First seen by VirusTotal
2012-05-18 15:42:38 UTC ( 1 week, 4 days ago )
Last seen by VirusTotal
2012-05-18 15:42:38 UTC ( 1 week, 4 days ago )
Vipre gets it as malware JS generic
So is this typical JS malware?
Reported at virus@avast.com
Hi true indian,
We have detection for this wtool!
No suspicious behaviour detected here: -http://isthisfilesafe.net/sha1/ACE6F1D9AE3746410CE96375B839AB67FF470EEE_details.aspx
Comodo flags it as coming from a blacklisted domain (Norton Safe Web).
It is a UPX compressed Win32 Executable, Win32 EXE Yodas Crypter, heuristical PUP detection,
see: htxp://urlquery.net/queued.php?id=61259
see here: htxp://zulu.zscaler.com/submission/show/4a36a164d5849d229e6ff32189260198-1338389377
and accompanying VT report: htxps://www.virustotal.com/file/bfae89d3e5e39c49d0fa88a162226dd2a23cb6154a78c587764e9c532d84ae0b/analysis/
and you see now that avast detects this as Win32:PUP-gen [PUP]
polonus
Hi true indian,
Just for completion I give the DrWeb URL checker scan results:
Checking: htxp://wtool.searchlite.co.kr/update/WL01/WLU1004.exe
Engine version: 7.0.2.4281
Total virus-finding records: 2888364
File size: 252.79 KB
File MD5: 0154f76ab16eda3d602ef6ac3a10b773
htxp://wtool.searchlite.co.kr/update/WL01/WLU1004.exe packed by UPX
hxtp://wtool.searchlite.co.kr/update/WL01/WLU1004.exe packed by FLY-CODE
htxp://wtool.searchlite.co.kr/update/WL01/WLU1004.exe - archive NSIS
htxp://wtool.searchlite.co.kr/update/WL01/WLU1004.exe/script.bin - Ok
htxp://wtool.searchlite.co.kr/update/WL01/WLU1004.exe/=9A=80\IpConfig.dll - Ok
htxp://wtool.searchlite.co.kr/update/WL01/WLU1004.exe/=9A=80\NSISdl.dll - Ok
htxp://wtool.searchlite.co.kr/update/WL01/WLU1004.exe/_=9A=80\SelfDel.dll packed by UPX
htxp://wtool.searchlite.co.kr/update/WL01/WLU1004.exe/=9A=80\SelfDel.dll - Ok
htxp://wtool.searchlite.co.kr/update/WL01/WLU1004.exe/=9A=80\nsProcess.dll packed by FLY-CODE
htxp://wtool.searchlite.co.kr/update/WL01/WLU1004.exe/=9A=80\nsProcess.dll - Ok
htxp://wtool.searchlite.co.kr/update/WL01/WLU1004.exe/=9A=80\fct.dll - Ok
htxp://wtool.searchlite.co.kr/update/WL01/WLU1004.exe/WTool.dll - Ok
hxtp://wtool.searchlite.co.kr/update/WL01/WLU1004.exe/WTool.exe infected with Trojan.DownLoader5.33181
htxp://wtool.searchlite.co.kr/update/WL01/WLU1004.exe/_=9A=80\UAC.dll - Ok
This also gives a good impression of the packers that have been used. Flagged as Trojan.DownLoader5.33181,
which is a Graftor Riskware variant, but as stated in the above posting we have detection for it now.
polonus
@Pondus
This doesn't seem to be the same file… as the MD5s are different
Different MD5 yes… it comes from the URL polonus gave