Pondus
2
Maybe our good forum friend Pondus may know more about this detection.
File name: Karen.exe..... I was about to say it is my wife. ;D
not that old. First submission 2013-12-21 19:30:56 UTC ( 2 weeks, 5 days ago )
I am at the airport now, so I will check later today … guess I have a reply from Norman tomorrow
possible FP
Copyright: Copyright © 2001-2011 Advantig. All rights reserved.
Publisher: televere Systems
Product: DualDesk
Original name: CustomerModule_69.21.166.242_5112_Direct.exe
Internal name: DualDesk
File version: 20.4.8.0
Description: DualDesk Customer Module
Comments: For information and help visit: dualdesk.com
Thanks for the quick reactions folks,
Pondus, I am sorry to hear that “Young Karen” is a false positive ;D ;D
This was/is what VW’s safe virus viewer comes up with: http://support.clean-mx.de/clean-mx/view_virusescontent.php?url=http%3A%2F%2Fwww.televeresystems.com%2Fsupport-desk%2FKaren.exe
and the malware analysis report: http://camas.comodo.com/cgi-bin/submit?file=5471b6aeadcc6c5758f7bbd8207a97013a512a4cc09df1691a8e00dcd4df6bd1
see: http://www.averscanner.com/scan/9d/dd_69-21.166.242_5112.exe.shtml
So this is a Muldrop FP? → http://www.drwebhk.com/en/virus_techinfo/Trojan.MulDrop4.48977.html
DrWeb’s URL checker results:
hctp://www.televeresystems.com/support-desk/Karen.exe - archive NSIS
htxp://www.televeresystems.com/support-desk/Karen.exe/script.bin - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/_=9A=80\Splash.dll - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe - archive NSIS
htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe/script.bin - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe/=99=80\nsisdt.dll - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe/=9A=80\NSISdl.dll - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe/=9A=80\dialogsEx.dll - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe/=9A=80\nsExec.dll - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe/DualDesk.exe - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe/cad.exe - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe/ddUninst.exe - archive NSIS
htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe/ddUninst.exe/script.bin - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe/ddUninst.exe/_=9A=80\nsExec.dll - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe/ddUninst.exe - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/DD.txt - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/Splash.bmp - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/Logo.bmp - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/Icon1.ico - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/Icon2.ico - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/Blank.bmp - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/Ring.wav - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/Alex.txt - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/Barb.txt - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/EricR.txt - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/EricS.txt - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/Jeff.txt - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/Karen.txt - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/Kyle.txt - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/Rhea.txt - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/Sam.txt - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/Stacy.txt - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe - Ok
pol
The FP is because of an alert here -Injection Check
Suspicious Text before HTML
mzÿÿ¸////@øº´í!¸lí!this program cannot be run in dos mode.////$ïäsususurusuéusususu½////£xusu½£yusuluusurichsupelðkà^ô¸////@p@à0s´à p .textæ]^ ///.rdata¢pb@@.data¬¯t@à.n////data@à.rsrc àx@@ájl$zóâl$jàj$zóâl$hl$jpâuìì svw}ñwnèa~ggff»f~ ¹°ãó«àè#ðçej?/////úyãâÿmó«uìjr¾ìyó«j¾¸////yó«ôèbüèwej3ÿx2ûeàeäeèeì}üë}øeüï#ááeøáneðql è\à¡¶ r@}eøtrfn+eà;áráàneôbÿuôz#}üq/////±è¶ãóèjóçç@ááèeøë5äànzq#}ü±è¶ãóèjóçç@ááè?øfëd^/////¾ sæeèàãs¾pèàsumeð èvàu5¶är@vneøâ+eà;áráÿfîè°ÿeüé^////]àëc¾è,àu]äë%s¾°èàu]èëeè]ìeìeäeèeà]àeäÿuøfüpèﶸ/////r@møéÿuøôsè±¶¬r@øeðmø|jxáàs0ìèø|ièøñùãiëóãø}pfpìèaøë#//////áü~qïèáàw///
quote from Web Security Test.
This is a typical false positive on an NSIS installer - it was flagged in the past as Adware Punisher; AVG, Kaspersky and Sophos flagged this new installer as a trojan and found out later it was a false positive, so I think Norman will soon fix this false positive.
So when we see "archive NSIS" we have to blink twice before saying it is malcode.
Damian
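To make the two points above concrete (the "Suspicious Text before HTML" trigger and the "archive NSIS" caution), here is an added Python example; it is not code from the thread or from any of the scanners mentioned. It does what a URL checker's injection check does in miniature: it looks at a fetched body, decides whether it is HTML, a plain PE executable or an NSIS-packaged PE (NSIS writes the string `NullsoftInst` in its first header), and records "executable where HTML was expected" as something to review rather than as a malware verdict. The sample bytes are constructed here, not taken from Karen.exe.

```python
import struct

# Marker NSIS writes into its first header (preceded by 0xDEADBEEF).
NSIS_MARKER = b"NullsoftInst"


def is_pe(data: bytes) -> bool:
    """True if data starts with an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def is_nsis(data: bytes) -> bool:
    """A PE that carries the NSIS first-header marker is an NSIS installer."""
    return is_pe(data) and NSIS_MARKER in data


def looks_like_html(data: bytes) -> bool:
    """Cheap sniff: HTML or XML prolog after optional BOM / whitespace."""
    head = data.lstrip(b"\xef\xbb\xbf \t\r\n").lower()[:64]
    return head.startswith((b"<!doctype html", b"<html", b"<?xml"))


def classify(data: bytes, expected_html: bool) -> dict:
    """Return the finding a URL checker would record for this body.

    An executable served where HTML was expected is worth a human look
    ('review'); the NSIS marker alone only says 'installer', not 'malware'.
    """
    if looks_like_html(data):
        kind = "html"
    elif is_nsis(data):
        kind = "nsis-installer"
    elif is_pe(data):
        kind = "pe"
    else:
        kind = "other"
    finding = {"kind": kind, "suspicious_text_before_html": False, "verdict": "ok"}
    if expected_html and kind != "html":
        finding["suspicious_text_before_html"] = True
        finding["verdict"] = "review"
    return finding


def build_fake_pe(extra: bytes = b"") -> bytes:
    """Constructed sample: 64-byte DOS stub, e_lfanew -> 0x40, then a PE signature."""
    stub = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", stub, 0x3C, 0x40)
    return bytes(stub) + b"PE\x00\x00" + b"\x00" * 20 + extra


# Constructed inputs (not real files).
SAMPLE_HTML = b"<!DOCTYPE html><html><body>support desk</body></html>"
SAMPLE_PLAIN_PE = build_fake_pe()
SAMPLE_NSIS = build_fake_pe(b"\xef\xbe\xad\xde" + NSIS_MARKER + b"script.bin")

if __name__ == "__main__":
    for name, body in [("html", SAMPLE_HTML), ("pe", SAMPLE_PLAIN_PE), ("nsis", SAMPLE_NSIS)]:
        print(name, classify(body, expected_html=True))
```

Run as a script it prints one finding per constructed sample; the NSIS one comes back as `review` with `suspicious_text_before_html` set, which is the scanner's situation here, and the verdict stays short of "malicious" because an NSIS archive is exactly what a legitimate installer looks like.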
Pondus
6
That means, dear Pondus, that they are vulnerable amongst other things to clickjacking.
htxp://www.televeresystems.com/wordpress/wp-content/themes/elogix/
For code hiccups and insecurity see: http://jsunpack.jeek.org/?report=f466bffd2353189a4b029d9b7d2d14ffa583291a
On the elogix theme, read on the insecurity of such themes - web-applications-security/ error: undefined function $
and problems with the Stylesheet etc.
pingback goes here: htxp://www.televeresystems.com/wordpress/xmlrpc.php
vulnerable to WP pingback vulnerability in version 3.5 and RCI exploit: http://www.securityfocus.com/bid/14088/exploit
→ credit references, see: http://www.securityfocus.com/bid/14088/references
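The clickjacking remark above can be verified from response headers alone. The following is an added Python example, not code from the thread or from the site it discusses: it checks a header set for `X-Frame-Options` (`DENY` or `SAMEORIGIN`) or a Content-Security-Policy `frame-ancestors` directive and reports whether the page may be framed by other origins. The header sets are constructed here for illustration; they are not captured from televeresystems.com.

```python
def clickjacking_protection(headers: dict) -> dict:
    """Assess framing protection from HTTP response headers.

    Header names are matched case-insensitively. ALLOW-FROM is treated as no
    protection because browsers have dropped support for it; a CSP
    frame-ancestors directive is the modern control and wins when present.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    xfo = lower.get("x-frame-options", "").strip().upper()
    csp = lower.get("content-security-policy", "")
    frame_ancestors = None
    for directive in csp.split(";"):
        directive = directive.strip()
        if directive.lower().startswith("frame-ancestors"):
            frame_ancestors = directive.split(None, 1)[1] if " " in directive else ""
            break
    protected = frame_ancestors is not None or xfo in ("DENY", "SAMEORIGIN")
    return {
        "protected": protected,
        "x_frame_options": xfo or None,
        "frame_ancestors": frame_ancestors,
        "finding": "ok" if protected else "page can be framed cross-origin (clickjacking risk)",
    }


# Constructed header sets (not real responses).
THEME_PAGE_HEADERS = {"Content-Type": "text/html", "Server": "Apache"}
XFO_HEADERS = {"Content-Type": "text/html", "X-Frame-Options": "sameorigin"}
CSP_HEADERS = {"content-security-policy": "default-src 'self'; frame-ancestors 'self'"}
ALLOW_FROM_HEADERS = {"X-Frame-Options": "ALLOW-FROM https://example.invalid"}

if __name__ == "__main__":
    for name, hdrs in [("theme", THEME_PAGE_HEADERS), ("xfo", XFO_HEADERS),
                       ("csp", CSP_HEADERS), ("allow-from", ALLOW_FROM_HEADERS)]:
        print(name, clickjacking_protection(hdrs))
```

The fix on the server side is the same check in reverse: send `Content-Security-Policy: frame-ancestors 'self'` (and `X-Frame-Options: SAMEORIGIN` for older clients) on every HTML response, theme pages included.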
pol
Norman is detecting it as Malware.AJISX now.
Avira is still analysing the file.
Malwr: https://malwr.com/analysis/NjEyYWFlZDQ0ZTMyNDZhMWJiOTA5YjY0MGFlMzk1NmM/
File is malicious.
File is detected by DeepScreen. 
Pondus
10
Norman lab confirms, it was a False Positive