Malware/Virus report

Hello,

I have been working with several customer PCs that got infected by clicking on MSN bot links.
The malware installs itself to c:\windows with the name rndll.exe.
As soon as rndll.exe runs it will check for G:\ (USB stick) and, if present, it will install an autorun.inf script and download a virus to it.
Avast does not report rndll.exe as malware/virus.
Avast recognizes the virus itself as VBS:Malware-gen but cannot delete it because rndll.exe keeps replacing it.

Detailed info:

rndll.exe logs in to MSN accounts and sends a message to all contacts:
“check your pictures haha http://www-photos***.com/photo.php?=xxxxx@hotmail.com” (address is edited to prevent accidents)
After the victim clicks the link, rndll.exe is downloaded to c:\windows. It is hidden as a system file, so you have to enable viewing system files in Explorer.

rndll.exe adds the following reg keys:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
@=""
"Firevall Administrating"="rndll.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Firevall Administrating]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="rndll"
"hkey"="HKLM"
"command"="rndll.exe"
"inimapping"="0"

The address http://www-photos***.com/photo.php?=xxxxx@hotmail.com points to 68.180.151.76.

Detailed info about 68.180.151.76:
The IP is recorded for escrow fraud:
http://escrow-fraud.com/search.php?&all=&dir=desc&start=50&sf=i
http://escrow-fraud.com/index.php?page=gallery&layout=99

Other sites hosted on this IP:
http://onsamehost.com/68.180.151.76/

IP listed as malware by the malwareurl.com team:
http://www.malwareurl.com/listing.php?domain=designaccents.biz

siteadvisor.com notes about the IP:
http://www.siteadvisor.com/sites/webbanker-cua-au.com/postid/?p=2464957

I do have the complete virus in a rar file, including the reg keys
(rndll.exe, autorun.inf, –¼‡‘Š•†‘Í€ŒŽ).
I can upload it if requested by an Avast representative.

Greets

Hello,

Since there is no reply on this topic, and no request for me to provide the virus files, I wonder if it's useful to report viruses…
I still want to see something done about Avast not detecting rndll; after all, I and a million others use or paid for this product.
Also, Avast is unable to remove this virus, not even with a boot-time scan.

Greetings

Hi, sorry for the delay.
The forum is mainly frequented by users like myself and visits from the company employees are often a little reduced on the weekends.

Please email the sample to virus@avast.com in a zipped (or rar) file and password protect it. Include the password in the body of the text. It may also be worthwhile to include the URL to this forum topic.

The file can also be scanned online at VirusTotal (multi-AV scanning). Please post a link to the scan result following the scan, which usually takes 1-4 minutes, depending on server load.

If the virus is present in the chest it can also be sent this way. The virus will be silently uploaded to Alwil during the next scheduled or manual VPS update.

Does Avast detect the virus on a boot scan but it keeps reappearing, or does it fail to detect it?
You could try MBAM (a very good on-demand antimalware scanner) to see if it can be detected and removed that way, if it has not already been removed manually.

Autorun Eater is a useful tool for helping prevent the spread of malware via USB drives. Hope this helps. Welcome to the forum.