Hello out there,

Vanish can create trojans and backdoors based on Metasploit/Meterpreter.
Only 23% of the scanners find this malware.
You can take a look at the binaries if you want:
hxtp://www.evil-s**t.de/vanish/
The password for the encrypted 7zip file is: “123456”

But another question: Why didn’t the behaviour shield react?
Oh and I’m using the free version with updated signatures.
If you are German, you can watch the whole YouTube video here:
https://www.youtube.com/watch?v=NiCdvszgPpM

Greetings from Germany
Matze

Also not detected by Malwarebytes or Superantispyware… soon in avast inbox :wink: and MBAM / SAS

Hey,

I hope so ^^. I’m not really into how the others do it. I have avast ;).
But anyway: Why doesn’t the behaviour shield detect the backdoors?
The way they do it should be often used, shouldn’t it?

Greetings
Matze

all files are now detected by Malwarebytes - Trojan.Backdoor

still not detected by avast and superantispyware…

improving…3/6

avast now detects all samples Avira calls TR/Swror… but not the one called BDS/Shell

Hi Pondus,

Also interesting is the ThreatExpert report: http://www.threatexpert.com/report.aspx?md5=2f8082afa07c3c881e2b1bf41ecbdaff

In the wild, this malware is known to connect to the following servers:

202.54.98.156 via TCP port 4444
10.10.10.31 via TCP port 443
188.50.82.246 via TCP port 1234

polonus