I may have found a new virus

Hello

I may have found a new virus. It is a kind of rootkit: the file and the Run key do not appear in the Windows API. I did see it with Sysinternals tools, procexp and RootkitRevealer. Then I've been able to delete it, but I made a copy of it.

I checked the file with Avast, the TrendMicro online scanner and Antivir on another computer: the file is not detected as a virus. This is what surprised me.

But it is clearly one, as it opens IE windows displaying ads (mostly porn and casinos).

I could send it if you like.
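The symptom described in the post (a file and a Run key entry that the Windows API does not report, yet RootkitRevealer does) is the classic cross-view discrepancy. The script below is an added example, not code from the post or from Sysinternals: it compares two independent views of the same Run key and flags every disagreement. Both views are constructed sample data (the entry names and paths are made up for the example); on a real system the API view would come from registry enumeration and the raw view from a parser of the hive file.

```python
"""Cross-view check for a hidden Run key entry (added example, not from the post).

RootkitRevealer-style detection: the same registry key is enumerated through
two independent paths (what the Windows API reports vs. what a parser of the
raw hive file reports) and any disagreement is flagged. Both views below are
constructed sample data for the example.
"""
from dataclasses import dataclass
from typing import Optional

RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


@dataclass(frozen=True)
class Finding:
    kind: str                 # "hidden", "api_only" or "mismatch"
    name: str                 # value name under the Run key
    api_value: Optional[str]  # command line as reported by the API view
    raw_value: Optional[str]  # command line as found in the raw hive view


def _normalize(view: dict) -> dict:
    # Registry value names are case-insensitive; compare them case-folded
    # but keep the original spelling for the report.
    return {name.casefold(): (name, data) for name, data in view.items()}


def cross_view_diff(api_view: dict, raw_view: dict) -> list:
    """Return every entry on which the two views disagree.

    hidden   -> present in the raw hive but not reported by the API
                (the rootkit symptom the post describes)
    api_only -> reported by the API but absent from the raw hive
    mismatch -> same value name, different command line
    """
    api = _normalize(api_view)
    raw = _normalize(raw_view)
    findings = []
    for key in sorted(set(api) | set(raw)):
        a = api.get(key)
        r = raw.get(key)
        if a is None:
            findings.append(Finding("hidden", r[0], None, r[1]))
        elif r is None:
            findings.append(Finding("api_only", a[0], a[1], None))
        elif a[1] != r[1]:
            findings.append(Finding("mismatch", a[0], a[1], r[1]))
    return findings


def format_report(findings, key=RUN_KEY) -> str:
    """Render findings as a short text report, one line per discrepancy."""
    if not findings:
        return f"{key}: views agree"
    lines = [f"{key}: {len(findings)} discrepancy(ies)"]
    for f in findings:
        lines.append(f"  [{f.kind}] {f.name}: api={f.api_value!r} raw={f.raw_value!r}")
    return "\n".join(lines)


# Constructed sample views; names and paths are placeholders for the example.
API_VIEW = {
    "SoundTray": r"C:\Program Files\ExampleAudio\soundtray.exe",
    "Sync Agent": r"C:\Program Files\ExampleSync\agent.exe /background",
}
RAW_VIEW = dict(API_VIEW)
RAW_VIEW["Updater"] = r"C:\Windows\system32\updater.exe"  # visible only in the raw hive

if __name__ == "__main__":
    print(format_report(cross_view_diff(API_VIEW, RAW_VIEW)))
```

An entry reported as `hidden` is exactly what the post saw: the raw hive holds a value that the API path filters out, which is what a user-mode or kernel hook hiding persistence looks like. An `api_only` result usually points to a stale hive snapshot rather than malware, so the two kinds are kept apart in the report.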

To send it correctly (so the AV filter doesn't delete it), you must zip it, apply the password "virus" and send it to virus@avast.com with an explanation or a reference to this thread.
good luck

Before sending the file to virus[at]avast[dot]com (like Cloussau said), you may want to upload the file to VirusTotal to see if other AVs detect the file as a virus :wink: If the file is detected, send it to Alwil.
Although if the file is a rootkit, I doubt that it will be added to the VPS, because avast! still cannot detect rootkits :stuck_out_tongue:

Thank you

The VirusTotal server is in “high payload”, so I sent it by mail with a hidden copy to VirusTotal and avast, the whole thing in a password-protected zip file.

Plus, the binary is in the queue for testing, as I'm curious.

Regards

The file is not new. It was seen only by AVG (Win32/CryptExe) and Panda (Adware/NaviPromo), and looks suspicious to CAT-QuickHeal ((Suspicious) - DNAScan).

Thanks for the URL.

Hi svart,

Here is the technical information:
http://www.sophos.com/security/analyses/w32sdbotaec.html

polonus

@Polonus: No, it's not this one. It isn't called windir32, and it is not a trojan, but it displays ads and records navigation habits.

Avira already told me that the signature is new to them and will be added as TR/Agent.256512.

The point is Avast does not detect it: I found another one this morning, and Avast didn't react at all.

I sent the email to virus at avast.com on 10/2/2006.

Hi svart,

Thank you for the heads up, and keep us informed of the further findings, and eventually the technical info on this “beast”.

polonus