flvdirect.exe

my wife downloaded that, not sure how, came from a mail I think, she probably clicked on an attachment randomly :slight_smile: I found it in a shared folder, knew I never put it there, and it disappeared from view as soon as I clicked on it (I know I shouldn't have clicked, I should have scanned it first :slight_smile: ). Okay I then found it in Chest on her laptop, explaining how it disappeared as I said.
One question I have here is why wasn’t it scanned and sent to Chest immediately when it was saved to disk in the first place. That’s an executable, so why was it ignored until it got manually executed ??? (not mentioning that the webshield didn’t stop it).

just for info: the file was called flvdirect.exe
info from prevx:
http://www.prevx.com/filenames/X2669713580830956212-X1/FLVDIRECT.EXE.html

File Behavior

FLVDIRECT.EXE has been seen to perform the following behavior:

Writes to another Process’s Virtual Memory (Process Hijacking)
This process creates other processes on disk
Executes a Process
Registers a Dynamic Link Library File
Creates new folders on the system
This Process Deletes Other Processes From Disk
Injects code into other processes
Found on infected systems and resists interrogation by security products
FLVDIRECT.EXE has been the subject of the following behavior:

Created as a process on disk
Executed as a Process
Has code inserted into its Virtual Memory space by other programs
Terminated as a Process

edit: forgot to mention I submitted it to avast from the Chest interface.
more here:
https://www.virustotal.com/analisis/31d8d11054490283cc52970a02d197e37ac68bd1b910d5fec587c73349be3e3c-1273749497

original site where the malware got downloaded (through using their services…):
hxxp://www.123greetingcard.com/

http://forum.avast.com/index.php?topic=58861.0

thanks :wink: at least it was sent to chest here, but just after clicking. I'd like to know what they mean by "resident shield" sometimes :slight_smile:

bump:
1 I’d like to know why the web shield didn’t intercept the file and abort the download connection
2 I’d like to know why a malicious executable isn’t sent to Chest (by the file shield) as soon as it’s saved to disk

thank you :)

ps: for the fs behavior, may be because it’s already blocked from self-execution by Windows?

bump:

what is the set of default extensions included when the file system shield scans on writing? doesn’t include *.exe ???

Didn't it start being detected by VPS 100513-1?
I.e. at the time the file was downloaded / saved to disk, it wasn’t being detected yet…

no it was only detected when I clicked on it (it’s pure hazard if I found it) and that was earlier today with 100513-0. And I’m sure it was downloaded today.

and the problem is that I have no way atm to simulate a new download of it (to compare with the new database behavior); if I restore it from Chest it will just be restored to a folder of my choice and that’s it, until I either execute it or scan it.
I might do that later from the mail it came from (not my mail box and not on my laptop)…after removing it from Chest there first to make sure there’s no old detection referred to…

FLVdirect.exe is a quite old adware, I found it a few months ago, and so I sent it for analysis. Yet it is still not detected by avast?

edit: Ok, avast is detecting it.

no no it is detected by the file system shield, but only once you click on it, not when first saved to disk during the download (and of course the webshield doesn't detect it).

Hi malware fighters,

Analysis here: http://www.threatexpert.com/report.aspx?md5=74c836650e57b55b107fa506ba116858

and another flaw of the malcode:
http://www.threatexpert.com/report.aspx?md5=e226159129f6da57c17b7846b267cd73

polonus

thanks :wink:

okay solved ;D >>> two alerts when attempting to download it from the original web site hxxp://www.flvdirect.com/ (I thought it was bundled to another site with subscription, that’s why I didn’t try to find the file before).
1st alert from the web shield, but the file is still downloaded, and then blocked automatically by the file system shield. Wondering why the web shield doesn't block everything, but fine, that's better than the previous behavior. See screenshots

ps: this was in Chrome, and the behavior in Firefox is a bit different >>> first similar web shield alert, and second alert from the file shield, very quickly, not enough time to click on save. Also, that’s a Windows process being involved when the detection is done from Firefox.

so one last question remains: why doesn’t the web shield block the download too ???

True, Network Shield recently detected a malicious website, and I still had access. Without blocking. I think it should be a bug in the current version. 5.0.545