\ShimSharedMemory
polonus
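As an added example (not code from the thread, from VirusTotal or from any of the posters), here is one way to weigh the indicators the two posts above discuss: the ShimCacheMutex pair is treated as background noise shared with legitimate software, while the self-spawn plus self-injection pattern Left123 describes for Dorkbot is the strong signal. The report layout and field names are assumptions, and the sample reports are constructed.

```python
# Added example, not code from the thread or from VirusTotal: score a sandbox
# behavioural report the way the discussion above weighs indicators. The
# ShimCacheMutex pair counts for nothing (CCleaner and the Google updater open
# it too); spawning a copy of the sample and injecting into it, the Dorkbot
# pattern, is the strong signal. Field names are assumed; reports are constructed.

BENIGN_MUTEXES = {"ShimCacheMutex", "ShimSharedMemory"}  # shared with benign software

def _basename(path: str) -> str:
    # Sandbox reports mix Windows and POSIX separators; normalise both.
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def triage(report: dict) -> dict:
    """Return score, verdict and reasons for one behavioural report."""
    score, reasons = 0, []
    self_name = report["sha256"].lower()
    # 1. Mutexes: only ones outside the benign set carry any weight.
    unknown = sorted(m for m in report.get("mutexes_opened", []) if m not in BENIGN_MUTEXES)
    if unknown:
        score += 1
        reasons.append("unknown mutexes: " + ", ".join(unknown))
    # 2. Self-spawn: a created process whose image name is the sample's own hash.
    created = {_basename(p) for p in report.get("created_processes", [])}
    injected = {_basename(p) for p in report.get("code_injections", [])}
    if self_name in created:
        score += 2
        reasons.append("sample launched a copy of itself")
        if self_name in injected:  # 3. ...and injected into that copy (Dorkbot pattern)
            score += 3
            reasons.append("code injected into its own child process")
    elif injected:
        score += 2
        reasons.append("code injected into: " + ", ".join(sorted(injected)))
    verdict = "likely malicious" if score >= 5 else "suspicious" if score >= 2 else "no strong indicator"
    return {"score": score, "verdict": verdict, "reasons": reasons}

# Constructed reports: the Dorkbot one reuses the hash quoted in the thread,
# the CCleaner one a placeholder hash since the thread gives none.
DORKBOT_HASH = "51100553d15597e9d0ca98aa0f3be3ab5a49c0ca10808456b7a92884296e1b68"
DORKBOT_LIKE = {"sha256": DORKBOT_HASH, "mutexes_opened": ["ShimCacheMutex"],
                "created_processes": ["C:\\" + DORKBOT_HASH], "code_injections": [DORKBOT_HASH]}
CCLEANER_LIKE = {"sha256": "c" * 64, "mutexes_opened": ["ShimCacheMutex"],
                 "created_processes": [], "code_injections": []}

if __name__ == "__main__":
    for name, rep in (("CCleaner-like", CCLEANER_LIKE), ("Dorkbot-like", DORKBOT_LIKE)):
        print(name, triage(rep))
```

The CCleaner-like report scores zero on the mutex alone, which is the point polonus makes: a mutex that legitimate software also opens is not evidence by itself.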