New spyeye detection...PA.exe

See scan here: http://wepawet.iseclab.org/view.php?hash=8f70f117881b8d2b8997b126eebfe055&t=1303161124&type=js
and see here (not detected):
http://vscan.urlvoid.com/file/e7f93f0d7106ff1b0534fbe28023138d/cGEtZXhl/

So far only detected by McAfee: http://www.virustotal.com/file-scan/report.html?id=9aa49286577dbab965bcd943c46b1def61458663c7ca26a67160d5665f35a256-1303160759
initial detection by crash101

Anubis analysis here: http://anubis.iseclab.org/?action=result&task_id=15d3689998382e11479d495ba7fc0c464

Report for file created here: http://www.threatexpert.com/report.aspx?md5=7054c771a6b1ed49390ee7a6a3e83e20

polonus

Malwarebytes got it - pa.exe - Trojan.Agent

Hi Pondus,

Thanks for reporting back. This was first held to be a test run for Spy-eye,
but as seen from the analysis done at Anubis,
it is certainly a "winlock-trojan.ransom" variant
(Merjidoc and Xilitol also report this type of malware at VT).

As this type of malware is constantly being relaunched in morphed form to stay under the anti-malware radar,
it can best be detected by observing the separate characteristics found through analysis,
e.g. for pa.exe: mutexes, other executables, etc.

Three observations therefore:

See MD5 hashes for process pa.exe here:
http://www.pcpitstop.com/libraries/process/i/pa.exe.html

for 22CC6C32.exe, see: http://www.threatexpert.com/report.aspx?md5=7054c771a6b1ed49390ee7a6a3e83e20
and the link with Ransom.id here: http://vil.nai.com/vil/content/v_447482.htm

So Ransom.id must have been the reason why McAfee was able to flag this malware first;
I hope that, after MBAM, the others follow soon.

polonus
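The post above argues that a morphed sample slips past hash signatures but still shares characteristics (mutexes, dropped executables) with earlier variants. The following is an added example, not code from the thread or from any of the analysis services it links: a small matcher that parses a constructed sandbox-style summary and scores it against both a hash list and a characteristics list. The MD5s are the two quoted in the thread's links; the mutex name and the report format are hypothetical placeholders, not real indicators for this family.

```python
"""Hash-based vs characteristic-based matching of a sandbox report.

Added example for illustration. The MD5 values are the ones in the thread's
URLs; the mutex name and the report format are constructed placeholders.
"""
from dataclasses import dataclass

# MD5s quoted in the thread (pa.exe on URLVoid, 22CC6C32.exe on ThreatExpert).
KNOWN_MD5S = {
    "e7f93f0d7106ff1b0534fbe28023138d",
    "7054c771a6b1ed49390ee7a6a3e83e20",
}
# Behavioural characteristics. The mutex name is a constructed placeholder;
# the dropped file name is the executable named in the thread.
KNOWN_MUTEXES = {"Global\\example_lock_mutex"}   # hypothetical
KNOWN_DROPPED = {"22CC6C32.exe"}


@dataclass
class Report:
    md5: str
    mutexes: set
    dropped_files: set


def parse_report(text: str) -> Report:
    """Parse a minimal 'key: value' summary (constructed format, one item per line)."""
    md5, mutexes, dropped = "", set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "md5":
            md5 = value.lower()
        elif key == "mutex":
            mutexes.add(value)
        elif key == "dropped":
            # Keep only the file name so a different drop directory still matches.
            dropped.add(value.replace("/", "\\").split("\\")[-1])
    return Report(md5, mutexes, dropped)


def hash_match(report: Report) -> bool:
    """Signature-style check: exact hash only, defeated by any repack."""
    return report.md5 in KNOWN_MD5S


def characteristic_match(report: Report) -> list:
    """Return (kind, value) pairs for every known characteristic the sample shows."""
    hits = [("mutex", m) for m in sorted(report.mutexes & KNOWN_MUTEXES)]
    hits += [("dropped", f) for f in sorted(report.dropped_files & KNOWN_DROPPED)]
    return hits


def verdict(report: Report) -> str:
    """'known-hash' beats everything; otherwise require two independent
    characteristics before calling it a match, one alone is only 'suspicious'."""
    if hash_match(report):
        return "known-hash"
    hits = characteristic_match(report)
    if len(hits) >= 2:
        return "behavioural"
    if hits:
        return "suspicious"
    return "clean"


# Constructed sample reports: the original drop, a repacked (morphed) copy
# with a fresh hash but the same behaviour, and an unrelated clean binary.
ORIGINAL_REPORT = r"""
md5: 7054C771A6B1ED49390EE7A6A3E83E20
mutex: Global\example_lock_mutex
dropped: C:\WINDOWS\22CC6C32.exe
"""
MORPHED_REPORT = r"""
md5: 00000000000000000000000000000000
mutex: Global\example_lock_mutex
dropped: C:\Documents and Settings\user\22CC6C32.exe
"""
CLEAN_REPORT = r"""
md5: 11111111111111111111111111111111
mutex: Global\some_unrelated_mutex
dropped: C:\temp\setup.exe
"""

if __name__ == "__main__":
    for name, text in [("original", ORIGINAL_REPORT),
                       ("morphed", MORPHED_REPORT),
                       ("clean", CLEAN_REPORT)]:
        r = parse_report(text)
        print(f"{name:9s} hash={hash_match(r)!s:5s} verdict={verdict(r)}")
```

The point the script makes is the one in the post: the morphed copy fails the hash check outright but is still caught because it shows the same mutex and drops the same executable, which is why a sandbox report is worth more than a hash when a family is being repacked daily.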

http://xylibox.blogspot.com/2011/04/trojanransom.html

Hi Left123,

Good write-up on this there. Thanks for the link. Now 5 detections for it at VT:
http://www.virustotal.com/file-scan/report.html?id=9aa49286577dbab965bcd943c46b1def61458663c7ca26a67160d5665f35a256-1303198021

Avast does not detect it so far.

polonus