Is this undetected malware? [SOLVED]

Hi forum friends,

See this scan, which is clean: http://vscan.urlvoid.com/analysis/1db64dd315f015a05f964a95e6f1f0f8/bXVsdGktYXYtZXhl/
Given as goodware here: http://www.virustotal.com/file-scan/report.html?id=60fe2cf9d4f9af947f07b3b25bc8f1219af7bc5a141368c03de5d224dca0a0da-1322638534
Given as undetected here: http://camas.comodo.com/cgi-bin/submit?file=60fe2cf9d4f9af947f07b3b25bc8f1219af7bc5a141368c03de5d224dca0a0da
See Anubis analysis here: http://anubis.iseclab.org/?action=result&task_id=1d967eef0778e8b341d9360f371646cd
On Anubis analysis we find an unnamed file 0x00120028 Performs File Modification and Destruction - WDUF49AN\readme[1].exe typical for Zeus…

polonus

Hello,
the link to Anubis page doesn’t work. I didn’t observe the described behavior:

On Anubis analysis we find an unnamed file 0x00120028 Performs File Modification and Destruction - WDUF49AN\readme[1].exe typical for Zeus...

It just unpacks files and opens some pdf help file.

Milos

The Anubis analysis is here: http://anubis.iseclab.org/?action=result&task_id=19afc46e44e047ee4719cd04f8228a636
The unknown executable comes from: -http://pctipp.ch/ds/28400/28470/Multi_AV.exe
date 2011-11-30 00:00:29

polonus

ThreatExpert - Multi_AV.exe
http://www.threatexpert.com/report.aspx?md5=1db64dd315f015a05f964a95e6f1f0f8

Hi Pondus,

Thank you for diving into this. I also found this scan with the MD5 hash of it: http://f.virscan.org/EUC.EXE.html
Here the same link to it is given: http://www.wilderssecurity.com/showthread.php?t=286907
When I analyze with jsunpack I stumble upon this: -qs.wemfbox.ch/?1
See: -http://qs.wemfbox.ch/?microsof//CP//MSNDECH/home found via: http://www.malware-control.com/statics-pages/09109bb7ec2ebe5a81c422c0a440320e.php

And more here: -www.pctipp.ch/js/domtab.js suspicious
[suspicious:2] (ipaddr:212.98.39.7) (script) -www.pctipp.ch/js/domtab.js
status: (referer=-www.pctipp.ch/downloads/sicherheit/35905/tool.html)saved 9299 bytes 3b8a1b4bf4fa89147a4d63c5a439344fc5a1e66f
info: [decodingLevel=0] found JavaScript
suspicious: maxruntime exceeded 10 seconds (incomplete) 0 bytes

polonus

Norman lab

Multi_AV.exe : Clean!

Hi Pondus,

Thanks, so we can reach the conclusion that this is goodware.

polonus