Pondus
Malwarebytes got it - pa.exe - Trojan.Agent
Hi Pondus,
Thanks for reporting back. This was first held to be a test run for Spy-eye,
but as seen from the point of the analysis done at Anubis’s,
it is certainly a “winlock-trojan.ransom” variant
(also Merjidoc and Xilitol report this type of malware at VT’s).
As this type of malware is constantly being launched in morphed form to go under the anti-malware radar,
it can best be detected by observing the separate characteristics found through analysis,
e.g. for pa.exe: mutexes, other executables etc.
Three observations therefore:
See MD5 hashes for process pa.exe here:
http://www.pcpitstop.com/libraries/process/i/pa.exe.html
for 22CC6C32.exe, see: http://www.threatexpert.com/report.aspx?md5=7054c771a6b1ed49390ee7a6a3e83e20
and the link with Ransom.id here: http://vil.nai.com/vil/content/v_447482.htm
So Ransom.id must have been the reason why McAfee was able to first flag this malware.
Hope that, next to MBAM, others follow soon,
polonus
Hi Left123,
Good write-up on this there. Thanks for the link. Now 5 detections for it at VT:
http://www.virustotal.com/file-scan/report.html?id=9aa49286577dbab965bcd943c46b1def61458663c7ca26a67160d5665f35a256-1303198021
Avast does not detect it so far,
polonus