Trojan acleaner.exe was sent to the avast virlab 1 month ago; it still isn't detected by avast. Sent 3 times to the virlab approx. 1 month ago. It easily infects systems again and again, even with the latest avast updates. I am uninstalling avast and installing avira now.
This version is being detected: http://www.virustotal.com/file-scan/report.html?id=92e4133fd2e8ad893da6f0492133cf402805dfc0e835e74b4c59f7122099a1ac-1299740404
Can you give a VT scan link for your apparently undetected sample?
polonus
@OP: Please do so…!
http://www.virustotal.com/file-scan/report.html?id=92e4133fd2e8ad893da6f0492133cf402805dfc0e835e74b4c59f7122099a1ac-1300887432
Need to say that avira didn't recognize it either. I ran the file and it performed all its bad actions without any problems. In the registry it adds itself as taskman: c:\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013\acleaner.exe ((((
I will post a link to that file acleaner.exe in a few minutes.
Please scan the sample on VT and share the result.
File already submitted: the file sent has already been analysed by VirusTotal in the past. This is some basic info regarding the sample itself and its last analysis: MD5: 30e9e25d2e14a257903996c53093a3ed
Date first seen: 2011-07-25 03:44:24 (UTC)
Date last seen: 2011-07-25 13:04:03 (UTC)
Detection ratio: 19/43
File name: 30e9e25d2e14a257903996c53093a3ed
Submission date: 2011-07-25 13:04:03 (UTC)
Current status: finished
Result: 19/43 (44.2%)
VT Community: malware (safety score: 0.0%)
Antivirus Version Last Update Result
AhnLab-V3 2011.07.25.00 2011.07.24 -
AntiVir 7.11.12.87 2011.07.25 -
Antiy-AVL 2.0.3.7 2011.07.25 -
Avast 4.8.1351.0 2011.07.25 -
Avast5 5.0.677.0 2011.07.25 -
AVG 10.0.0.1190 2011.07.25 -
BitDefender 7.2 2011.07.25 Trojan.Generic.KD.299309
CAT-QuickHeal 11.00 2011.07.25 -
ClamAV 0.97.0.0 2011.07.24 -
Commtouch 5.3.2.6 2011.07.25 -
Comodo 9504 2011.07.25 -
DrWeb 5.0.2.03300 2011.07.25 Win32.HLLW.Autoruner.55040
Emsisoft 5.1.0.8 2011.07.25 Worm.Win32.Dorkbot!IK
eSafe 7.0.17.0 2011.07.25 -
eTrust-Vet 36.1.8463 2011.07.25 -
F-Prot 4.6.2.117 2011.07.24 -
F-Secure 9.0.16440.0 2011.07.25 Trojan.Generic.KD.299309
Fortinet 4.2.257.0 2011.07.25 W32/Injector.SLH!tr
GData 22 2011.07.25 Trojan.Generic.KD.299309
Ikarus T3.1.1.104.0 2011.07.25 Worm.Win32.Dorkbot
Jiangmin 13.0.900 2011.07.24 Heur:Trojan/Agent
K7AntiVirus 9.108.4937 2011.07.22 -
Kaspersky 9.0.0.837 2011.07.25 Trojan.Win32.Pincav.bjhq
McAfee 5.400.0.1158 2011.07.25 Generic.dx!back
McAfee-GW-Edition 2010.1D 2011.07.24 Heuristic.BehavesLike.Win32.Backdoor.H
Microsoft 1.7104 2011.07.25 Worm:Win32/Hamweq.A
NOD32 6322 2011.07.25 Win32/AutoRun.KS
Norman 6.07.10 2011.07.25 -
nProtect 2011-07-25.02 2011.07.25 -
Panda 10.0.3.5 2011.07.24 Trj/CI.A
PCTools 8.0.0.5 2011.07.25 -
Prevx 3.0 2011.07.25 High Risk Cloaked Malware
Rising 23.68.00.05 2011.07.25 -
Sophos 4.67.0 2011.07.25 Mal/Generic-L
SUPERAntiSpyware 4.40.0.1006 2011.07.24 -
Symantec 20111.1.0.186 2011.07.25 -
TheHacker 6.7.0.1.262 2011.07.24 -
TrendMicro 9.200.0.1012 2011.07.25 -
TrendMicro-HouseCall 9.200.0.1012 2011.07.25 TROJ_GEN.FFFCZGP
VBA32 3.12.16.4 2011.07.25 BScope.Jackz.g
VIPRE 9960 2011.07.25 Worm.Win32.Hamweq
ViRobot 2011.7.25.4587 2011.07.25 -
VirusBuster 14.0.136.0 2011.07.24 -
It seems that neither avast, nor avira, nor avg helped me(((
…do you have something against actually linking to the results?
Hmmm…
You said you sent the sample one month ago (in your initial post)…??
VT link from your MD5: http://www.virustotal.com/file-scan/report.html?id=8fe4ce4e720d5922db5545495cbaa992a56caee6975b5c7961a52ec5debaaed6-1311599043
I reported that file to the avast virlab from within the program. This virus has been known since the start of this year. On the Russian internet it was described at that time, together with ways to cure it. I'm using the demo version of Trojan Remover, which cleans it, but the system gets infected again from flash disks because it has no online file guard like avast, avira or avg have, and those didn't recognize the virus. And that virus is not malware; it has very intelligent modules, which are downloaded from the internet, and can stop antivirus from working, send spam, block internet surfing and other things. It comes together with Eomkomo.exe, aadrive32.exe, acleaner.exe and *.tmp files.
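The two indicators the thread gives for this worm, a "taskman" registry value pointing at an .exe under a RECYCLER\<SID> directory (earlier post) and re-infection from flash disks carrying acleaner.exe / aadrive32.exe / eomkomo.exe (the post above), can be checked mechanically. The script below is an added example written for this page; it is not code from the thread or from any of the vendors mentioned. It assumes the value the poster calls "taskman" is HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman (an autostart value that is normally absent), and the flash-drive layout it scans is constructed inline for the demo rather than read from a real device.

```python
import os
import re
import tempfile
from typing import Dict, List, Optional

# Where the "taskman" value the poster mentions lives. The full key path is an
# assumption made for this example; Winlogon\Taskman is an autostart value that
# is normally absent on a clean system.
TASKMAN_VALUE = r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman"

# File names the thread attributes to this worm.
KNOWN_NAMES = {"acleaner.exe", "aadrive32.exe", "eomkomo.exe"}

# RECYCLER\<SID-like directory>; the poster's path starts with "R-1-5-21", so
# both the usual "S-" and that "R-" spelling are accepted.
SID_DIR_RE = re.compile(r"^[SR]-1-5-21(?:-\d+){3,4}$", re.IGNORECASE)
# Full path as it would appear in the registry value: <drive>:\RECYCLER\<SID>\<name>.exe
RECYCLER_PATH_RE = re.compile(
    r"^[A-Za-z]:\\RECYCLER\\([SR]-1-5-21(?:-\d+){3,4})\\([^\\]+\.exe)$", re.IGNORECASE)
# Files the XP/2003 Recycle Bin itself keeps: deleted files are renamed to
# D<drive><index>.<ext> (e.g. Dc1.exe), plus the INFO2 index.
RECYCLED_NAME_RE = re.compile(r"^D[a-z]\d+\.", re.IGNORECASE)


def assess_taskman(value: Optional[str]) -> List[str]:
    """Explain why a Winlogon\\Taskman value looks like the worm's persistence.

    Returns an empty list for the normal case (value absent); a value that is
    set but shows none of the traits from the thread yields one finding.
    """
    findings: List[str] = []
    if not value:
        return findings
    v = value.strip().strip('"')
    findings.append(f"{TASKMAN_VALUE} is set (normally absent)")
    m = RECYCLER_PATH_RE.match(v)
    if m:
        findings.append("target lives under RECYCLER\\<SID>, not a program directory")
        if m.group(2).lower() in KNOWN_NAMES:
            findings.append(f"file name {m.group(2)} is one the thread associates with this worm")
    return findings


def find_recycler_executables(drive_root: str) -> List[str]:
    """List .exe files under <root>\\RECYCLER\\<SID>\\ that the Recycle Bin did not put there."""
    hits: List[str] = []
    recycler = os.path.join(drive_root, "RECYCLER")
    if not os.path.isdir(recycler):
        return hits
    for sid_dir in os.listdir(recycler):
        full = os.path.join(recycler, sid_dir)
        if not (SID_DIR_RE.match(sid_dir) and os.path.isdir(full)):
            continue
        for name in os.listdir(full):
            # A genuinely deleted program would have been renamed to Dc<n>.exe;
            # an .exe that kept its own name was dropped there deliberately.
            if name.lower().endswith(".exe") and not RECYCLED_NAME_RE.match(name):
                hits.append(os.path.join("RECYCLER", sid_dir, name))
    return sorted(hits)


def build_constructed_drive(root: str) -> None:
    """Lay out a fake flash-drive image for the demo (constructed data, not a real sample)."""
    sid = "R-1-5-21-1482476501-1644491937-682003330-1013"   # SID from the poster's path
    worm_dir = os.path.join(root, "RECYCLER", sid)
    os.makedirs(worm_dir, exist_ok=True)
    for name in ("acleaner.exe", "Dc1.exe", "INFO2"):      # worm, legit recycled exe, bin index
        with open(os.path.join(worm_dir, name), "wb") as f:
            f.write(b"MZ" if name.endswith(".exe") else b"")
    other = os.path.join(root, "RECYCLER", "not-a-sid")    # ignored: not an SID directory
    os.makedirs(other, exist_ok=True)
    open(os.path.join(other, "x.exe"), "wb").close()


def demo() -> Dict[str, object]:
    """Run both checks against the constructed drive and the poster's registry value."""
    root = tempfile.mkdtemp(prefix="usbroot-")
    build_constructed_drive(root)
    return {
        "hits": find_recycler_executables(root),
        "taskman": assess_taskman(
            r"c:\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013\acleaner.exe"),
        "clean": assess_taskman(None),
    }


if __name__ == "__main__":
    for key, result in demo().items():
        print(key, result)
```

On a live XP/2003 box the same two functions would be fed the real Taskman value (read with `winreg`) and the root of each removable drive; the Recycle Bin naming rule is what keeps a legitimately deleted program (Dc1.exe) from being reported, so a hit means an executable that was placed under RECYCLER by something other than the shell.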
Please send the sample to: virus(at)avast.com
done
This is the malware meant here: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FDorkbot.K
see: http://file.virscan.org/report/3c679df94258b65bbc878d749f9fdbb4.html
polonus
I read it; it seems not to be my case. My file is always named acleaner.exe (aadrive32.exe, eomkomo.exe). Even an antivirus could block it by name alone.
Thank you all for the help. The file was sent to the avast virlab, and in the near future I suppose there will be updated virus bases which cure it.
ps
I reinstalled avast again; it seems the other free-for-home-use ones, avira and avg, didn't cure it either and so have no benefits.
Thanks.
pondus, check your mail.
already detected by Malwarebytes as Trojan.Agent
Not detected by SUPERAntiSpyware
have sent the sample to avast and SAS
ThreatExpert report
http://www.threatexpert.com/report.aspx?md5=30e9e25d2e14a257903996c53093a3ed
I have analyzed the anubis report: http://anubis.iseclab.org/?action=result&task_id=166b5eb9b4df7ec54a15da70bdf780736&format=html
Load-time DLLs:
DLL" at address 0x7C900000 by thread 1. Successfully hooked module. … DllMain(0x7C900000, DLL_PROCESS_ATTACH, 0x00000000) in ntdll.dll, flagged as a security risk file since 2003, also User Mode rootkits exploit the slightly lower-level Native API, which invokes functions provided by the operating system’s ntdll.dll.
Kernel32.dll is the Windows base API DLL, which means it’s the dynamic load library (DLL) that handles memory,
This malware has the ability of effective camouflage. It disguises itself as msvcrt.dll, process infection at Base Address: [0x77C10000 ]. Users that want to look up a process infection or mutex list themselves for analyzing anubis reports etc. see here:
Now the run time dynamic linking tries to load DLL at run time:
BHO object 425718.OCX at Visual Studio default base address 0x10000000;
Netapi32.dll is a module that contains the Windows NET API used by applications to access a Microsoft network; in malware it could cause you to lose your network connection.
Run-time comctl32.dll errors will interrupt programs, it is a stealthy malware file programmed to appear as a legitimate file and execute different harmful actions on your compromised computer.
When hnetcfg.dll is loaded, the above files are automatically loaded too, else this dll won’t load.
Cloaked malware file, see: http://www.prevx.com/filenames/156583519112018831-X1/HNETCFG.DLL.html
The most interesting part of the executable is the “IP-stealer” tool … 0x71a50000,
mswsock.dll, is also found in Rootkit: Possibly Infostealer.Banker.C and Gampass malware.
UPX V2.9-3.X SN: 1730 is used in trojan worm constructors.
Registry connection info: Connections info SavedLegacySettings 0x3c0000001600000001000000000000000000000000000000040000000000
changes the default connection settings, several malware species that change this value have been reported for: e.g. W32.MyDoom.AB ,VP Killer trojan;
Monitored Registry Keys will change settings for Internet Explorer,
HEOIFZ.PIF is Trojan/Backdoor.
Kill the process HEOIFZ.PIF and remove HEOIFZ.PIF from the Windows startup.
HEOIFZ.PIF is known as: packed with UPX [Kaspersky Lab].
MD5 of HEOIFZ.PIF = 51EA6A72E85FCB31C08139BAC0C30E50
HEOIFZ.PIF size is 32852 bytes.
Full path on a computer: %PROGRAMFILES%\COMMON FILES\REALTECK\HEOIFZ.PIF
OCB.ini is a very malicious threat found in various keyloggers.
Settings in a device control preset are used during logging, capturing, and output
Device\KsecDD 0x00390008 8 - Memory Mapped Files for setting handle control.
The following files have been added to the system: %TEMP%\ECj1.tmp exploiting a JAVA degression bug.
Windows Sockets Helper DLL. wshtcpip.dll normally is found as:
MD5: 08b3a60a4dd7fae800b552f8f8d5deb0
Category: Process Monitor / Processes
ID / Size / Date: #115841 / 19.5 KB / 2006-05-08
Version / Publisher: 5.1.2600.2180(xpsp_sp2_rtm.040803-2158) / Microsoft Corporation
This bug is being exploited: http://www.mail-archive.com/debian-bugs-rc@lists.debian.org/msg110099.html
The malware at hand tries to connect out to China: China Unicom Shandong province network
and to CNCGROUP-SZ China Unicom Shenzhen network, both known as trojan Pepatch sites.
The explorer.exe infection is hard to detect, see: http://virscan.org/report/bc10cdd8fc1b56e4518b094b5da3a210.html
but it will considerably slow down the infected computer.
Buffered RPC data in rpcrt4.dll is a Remote Procedure Call Runtime.
Also, Windows programs usually do not need to monitor the status of the Shift, Ctrl, or Alt keys, but here this is being performed,
Imagehlp.dll runtime dll could lead to a BSOD: got the BSOD with the following message:
"Stop: c0000221 {Bad Image Checksum} The image imagehlp.dll is possibly corrupt.
Norman sandbox: generic trojan w32/malware found as %TEMP%\ECj1.tmp.
Creating website blocks through …MountPoints2\{a1094da8-30a0-11dd-817b-806d6172696f}\
This is found in Neosploit hack code: HKU\S-1-5-21-842925246-1425521274-308236825-500
\XID.hta deploy toolkit
Furthermore there is shut-downer code: IDE#CdRomQEMU_QEMU_CD-ROM________________________0.9.____
#4d51303030302033202020202020202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
On mshta.exe read http://www.backgroundtask.eu/Systeemtaken/taakinfo/3708/mshta.exe/
As a result of the malware, when the user opens infected partitions using Explorer,
mshta.exe will be launched from the opened partition, see:
http://cn2010-6-294www.virscan.org/report/d777d1b00bffea87f88d34d505817391.html
mshta.exe not a malcoded executable is required to access user accounts from the Control Panel,
also Advapi32.dll is required to run.
C:\Windows\AppPatch\AcGenral.DLL (trojan related)- not a valid Windows image…creating control panel issues - this is tracker code: Control Code 0x00090028
Access violation bug is exploited through Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll.
The library file, psapi.dll, contains program code used by Windows applications
to retrieve information about processes and/or device drivers running on the system,
and it is not known to be malicious, also here.
cmd.exe started by ecj1.tmp delivers a generic flag for malware that abuses the Java.lang.ArrayIndexOutOfBoundsException exploit and is detected by Norman's.
system32\ntdll.dll (0x7C900000) C is a malicious process running under explorer.exe
polonus
avast now detects it
VirusTotal - acleaner.exe - 29/43
http://www.virustotal.com/file-scan/report.html?id=8fe4ce4e720d5922db5545495cbaa992a56caee6975b5c7961a52ec5debaaed6-1311709276