new trojan horse!

Viruses and worms
1

Hi!
i found a new trojan horse that is completly undetected by avast!
http://rapidshare.de/files/3600[broken]3457/Elite-Trojan.exe.html

2

Hi fritzl,

You should not put up links to live malware, some unexperienced might be tempted to click it.
I get the following leaks:

Leaks in window 0x32b22a0:
[+] [leaked object] (3145ba8) = [object Object]
[+] observe (3145bb8, chrome://safe/content/framework.js, 1060-1078) = function (aSubject, aTopic, aData) {
try {
item = aSubject.QueryInterface(Components.interfaces.nsIUpdateItem);
if (item.id != “{1650a312-02bc-40ee-977e-83f158701739}”) {
return;
}
if (aData == “item-uninstalled”) {
byebye = true;
var pref = Components.classes[‘@mozilla.org/preferences-service;1’].getService(Components.interfaces.nsIPrefBranch);
var firstInstall = false;
try {
firstInstall = pref.getBoolPref(“extensions.safe.firstinstall”);
} catch (ein) {
}
if (!firstInstall) {
pref.setBoolPref(“extensions.safe.uninstalled”, true);
window.open(“http://www.siteadvisor.com/ffuninstall.html?aff_id=” + getAffid());
}
}
} catch (e) {
}
}
prototype (164b928) = [object Object]
[+] [leaked object] (2022188) = [object Object]
[+] observe (2022190, chrome://switchproxy/content/proxy.js, 76-76) = function (subject, topic, data) {
switchproxy_populateList();
}
prototype (1ca68d8) = [object Object]
[+] [leaked object] (329c208) = [object Object]
[+] observe (329c210, chrome://downbar/content/downbaroverlay.js, 234-352) = function (subject, topic, state) {
var db_dl = subject.QueryInterface(Components.interfaces.nsIDownload);
var elmpath = db_dl.targetFile.path;
var fixedelmpath = elmpath.replace(/\/g, “\\”);
fixedelmpath = fixedelmpath.replace(/'/g, “\'”);
var db_fileext = elmpath.split(“.”).pop().toLowerCase();
window.setTimeout(“db_updateMini()”, 444);
db_updateProgressNow();
if (topic == “dl-start”) {
for (var i = 0; i <= db_ignoreList.length; ++i) {
if (db_fileext == db_ignoreList[i]) {
return;
}
}
var rdf = Components.classes[‘@mozilla.org/rdf/rdf-service;1’].getService(Components.interfaces.nsIRDFService);
var intNode = rdf.GetIntLiteral(1);
db_setRDFProperty(elmpath, “DownbarShow”, intNode);
db_startUpdateDLrepeat(elmpath);
document.getElementById(“downbar”).hidden = false;
}
if (topic == “dl-done”) {
var aElem = document.getElementById(elmpath);
try {
var clearTime = db_pref.getIntPref(“downbar.function.timeToClear”);
var shouldScan = db_pref.getBoolPref(“downbar.function.virusScan”);
} catch (e) {
}
if (shouldScan) {
var wm = Components.classes[‘@mozilla.org/appshell/window-mediator;1’].getService(Components.interfaces.nsIWindowMediator);
if (wm.getMostRecentWindow(“navigator:browser”) != window) {
return;
}
for (var i = 0; i <= db_excludeList.length; ++i) {
if (db_fileext == db_excludeList[i]) {
return;
}
}
try {
var AVProgLoc = db_pref.getCharPref(“downbar.function.virusLoc”);
var AVArgs = db_pref.getCharPref(“downbar.function.virusArgs”);
var AVExecFile = Components.classes[‘@mozilla.org/file/local;1’].createInstance(Components.interfaces.nsILocalFile);
var process = Components.classes[‘@mozilla.org/process/util;1’].createInstance(Components.interfaces.nsIProcess);
var args = AVArgs.split(" “);
for (var i = 0; i < args.length; ++i) {
args[i] = args[i].replace(/%1/g, elmpath);
