Potentially damaging executable not detected?

See: https://www.virustotal.com/nl/url/1ea43df4fc28d4c2b5d52b90558095616c5c49f13e2ec681f71193918fd0ecc3/analysis/1388082510/
See: https://www.virustotal.com/nl/file/7ff472619079f9ac41f44889e969c5f9f9c2207eccf9c29ff87f52cc8919d8d4/analysis/1388082519/
and http://app.webinspector.com/public/tasks/16620954
What is out there? unknown_file_$INSTDIR/GreenDou.exe URL subjected to threat C2/Generic-A.
Nothing here: http://urlquery.net/report.php?id=8561896
But flags here: http://urlquery.net/report.php?id=8547992
Analysis see: http://anubis.iseclab.org/?action=result&task_id=1be84ba86c17f9e74b9d5344bfa163e06&format=html
For the download site, consider: http://www.scumware.org/report/213.242.77.71 and http://www.urlvoid.com/ip/113.107.42.55/

pol

Kaspersky is detecting it as UDS:Dangerous.Object.Multi.Generic.

Undetected by Avast.

ThreatExpert: http://www.threatexpert.com/report.aspx?md5=825b710cc6da5e05c752bbab4b04c731

Malwr: https://malwr.com/analysis/YWVjZWRkODQyZWRmNGY3ZjhkMWNlYmMyNjA0NGZhOWI/

Very interesting result.

That homepage. I’ve seen it before.

Also, is this a 0access rootkit?

I saw that webpage also before. Common with Adware and PUPs.

According to VirusTotal this is a generic Trojan.

After execution it's downloading something in the background, and BOTH files are running in memory then.

File is still being processed by Kaspersky Lab.

Hi Steven Winderlich, alan1998 and Pondus,

Maybe we have stumbled onto something suspicious here; time to forward to avast for detection results, I guess,
related to this downloader: http://camas.comodo.com/cgi-bin/submit?file=308a13460daa2e6cb624bf91d08391d2e2a457dee57f31f9ebd8d3e77b200fe8

Damian

I reported the file via quarantine to Avast Research Lab.

Will see how they do.

Hi Steven Winderlich,

The sample_1.exe&ini=open.ini makes it suspicious-looking enough to qualify as malware.
See: Up(nil): unknown_file_$INSTDIR/GreenDou.exe APNIC CN abuse at gddc dot com dot cn 113.107.56.85 to 113.107.56.85 qiniudn dot com htxp://vvdown.u.qiniudn.com/exe/0.exe?download/av2015-202-12554.exe → http://support.clean-mx.de/clean-mx/viruses?id=17409280
https://www.virustotal.com/en/file/308a13460daa2e6cb624bf91d08391d2e2a457dee57f31f9ebd8d3e77b200fe8/analysis/
Generic Genome Downloader variant, also missed by avast! there; 29 out of 47 detect :o

polonus
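The indicator line above is written in the thread's defanged notation (htxp://, "dot", "at") so that it cannot be clicked by accident. As an added example, not code from this thread or from any of the tools it links, here is a small Python helper that refangs such text, pulls out the IPs, domains, URLs and abuse contacts, and defangs a single indicator again for safe sharing. The sample string is constructed here in the same notation; nothing is fetched from the network.

```python
import re
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in the defanging style used in the thread (not copied from it).
SAMPLE = ("abuse at gddc dot com dot cn 113.107.56.85 qiniudn dot com "
          "htxp://vvdown.u.qiniudn.com/exe/0.exe?download/av2015-202-12554.exe")

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL = re.compile(r"https?://[^\s<>\"']+", re.I)
EMAIL = re.compile(r"[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def refang(text: str) -> str:
    """Turn defanged notation back into parseable indicators.

    Caveat: the word-based forms (" dot ", " at ") are ambiguous in free prose;
    run this over indicator lines, not whole paragraphs.
    """
    t = re.sub(r"\s+dot\s+", ".", text, flags=re.I)                 # "gddc dot com" -> "gddc.com"
    t = re.sub(r"\s+at\s+", "@", t, flags=re.I)                      # "abuse at host" -> "abuse@host"
    t = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", t)                      # "host[.]tld" -> "host.tld"
    t = re.sub(r"\bh(?:xx|tx|xt)p(s?)://", r"http\1://", t, flags=re.I)  # htxp/hxxp -> http
    return t


def _valid_ip(s: str) -> bool:
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def extract_iocs(text: str) -> dict:
    """Refang, then extract indicators by type; URLs and emails are removed
    before the bare-domain pass so path segments like '0.exe' are not taken
    for domains."""
    t = refang(text)
    urls = URL.findall(t)
    rest = URL.sub(" ", t)
    emails = EMAIL.findall(rest)
    rest = EMAIL.sub(" ", rest)
    ips = [ip for ip in IPV4.findall(rest) if _valid_ip(ip)]
    domains = {d.lower() for d in DOMAIN.findall(rest)}
    domains.update(urlsplit(u).hostname for u in urls)       # hosts from URLs
    domains.update(e.split("@", 1)[1].lower() for e in emails)  # abuse-contact domains
    return {
        "ips": sorted(set(ips)),
        "urls": sorted(set(urls)),
        "emails": sorted(set(emails)),
        "domains": sorted(d for d in domains if d),
    }


def defang(ioc: str) -> str:
    """Make one indicator safe to paste: http -> hxxp, dots in the host -> [.]."""
    m = re.match(r"(https?)://([^/?#]+)(.*)", ioc, re.I | re.S)
    if m:
        scheme, host, rest = m.groups()
        scheme = scheme[0] + "xx" + scheme[3:]             # "http" -> "hxxp", "https" -> "hxxps"
        return f"{scheme}://{host.replace('.', '[.]')}{rest}"
    return ioc.replace(".", "[.]")


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE)
    for kind, values in iocs.items():
        for v in values:
            print(f"{kind:8s} {defang(v)}")
```

Feeding the extracted, refanged values into a blocklist or a SIEM lookup is the point; the defanged form is only for pasting into a report or a forum post like this one.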

Yep.

Cannot give a new VT scan because the file scanner is not working at the moment; URL scan is working, also the last analysis.

The GreenDou.exe file is loading and running a ton of DLL files, as you can see under behavioral analysis in Malwr.

Hi Steven Winderlich,

As far as I can establish it modifies registry settings to prevent anti-virus and firewall applications from functioning correctly.
A malicious Trojan horse or bot that may represent a security risk for the compromised system and/or its network environment.
Good that you guys responded to my initial report,

Damian

No problem.

That's the only good thing we can do.

Everything else is Avast's job. :smiley:

With a Mac you don't really need to bother about these threats, but there are also Mac threats out there.

It is a randomized download and this should also be considered: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A/detailed-analysis.aspx
The urlquery dot net report should flag this with an IDS alert,

polonus