Spybanker trojan not detected by avast...[SOLVED]

See: http://wepawet.iseclab.org/view.php?hash=43094cd3284beb5a0dd76a6964586784&t=1302307101&type=js
Malware resides at: htxp://www.advogadosdovale.adv.br/flash/play.mp3
PE32 executable for MS Windows (GUI) Intel 80386 32-bit
content type: application/x-dosexec
Virustotal scan: http://www.virustotal.com/file-scan/report.html?id=0f704fb4b15c8f735dd3b73f9600f530cfc0425cc528c5288b31488a3df38c14-1302307138

polonus
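A check for the mismatch reported in the post above (a file named play.mp3 whose content is a PE32 executable), as an added example that is not part of the original thread. The extension list, the function names and the header-only sample bytes are assumptions constructed for illustration.

```python
import os
import struct

# Assumed set of "harmless-looking" extensions; .mp3 is the one in this thread.
MEDIA_EXTS = {".mp3", ".wav", ".jpg", ".gif", ".png"}
MACHINES = {0x014C: "Intel 80386 32-bit", 0x8664: "x86-64"}
FORMATS = {0x010B: "PE32", 0x020B: "PE32+"}
SUBSYSTEMS = {2: "GUI", 3: "console"}

def describe_pe(data):
    """Return a file(1)-style description if data starts with a PE image, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)   # e_lfanew in the DOS header
    opt_off = pe_off + 24                               # PE signature (4) + COFF header (20)
    if opt_off + 70 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    (machine,) = struct.unpack_from("<H", data, pe_off + 4)
    (magic,) = struct.unpack_from("<H", data, opt_off)
    (subsystem,) = struct.unpack_from("<H", data, opt_off + 68)
    if magic not in FORMATS:
        return None
    return "%s executable for MS Windows (%s) %s" % (
        FORMATS[magic],
        SUBSYSTEMS.get(subsystem, "subsystem %d" % subsystem),
        MACHINES.get(machine, "machine 0x%04x" % machine))

def flag_disguised(filename, data):
    """Return the PE description when a media-named file is really an executable."""
    ext = os.path.splitext(filename)[1].lower()
    return describe_pe(data) if ext in MEDIA_EXTS else None

def build_sample():
    """Constructed header-only PE32 image (no code; not the file from the thread)."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)             # PE header starts at 0x80
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x010B)              # optional-header magic: PE32
    struct.pack_into("<H", opt, 68, 2)                  # Subsystem: Windows GUI
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    print(flag_disguised("play.mp3", build_sample()))
    print(flag_disguised("play.mp3", b"ID3\x03\x00" + bytes(200)))
```
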

Numbers have gone up a bit since that last scan, http://www.virustotal.com/file-scan/report.html?id=0f704fb4b15c8f735dd3b73f9600f530cfc0425cc528c5288b31488a3df38c14-1302307895 15/42.

Hi DavidR,

Gave the original virustotal find that came with the live link of the malware (virustotal can give internal server errors once in a while). Cannot report on that original source link for obvious reasons. So, numbers have gone up a bit since, so there is even more reason I reported this find to avast via mail to add detection for this. Generally avast catches up quite fine after some time, so I will keep an eye out for detection.
Link still up and alive, see htxp://jsunpack.jeek.org/dec/go?report=9a43d6fdedc5216c159a2ffebe47cf43d22b270c (see attached image)
(Only visit jsunpack if you know what you are doing, go there sandboxed and with ample script protection)
What was strange is that I could not get the accompanying Anubis report from the wepawet analysis site of that malware link:

Error - No Executable File

Unfortunately your file could not be executed.
Either your file is not a valid Windows executable or some of its startup-dependencies have not been met.

According to the Unix file command your file is of the following type:
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

Back to the start

It could be that here again the old Delphi generic BobSoft Mini Delphi is being flagged; there were issues with that in the past…

polonus

In case you haven’t already, submitted to avast :wink:

Hi spg SCOTT,

Landed there twice then, see attached active screen dump of that malcode in malzilla,

polonus

Avast has detection now as Win32:Spyware-gen, see
http://www.virustotal.com/file-scan/report.html?id=0f704fb4b15c8f735dd3b73f9600f530cfc0425cc528c5288b31488a3df38c14-1302349918

polonus

Make that three, might account for the speed ;D