args[i] = args[i].replace(/[Path]/g, elmpath);
}
AVExecFile.initWithPath(AVProgLoc);
if (AVExecFile.exists()) {
process.init(AVExecFile);
process.run(false, args, args.length);
} else {
var db_notFound = db_strings.getString(“AVnotFound”);
alert(db_notFound + AVProgLoc);
}
} catch (e) {
var db_failedAV = db_strings.getString(“failedAV”);
alert(db_failedAV);
return;
}
}
var autoClear = false;
if (db_clearList[0] == “all” | db_clearList[0] == “*”) {
autoClear = true;
} else {
for (var i = 0; i <= db_clearList.length; ++i) {
if (db_fileext == db_clearList[i]) {
autoClear = true;
}
}
}
if (autoClear) {
window.setTimeout((function () {db_animateDecide(elmpath, “clear”, {shiftKey:false});}), clearTime * 1000);
}
}
}
prototype (1f0c1a0) = [object Object]
[+] [leaked object] (329c258) = [object Object]
[+] observe (329c260, chrome://downbar/content/downbaroverlay.js, 1771-1791) = function (subject, topic, state) {
if (topic == “quit-application-granted”) {
try {
var launchDLWin = db_pref.getBoolPref(“downbar.function.launchOnClose”);
var clearOnClose = db_pref.getBoolPref(“downbar.function.clearOnClose”);
} catch (e) {
}
if (launchDLWin && db_gDownloadManager.activeDownloadCount > 0) {
var dlWin = window.open(“chrome://mozapps/content/downloads/downloads.xul”, “_blank”, “chrome,dialog=no,resizable”);
dlWin.tryToClose = (function () {return false;});
}
db_trimHistory();
if (clearOnClose) {
db_clearAll();
}
}
}
prototype (1f0cdf0) = [object Object]
[+] [leaked object] (2022200) = [object Object]
[+] observe (2022210, chrome://switchproxy/content/proxy.js, 79-79) = function (subject, topic, data) {
switchproxy_showMenus(false);
}
prototype (1f0cec0) = [object Object]
[+] [leaked object] (258a5d8, chrome://noscript/content/noscriptOverlay.js, 205-244) = function (ev) {
const ns = noscriptOverlay.ns;
const lm = ns.lookupMethod;
var a = ev.target;
while (!(a instanceof HTMLAnchorElement || a instanceof HTMLMapElement)) {
if (!(a = a.parentNode)) {
return;
}
}
const getAttr = lm(a, “getAttribute”);
const setAttr = lm(a, “setAttribute”);
const href = getAttr(“href”);
if (ns.getPref(“noping”, true)) {
var ping = getAttr(“ping”);
if (ping) {
lm(a, “removeAttribute”)(“ping”);
setAttr(“noping”, ping);
}
}
var jsURL;
if (href) {
jsURL = href.toLowerCase().indexOf(“javascript:”) == 0;
if (!(jsURL || href.indexOf(”#") == 0)) {
return;
}
} else {
jsURL = false;
}
var onclick = getAttr(“onclick”);
var fixedHref = fixedHref = (onclick && noscriptOverlay.extractLink(onclick)) ||
(jsURL && noscriptOverlay.extractLink(href)) || “”;
if (fixedHref) {
setAttr(“href”, fixedHref);
var title = getAttr(“title”);
setAttr(“title”, title ? "[js] " + title : (onclick || “”) + " " + href);
}
}
prototype (164aab8) = [object Object]

The DrWeb av link checker gives the link as: clean

polonus

3

Dr. Web does not detect it… or maybe it’s ‘protected’ by rapidshare and only downloading the file will be possible to analyse it ::slight_smile:

4

sure u cant detect it cause its a non-public trojan horse. that means that only a short number of people have it. i just got it from a friend who doesnt like the guy who wrote it :wink:

5

Why don’t you send it to virus@avast.com and help us to improve detection :wink:

6

ok. i thought when i show it here avast will detect it :slight_smile: