PAK_Generic.001 - Is uharc.ex- malware or a generic find?

See: http://www.virustotal.com/url-scan/report.html?id=3ce449ccc678ab0b5a8e561b323f218b-1324474343
and
http://www.virustotal.com/file-scan/report.html?id=738456acb566c044033deade90aa79f2628cfc913abe7137b5de1c399fe58631-1324478018
http://camas.comodo.com/cgi-bin/submit?file=d0ac1fe496f6f90d965d1b658329483620a279c6bba3b1f667392b069a1f993e
See:
=http://180.113.179.100/WIN32.EXE - archive RAR

=http://180.113.179.100/WIN32.EXE/UHARC.exe packed by UPX

=http://180.113.179.100/WIN32.EXE/UHARC.exe packed by PESTUB

=http://180.113.179.100/WIN32.EXE/UHARC.exe -
=http://180.113.179.100/WIN32.EXE/file.uha -
=http://180.113.179.100/WIN32.EXE -
See: http://anubis.iseclab.org/?action=result&task_id=14ce4aaa6e837532485f7f03a448ac12a

Has trojan payload, heap corruption in msvcr80.dll & RAT characteristics.

Consider this info: http://www.computer-support.nl/Systeemtaken/taakinfo/65813/Uharc.exe/
or for English/American users:
http://www.backgroundtask.eu/Systeemtaken/taakinfo/65813/Uharc.exe/
see: http://www.runscanner.net/lib/uharc.exe.html
see: http://f.virscan.org/uharc.exe.html

polonus

Norman sandbox - http://180.113.179.100/WIN32.EXE
WIN32.EXE : Not detected by Sandbox (Signature: NO_VIRUS)

[ DetectionInfo ]
* Filename: C:\analyzer\scan\WIN32.EXE.
* Sandbox name: NO_MALWARE
* Signature name: NO_VIRUS.
* Compressed: NO.
* TLS hooks: NO.
* Executable type: Application.
* Executable file structure: OK.
* Filetype: PE_I386.

[ General information ]
* Decompressing UPX3.
* File length: 324522 bytes.
* MD5 hash: fc841cdc6d09e3638e40b9c32b7d0cec.
* SHA1 hash: f74de43c0988f160f1a310f308da631a0ad3ee60.

[ Changes to filesystem ]
* Creates directory C:.
* Creates directory C:\WINDOWS.
* Creates directory C:\WINDOWS\TEMP.
* Creates directory C:\WINDOWS\TEMP\RarSFX0.
* Creates file C:\WINDOWS\TEMP\RarSFX0__tmp_rar_sfx_access_check_55378667.
* Deletes file C:\WINDOWS\TEMP\RarSFX0__tmp_rar_sfx_access_check_55378667.
* Creates file C:\WINDOWS\TEMP\RarSFX0\UHARC.exe.
* Creates file C:\WINDOWS\TEMP\RarSFX0\file.uha.

[ Process/window information ]
* Creates a window with caption WinRAR \xea\xe3\x8b\x87\xf6 and classname #32770.
* Creates dialog control (static) with id 108 and caption .
* Creates dialog control (static) with id 101 and caption \xee\x07\x87\xf69(&D).
* Creates dialog control (combobox) with id 102 and caption .
* Creates dialog control (button) with id 103 and caption O\xc8(&W)…
* Pressing button with id 1.
* Attempts to (null) C:\WINDOWS\TE.
* Attempts to (null) uharc.exe e file.uha.
* Creates process “uharc.exe”.

[ Signature Scanning ]
* C:\WINDOWS\TEMP\RarSFX0\UHARC.exe (111104 bytes) : no signature detection.
* C:\WINDOWS\TEMP\RarSFX0\file.uha (118440 bytes) : no signature detection.

Malwarebytes detects it as Trojan.Serverstart.
SuperAntiSpyware does not detect it.

ThreatExpert
http://www.threatexpert.com/report.aspx?md5=fc841cdc6d09e3638e40b9c32b7d0cec

Avast already defines

http://online.us.drweb.com/cache/?i=847ca5c4ab6265df3057e300f96e6f28

WIN32.EXE packed by NSPACK

WIN32.EXE - archive CAB

WIN32.EXE/Rmqub.exe packed by ASPACK

WIN32.EXE/Rmqub.exe infected with Trojan.DownLoader5.6538

@Dim@rik,

Well thanks for verifying,

polonus

UHARC.exe

Sent to 2 laboratories … Avast and DrWeb. Let's look at what the analysts say.

Sent to 2 laboratories ... Avast......
you're late ;D

;D I already knew … ehhh

Hi Pondus and Dim@rik,

Anyway, with you two around we know for sure the labs will have all the samples.

polonus

SOPHOS lab… quick as usual :wink:

WIN32.EXE -- identity created/updated (New detection Troj/Zegost-R)

Norman

This file is a multi-compressed file. It was first compressed with SFX and after that compressed with the UHARC compressor. The actual compressed file is already detected by Norman. Detection on this archive may lead to a FP. The actual Win32.exe is detected as W32/Packed_NSPack.A.

Nice find!

DrWeb lab…

WIN32.EXE - Trojan.MulDrop3.23120 http://vms.drweb.com/virus/?i=1690824
MD5: 4c1ce091c5dfe58b2509134a8cafaf56

UHARC.exe - The file you sent is in the Dr.Web database of trusted (clean) files and is not a threat.
MD5: 50ce184e4cf489dac8b75a6023f67020