system
782
PowerBackupandRestoreSetup Rogue as given here:
https://www.virustotal.com/file/0eb6c55cf33e5eb5df9421668e053492/analysis/
See: http://zulu.zscaler.com/submission/show/86fe042ecff6fb676437e9aea6199675-1337848118
Detection missed!
reported to avast! with the link to sites hosting malware 
Uploading sample to MBAM now ;D
Hi true indian,
Again a questionable one as I will explain below.
Given as non-malicious here: htxp://www.isthisfilesafe.com/md5/0EB6C55CF33E5EB5DF9421668E053492_details.aspx
Maybe a detection was flagged because the program is protected against reverse engineering with modern-wizard.bmp, which some scanners
will flag as a possible malware packer, but actually comes virusfree, and because of the presence of "checkver104.exe
& ioSpecial.ini / silent installer also sometimes flagged, depending on the location of it.
Scanned htxp://www.applicationbox.info/PowerBackupandRestoreSetup.exe with DrWeb’s online check turns up these results,
at some occasions commented by me at the end of the scan lines…
Engine version: 7.0.2.4281
Total virus-finding records: 2874792
File size: 962.25 KB
File MD5: 0eb6c55cf33e5eb5df9421668e053492
htxp://www.applicationbox.info/PowerBackupandRestoreSetup.exe - archive NSIS (NSIS packer identified by Fprot packer identifier)
htxp://www.applicationbox.info/PowerBackupandRestoreSetup.exe/script.bin - Ok
htxp://www.applicationbox.info/PowerBackupandRestoreSetup.exe/=9A=80\ioSpecial.ini - Ok
htxp://www.applicationbox.info/PowerBackupandRestoreSetup.exe/=9A=80\modern-wizard.bmp - Ok
htxp://www.applicationbox.info/PowerBackupandRestoreSetup.exe/AutoBackup.exe - Ok
htxp://www.applicationbox.info/PowerBackupandRestoreSetup.exe/Backup.dll - Ok
htxp://www.applicationbox.info/PowerBackupandRestoreSetup.exe/FileBackup.dll - Ok
htxp://www.applicationbox.info/PowerBackupandRestoreSetup.exe/FolderTree.dll - Ok (validity should be checked)
htxp://www.applicationbox.info/PowerBackupandRestoreSetup.exe/IrisSkin2.dll - Ok (Sunisoft - safe)
htxp://www.applicationbox.info/PowerBackupandRestoreSetup.exe/LogViewer.exe - Ok (- Module’
htxp://www.applicationbox.info/PowerBackupandRestoreSetup.exe/PowerBackupandRestore.exe - Ok
htxp://www.applicationbox.info/PowerBackupandRestoreSetup.exe/SimpleSync.dll - Ok (location should be verified)
htxp://www.applicationbox.info/PowerBackupandRestoreSetup.exe/CheckVer104.exe - archive BINARYRES
htxp://www.applicationbox.info/PowerBackupandRestoreSetup.exe/CheckVer104.exe/data001 - Ok
htxp://www.applicationbox.info/PowerBackupandRestoreSetup.exe/CheckVer104.exe/data002 - archive JS-HTML
htxp://www.applicationbox.info/PowerBackupandRestoreSetup.exe/CheckVer104.exe/data002/JSTAG_1[9][8c] - Ok
htxp://www.applicationbox.info/PowerBackupandRestoreSetup.exe/CheckVer104.exe/data002 - Ok
htxp://www.applicationbox.info/PowerBackupandRestoreSetup.exe/CheckVer104.exe - Ok
htxp://www.applicationbox.info/PowerBackupandRestoreSetup.exe/=9A=80\iOClean.ini - Ok / silent installer, could evoke Sandbox alert
htxp://www.applicationbox.info/PowerBackupandRestoreSetup.exe/=9A=80\InstallOptions.dll - Ok
htxp://www.applicationbox.info/PowerBackupandRestoreSetup.exe/=9A=80\ExecDos.dll - Ok
hxtp://www.applicationbox.info/PowerBackupandRestoreSetup.exe/=9A=80\System.dll - Ok
htxp://www.applicationbox.info/PowerBackupandRestoreSetup.exe - Ok
Typical executable flagged by Emsisoft, malware active since 012-05-18 08:10:59 - other instances from other domains closed.
Analysis see:
http://camas.comodo.com/cgi-bin/submit?file=9a0dd7a6e08b7476fde0dc774b72d0e8cd780883bd53a2747c078eab6ef0e4c7
a variant of Win32/Agent.SZW
Bitdefender flagged this variant of Win32/Agent.SZW as ROJ_LOWZONE.BMC (backdoor)
polonus
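An added example (not part of the original posts, and not Dr.Web's own tooling): a small Python parser for a nested scan listing of the kind quoted in the post above, which resolves the containers each member sits in and separates final verdicts from analyst annotations. The sample lines, host name and the wording of the non-"Ok" verdict are constructed assumptions.

```python
# Constructed sample in the shape of the scan listing quoted above; the host,
# file names and the non-"Ok" verdict are made up for illustration.
SAMPLE = """\
htxp://example.invalid/Setup.exe - archive NSIS
htxp://example.invalid/Setup.exe/script.bin - Ok
htxp://example.invalid/Setup.exe/CheckVer.exe - archive BINARYRES
htxp://example.invalid/Setup.exe/CheckVer.exe/data002 - archive JS-HTML
htxp://example.invalid/Setup.exe/CheckVer.exe/data002/JSTAG_1[9][8c] - Ok
htxp://example.invalid/Setup.exe/CheckVer.exe/data002 - Ok
htxp://example.invalid/Setup.exe/CheckVer.exe - Ok
htxp://example.invalid/Setup.exe/=9A=80\\iOClean.ini - Ok / silent installer
hxtp://example.invalid/Setup.exe/Dropper.dll - infected with Example.Trojan
htxp://example.invalid/Setup.exe - Ok
"""


def parse_listing(text):
    """Map each member (path relative to the scanned file) to archive type, verdict, note."""
    entries, root = {}, None
    for line in text.splitlines():
        path, sep, verdict = line.strip().partition(" - ")
        if not sep:
            continue
        path = path.split("://", 1)[-1]  # drop the scheme: it is defanged inconsistently
        root = root or path              # the first line names the scanned file itself
        if not path.startswith(root):
            continue
        rel = path[len(root):].lstrip("/") or "."
        entry = entries.setdefault(rel, {"archive": None, "verdict": None, "note": ""})
        if verdict.startswith("archive "):
            entry["archive"] = verdict.split()[1]   # container type, e.g. NSIS
        else:
            status, _, note = verdict.partition(" ")
            entry["verdict"], entry["note"] = status, note.strip(" /()")
    return entries


def container_chain(entries, rel):
    """Archive types a member is nested in, outermost first."""
    parents = sorted((k for k, e in entries.items()
                      if e["archive"] and (k == "." or rel.startswith(k + "/"))), key=len)
    return [entries[k]["archive"] for k in parents if k != rel]


def not_clean(entries):
    """Members whose final verdict is anything other than "Ok"."""
    return [k for k, e in entries.items() if e["verdict"] != "Ok"]
```

A container appears twice in such a listing (once when it is opened, once with its final verdict), so the parser merges both lines into one entry before any member is judged.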
system
784
That does seem an interesting one pol… I will surely upload this sample to comodo valkyrie and check if we have anything to be detected 
Thanks for the reports and analysis 
Hi true indian,
What I mean to say is it is interesting as all file analysis for malcode is in my view, but i.m.o. this detection does not qualify to be added to avast detection.
Emsisoft's and others' detection is based on a false interpretation of resource engineering protection and packer evaluation. The analysis that flags it is just not good enough to give the right interpretation and the malware and backdoor status is location dependent. All seems right there. At the end of the day it might well be this is a false positive, but leave the final verdict to avast analysts.
I for one would qualify it as a PUP detection not more, see -
htxp://anubis.iseclab.org/?action=result&task_id=185ec922d48bb01141d5963d0c58bd1d9&format=html
polonus
New undetected:
hxtp://urlquery.net/report.php?id=59292
but found malicious
htxp://zulu.zscaler.com/submission/show/5b124e86cc043c9d5a27951ccda33296-1337885769
hxtps://www.virustotal.com/url/e74c423163a1c2a577817added8452bf77f3907a65cff6bb726a44d594da3d6b/analysis/1337885933/
file scan gave: https://www.virustotal.com/file/ee093983a238538765e23737bdd82e8296fa895f27dbc532150accee74534c8b/analysis/1337885946/
a generic dropper detection for a variant of MSIL/Injector.ACV
reported to virus AT avast dot com,
polonus
See: htxps://www.virustotal.com/url/d957ed47e8e37a165ea08052eda3d435e86c62ffadcc7fc44d4d595f45cc9c3e/analysis/
and
htxps://www.virustotal.com/file/ee51df51d91daa155caf8b167d6966e65c3587347a207380b5449e1582f200f7/analysis/
polonus
system
789
Even from the VT link I can reconstruct the original malware site for that detection. Let me guess, it was this one htxp://zulu.zscaler.com/submission/show/8fe6f00a94e39973e4c97060f369deef-1338076028
accompanying VT scan: htxps://www.virustotal.com/file/f92bda7141b962e1eee36d2d54dd22a03ea27c0dee6924eeba96baedea85961c/analysis/
somewhat earlier than your one. But as you give an identifiable hash together with a searchable file-name I could do the reconstruction via
htxp://minotauranalysis.com/search.aspx?q=4d2ea30db117d9689f3d4718bbe44ebc
and what I can do others can do. It does not need rocket science to do this reconstruction to find the non-detection URL!
So I agree with and lean more and more towards DavidR’s point of view to first send a sample and VT results
to virus At avast dot com, and try to be restrictive with info here, until detection has been added,
polonus
Pondus
792
found by Chabbo… on Fake scan site
jotti
http://virusscan.jotti.org/en/scanresult/a2976e42d5d70b9d725f3c634aaa310f1bdad145
detected by Malwarebytes as Trojan.Dropper
uploaded to avast and SAS 
system
793
Java/Exploit.CVE-2012-0507.AP as reported by true indian is known to be a malicious backdoor Trojan, which runs without user knowledge and allows remote access to a PC for cyber criminals. This malware uses various files that exploit Java vulnerabilities. When it infects your system, hackers might get access to personal information like passwords or files.
Trojan.Maljava has the ability to block some programs from running, to make you think that your PC is at high risk. Every file of it is considered to be malicious, so if you find any - remove it as soon as possible under the guidance of a qualified removal expert.
On Vista & Win 7 malcode files can be found as:
%AllUsersProfile%~[random]
%AllUsersProfile%~[random]r
%AllUsersProfile%[random].dll
%AllUsersProfile%[random].exe
%AllUsersProfile%[random]
%AllUsersProfile%[random].exe
%UserProfile%\Desktop\Trojan.maljava.lnk
%UserProfile%\Start Menu\Programs\Trojan.maljava\Uninstall Trojan.maljava.lnk
%UserProfile%\Start Menu\Programs\Trojan.maljava\Trojan.maljava.lnk
To be protected, always make sure you have the latest Java version installed if you have Java installed, so you are not vulnerable, check: http://www.java.com/nl/download/installed.jsp
polonus
system
799
Missed JS/Exploit-Blacole.cx / fake LinkedIn spam leading to this malware via CVE-2011-3521 vuln, see: htxps://www.virustotal.com/file/d3af335637df9a1b29b9ed5e1cc0db6e60f313039ec758bfccfe0acebfb1e8d8/analysis/
see: htxp://zulu.zscaler.com/submission/show/e99c8ecf9c2b888f079a9ef0655ee90e-1338581545
IP address: 187.85.160.106, 184.106.200.65, 50.57.88.200, 50.57.43.49
Also found here that there was LinkedIn spam
So the payload is also here:
The payload is on immerialtv dot ru:8080/forum/showthread.php?page=5fa58bce769e5c2c hosted on the following IPs:
50.57.43.49 (Slicehost, US)
50.57.88.200 (Slicehost, US)
184.106.200.65 (Slicehost, US)
187.85.160.106 (Ksys Soluções Web, Brazil) See this address for our find
Plain list for copy-and-pasting:
50.57.43.49
50.57.88.200
184.106.200.65
187.85.160.106
all this reported to virus AT avast dot com
polonus