Not detected or sandboxed

The file that is available at this link is not sandboxed or detected by avast!. http://fileham.com/ad/setup/exad016.exe

Virus Total Scan: hxxps://www.virustotal.com/de/file/b930594a81444fbffb4c75b310bc96998bbe018289f3935bb41e51f164c76966/analysis/1361821195/

This is definitely Adware. There is no reputation warning.

I am in the process of running it on my VM

I received this warning

This is the install screen

@ Steven Winderlich
Please ‘modify’ your post and change the URL from http to hXXp, to break the link and avoid accidental exposure to suspect malware, thanks.

I think part of this problem is that virustotal can’t replicate all of the real-time avast functions like the behavior shield as in essexboy’s post…

O4 - HKLM..\Run: [FileHamBrowser] C:\Program Files\Fileham.com\FileHamBrowser\ÆÄÀÏÇÔŽ»ö±â.exe menu File not found C:\Documents and Settings\All Users\Start Menu\Programs\ÆÄÀÏÇÔ C:\Program Files\FileHam.com

These are the elements installed
I am going to reboot to see what happens next

Hi Steven Winderlich,

Make that link non-click-through with hxtp. This is unknown_file_FileHamBrowser/BrowserUninstall.ex-.
See: https://www.virustotal.com/nb/file/349220b2be2684675b81d1d9953f8eea12b38e49138d0c43ad5d8c1baafc8d44/analysis/
Avast may flag this upon running after download as riskware or PUP.
See: http://www.threatexpert.com/report.aspx?md5=c7774f488d6b0d587a94823de0ce9896
A lot of it has been closed: http://support.clean-mx.com/clean-mx/viruses.php?domain=fileham.com&sort=inetnum%20ASC
Closed 2013-02-16 23:14:29 after 3676.7 hrs of activity…
See: http://anubis.iseclab.org/?action=result&task_id=1c911c60fa1aa8c142ddbac118b7153e0&format=html
Firekeeper alert for this Trojan.Agent/Gen-Banker
=== Triggered rule ===
alert (msg:“The address you tried to access points to a Malware. Please visit http://www.malwarepatrol.net for more information”; url_content:“htxp://fileham.com/”; reference:url,www.malwarepatrol.net; fid:340704; rev:20130225172726;)

=== Request URL ===
htxp://fileham.com/ad/setup/exad016.exe

polonus
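The Firekeeper alert quoted above is a Snort-style rule: an action, then a parenthesised list of `key:value;` options, where `url_content` is the substring the request URL must contain for the rule to fire. As an added example (my own toy matcher, not Firekeeper's or malwarepatrol's code), the block below parses a rule in that shape and evaluates it against request URLs. It assumes only `url_content` decides a match (the other options are parsed but ignored), it accepts the defanged `hxxp`/`htxp` scheme used in forum posts so rules and URLs copied from a thread still compare correctly, and the non-matching URL is a constructed sample.

```python
"""Toy matcher for Firekeeper/Snort-style URL alert rules (added example)."""
import re
from dataclasses import dataclass

# The rule as it appears in the thread above (quotes may be curly after copy-paste).
RULE_TEXT = ('alert (msg:“The address you tried to access points to a Malware. '
             'Please visit http://www.malwarepatrol.net for more information”; '
             'url_content:“htxp://fileham.com/”; reference:url,www.malwarepatrol.net; '
             'fid:340704; rev:20130225172726;)')

# Defanged schemes seen in threads: hxxp, htxp, hXXp, hxxps ...
DEFANGED_SCHEME = re.compile(r'^h[xt]{2}p(s?)://', re.IGNORECASE)


def refang(url: str) -> str:
    """Turn a defanged scheme back into http(s) so rule and URL compare alike."""
    return DEFANGED_SCHEME.sub(lambda m: 'http' + m.group(1).lower() + '://', url)


@dataclass
class Rule:
    action: str            # e.g. "alert"
    options: dict          # option name -> list of values (an option may repeat)


def parse_rule(text: str) -> Rule:
    """Parse `action (k:v; k:"quoted v"; ...)` into a Rule."""
    text = text.strip().replace('\u201c', '"').replace('\u201d', '"')
    m = re.fullmatch(r'(\w+)\s*\((.*)\)', text, re.DOTALL)
    if not m:
        raise ValueError('not a rule: ' + text[:40])
    action, body = m.group(1), m.group(2)
    options: dict = {}
    # Quoted values may contain ':' and '/', bare values run up to the next ';'.
    for key, quoted, bare in re.findall(r'(\w+):(?:"([^"]*)"|([^;]*));', body):
        options.setdefault(key, []).append(quoted if quoted else bare.strip())
    return Rule(action, options)


def matches(rule: Rule, request_url: str) -> bool:
    """A rule fires when every url_content value is a substring of the URL."""
    url = refang(request_url)
    contents = rule.options.get('url_content', [])
    return bool(contents) and all(refang(c) in url for c in contents)


def check(rules, request_url: str):
    """Return (fid, msg) for each alert rule that fires on request_url."""
    return [(r.options.get('fid', ['?'])[0], r.options.get('msg', [''])[0])
            for r in rules if r.action == 'alert' and matches(r, request_url)]


if __name__ == '__main__':
    rules = [parse_rule(RULE_TEXT)]
    # First URL is the request from the thread; second is a constructed sample.
    for url in ('htxp://fileham.com/ad/setup/exad016.exe', 'http://example.org/index.html'):
        print(url, '->', check(rules, url) or 'no alert')
```

The defanging step is the part worth noting: a rule pasted with `htxp://` and a request URL pasted with `hxxp://` would never match each other byte for byte, so both sides are normalised before the substring test, mirroring what the IDS sees on the wire.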

It installs another browser, and does not appear to hijack IE or FF as I can see so far

It has an uninstall entry and uninstalls relatively cleanly

I feel this may just be another browser, that in this case is tailored towards Korean users

Hi essexboy,

Also consider this: http://google.com/safebrowsing/diagnostic?site=fileham.com/
And this: http://windowfin.com/bbs/board.php?bo_table=windowfin&wr_id=31410
and here: http://rightsecurity.blogspot.nl/2012/01/blog-post.html
But as I downloaded it with Malzilla and scanned with SAS (I just skimmed/scanned and never ran the executable), it detected Trojan.Agent/Gen-Banker, and even asked me to do a reboot to remove any further traces of it. There must be a generic detection pattern that both triggered SAS and my particular firekeeper IDS (with the latest malwarepatrol rules installed).

polonus

I played around with it and nothing untoward happened apart from the fact that to run it you need to use the Korean language pack, so I guess no one who does not speak Korean will use it

Edit: I ran OTL, AdwCleaner and Combofix on completion; all clean apart from a folder remnant

Hi essexboy,

Trust your expertise in analyzing the download status. Again here I would play completely safe and classify it as riskware for the time being.
By the way urlquery dot net scan IDS flags an alert: http://urlquery.net/report.php?id=1123533

Damian

Yep would concur, running some remaining tests to be 100%

From another download link scanned I get: https://www.virustotal.com/nb/url/78eceba99b91021a29d23673d3daffffb9a07c6f2698cfcab47b77a44d6f42cb/analysis/1361829120/ and https://www.virustotal.com/nb/file/b930594a81444fbffb4c75b310bc96998bbe018289f3935bb41e51f164c76966/analysis/
Rather consistent results.
This is also strange on the initial download link that Steven Winderlich provided: http://vurldissect.co.uk/default.asp?url=http%3A%2F%2Ffileham.com%2F&btnvURL=Dissect&selUAStr=1&selServer=1&ref= (vurldissect scans are being IP-monitored against abuse)

Page Title: No HTML title tags found
Server Response: 200 [ OK ]
Server Type: Apache
Server IP: 115.71.7.14 115.71.7.15 115.71.7.16 115.71.7.17 115.71.7.11 115.71.7.12 115.71.7.13
IP PTR: IP does not appear to have a PTR record
IP does not appear to have a PTR record
IP does not appear to have a PTR record
IP does not appear to have a PTR record
IP does not appear to have a PTR record
IP does not appear to have a PTR record
IP does not appear to have a PTR record
Links found?: 0
Scripts found?: 4
iFrames found?: 0
MD5: 49471e6d5bba1b2e268ba4a9dd86abb0
Dissected: This URL has been dissected 1 times
Last Dissected: 2/25/2013 10:01:30 PM
Link to this query: http://vurldissect.co.uk/?url=XXXXXX
Flagged here: http://www.siteadvisor.com/sites/115.71.7.14

polonus

Well I went on a clicking frenzy and nothing happened … All tools report clear

I have no response from Behavior Shield. And it's right there in the Programs list in Control Panel. And I have no installation screen.

Comodo Instant: http://camas.comodo.com/cgi-bin/submit?file=b930594a81444fbffb4c75b310bc96998bbe018289f3935bb41e51f164c76966

Comodo File Intelligence: http://file-intelligence.comodo.com/windows-process-virus-malware/exe/exad016

Comodo File Verdict: http://v.comodo.com/Result.html?sha1=fc68a8bda37fbb73007e65de91be25d5509560ae&&query=0&&filename=exad016.exe

Threat Expert: http://www.threatexpert.com/report.aspx?md5=c7774f488d6b0d587a94823de0ce9896

I do have behaviour shield set to ask, due to the number of weird programmes I download

I also set them to ask. Well, I am using modified settings.