Is this a real virus or just a PUP?

Heuristic flag for WS.Reputation.1 detected in one instance here: wXw.castlesoft.net/download/dictionary.exe
See: http://wepawet.iseclab.org/view.php?hash=746c128fd7755ece0d6ed5ba6f73aa7d&t=1302358672&type=js
qualified as suspicious - Anubis report: http://anubis.iseclab.org/?action=result&task_id=16aa33fc273baf1a4b14b1a9c8991d48f&format=html
Again there it says no threats could be detected,
see: htxp://jsunpack.jeek.org/dec/go?report=49e390080829d6895dc0ca93cb385b1629d21b97
(for the security aware, visit sandboxed and with script blocking enabled)
The file is malware known as “CaM.Malware.Win32.PEx.Delphi.1008594529”. - 40191 source: nick=CRDF
Date: 2011-04-01
Domain: wXw.castlesoft.net/download/dictionary.exe
IP: 217dot66dot226dot15
CC: PS
ASN: 15975
Autonomous System Name: Palnet Communications (Hadara Tech) AS Number
Md5 (click for ThreatExpert report): 8980ce008fd864b9ed1bbdbc5445f86b
(source malc0de.com)
See:
http://www.virustotal.com/file-scan/report.html?id=130027af469aaf26aeaa7fc96e660e12272852e8e22318a9e585a388ae6b284b-1302060166
Heuristic detection, malware or PUP (riskware)? Googling for “CaM.Malware.Win32.PEx.Delphi” leads to more qualifications as riskware, PUP, remote admin tool etc. So avast could have detected this as Win32:PUP-gen.

polonus

Well folks, it seems that this flag as WS.Reputation is based on users questioning the webreputation of the site in question or what is on there, similar site: htxp://ircinfo.ru/download/config-generator.exe
See: http://www.virustotal.com/latest-report.html?resource=6ad86721b23f727b16ec759a1f83efee
See: http://www.virustotal.com/file-scan/report.html?id=19ee18fd145a31a52343329d37b0ce79868dac65be3dbc14019dbddaafe3216a-1301760851
But this is not a site with riskware, but found to be dangerous here:
http://www.urlvoid.com/scan/ircinfo.ru
a site with many instances of IRC.BOT on it
hxtp://ircinfo.ru/download/pirc2_2.exe (Trojan.Zlob)

polonus

Zlob detected, I wouldn’t classify Zlob as a PUP. I am just happy that Zlob is no longer under development.
Regards

hmmmm…not detected here…

URLVoid - 6/10
http://vscan.novirusthanks.org/analysis/64b1d3c83339a0bd2ad7d68c1ca94ed2/cGlyYzItMi1leGU=/

VirusTotal seems to be down today…and everyone is trying to use jotti and virscan…so they are also down ;D or is it only me :slight_smile:

Hi Pondus,

Internal service errors due to heavy loads, too busy there, probably. They are back at the moment. dictionary.exe as malware is a worm, see: http://www.prevx.com/filenames/X3230575065581185308-X1/DICTIONARY.EXE.html
and it is malware making its return from the year 2007…recent find reported here: http://forums.malwarebytes.org/index.php?showtopic=80195

polonus

This is in response to what polonus posted because for some very very strange reason I have something going on with my Avast. It is detecting very few infections, as well as the above files were not detected. I need to fix or ditch so if someone would be willing to assist me in this challenge; that would be awesome.

Hi Shaggie - what is the exact problem you have?

Hi SHAGGIE,

Follow essexboy’s instructions and let us see if you really had a malcode infection or what else could be the matter,

polonus