unknown_file_$PLUGINSDIR/DD_69.21.166.242_5112.exe not detected!

polonus · 2014-01-10T14:21:10.000Z

Only Norman to detect this malware. Maybe our good forum friend Pondus may know more about this detection. File is known as karen.exe and
VT has these scans on it: https://www.virustotal.com/nl/url/4df9c89e7718cc27e2daf0b290956febe8203e8a0115c34b88ddd49ef80c2a72/analysis/1389363098/
and
https://www.virustotal.com/nl/file/5471b6aeadcc6c5758f7bbd8207a97013a512a4cc09df1691a8e00dcd4df6bd1/analysis/1389363102/
urlquery flags it: http://urlquery.net/report.php?id=8775612
Comodo Web Inspector misses it completely: http://app.webinspector.com/public/reports/19374726

pol

Pondus · 2014-01-10T14:26:09.000Z

Maybe our good forum friend Pondus may know more about this detection.

File name: Karen.exe..... i was about say it is my wife. ;D

not that old. First submission 2013-12-21 19:30:56 UTC ( 2 weeks, 5 days ago )
i am at the airport now, so i will check later today … guess i have a reply from Norman tomorrow

possible FP

CopyrightCopyright © 2001-2011 Advantig. All rights reserved. Publisher televere Systems Product DualDesk Original name CustomerModule_69.21.166.242_5112_Direct.exe Internal name DualDesk File version 20.4.8.0 Description DualDesk Customer Module Comments For information and help visit: dualdesk.com

TwinHeadedEagle · 2014-01-10T14:31:01.000Z

Related to this

http://www.dualdesk.com/index.html

Probably FP

polonus · 2014-01-10T14:48:32.000Z

Thanks for the quick reactions folks,
Pondus, I am sorry to hear that “Young Karen” is a false positive ;D ;D
This was/is what VW’s safe virus viewer comes up with: http://support.clean-mx.de/clean-mx/view_virusescontent.php?url=http%3A%2F%2Fwww.televeresystems.com%2Fsupport-desk%2FKaren.exe
and the malware analysis report: http://camas.comodo.com/cgi-bin/submit?file=5471b6aeadcc6c5758f7bbd8207a97013a512a4cc09df1691a8e00dcd4df6bd1
see: http://www.averscanner.com/scan/9d/dd_69-21.166.242_5112.exe.shtml
So this is a Muldrop FP? → http://www.drwebhk.com/en/virus_techinfo/Trojan.MulDrop4.48977.html
DrWeb’s URL checker results:
hctp://www.televeresystems.com/support-desk/Karen.exe - archive NSIS

htxp://www.televeresystems.com/support-desk/Karen.exe/script.bin - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/_=9A=80\Splash.dll - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe - archive NSIS

htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe/script.bin - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe/=99=80\nsisdt.dll - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe/=9A=80\NSISdl.dll - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe/=9A=80\dialogsEx.dll - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe/=9A=80\nsExec.dll - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe/DualDesk.exe - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe/cad.exe - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe/ddUninst.exe - archive NSIS

htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe/ddUninst.exe/script.bin - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe/ddUninst.exe/_=9A=80\nsExec.dll - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe/ddUninst.exe - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/DD.txt - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/Splash.bmp - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/Logo.bmp - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/Icon1.ico - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/Icon2.ico - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/Blank.bmp - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/Ring.wav - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/Alex.txt - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/Barb.txt - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/EricR.txt - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/EricS.txt - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/Jeff.txt - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/Karen.txt - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/Kyle.txt - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/Rhea.txt - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/Sam.txt - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/Stacy.txt - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe - Ok

pol

polonus · 2014-01-10T15:00:42.000Z

The FP is because of an alert here -Injection Check

Suspicious Text before HTML
mzÿÿ¸////@øº´í!¸lí!this program cannot be run in dos mode.////$ïäsususurusuéusususu½////£xusu½£yusuluusurichsupelðkà^ô¸////@p@à0s´à p .textæ]^ ///.rdata¢pb@@.data¬¯t@à.n////data@à.rsrc àx@@ájl$zóâl$jàj$zóâl$hl$jpâuìì svw}ñwnèa~ggff»f~ ¹°ãó«àè#ðçej?/////úyãâÿmó«uìjr¾ìyó«j¾¸////yó«ôèbüèwej3ÿx2ûeàeäeèeì}üë}øeüï#ááeøáneðql è\à¡¶ r@}eøtrfn+eà;áráàneôbÿuôz#}üq/////±è¶ãóèjóçç@ááèeøë5äànzq#}ü±è¶ãóèjóçç@ááè?øfëd^/////¾ sæeèàãs¾pèàsumeð èvàu5¶är@vneøâ+eà;áráÿfîè°ÿeüé^////]àëc¾è,àu]äë%s¾°èàu]èëeè]ìeìeäeèeà]àeäÿuøfüpèï¶¸/////r@møéÿuøôsè±¶¬r@øeðmø|jxáàs0ìèø|ièøñùãiëóãø}pfpìèaøë#//////áü~qïèáàw///

quote from Web Security Test.
This is a typical false positive on a NSIS installer - it became flagged in the past as Adware Punisher, AVG and Kaspersky and Sophos flagged this new installer as trojan and found out later it was a false positive, so I think Norman will soon fix this fale positive.
So when we see archive NSIS we have to blink twice before saying it is malcode

Damian

Pondus · 2014-01-10T17:14:16.000Z

but there sloppy it department should uppgrade wordpress

http://sitecheck.sucuri.net/results/www.televeresystems.com

polonus · 2014-01-10T19:09:47.000Z

That means, dear Pondus, that they are vulnerable amongst other things to clickjacking.
htxp://www.televeresystems.com/wordpress/wp-content/themes/elogix/
For code hick-ups and insecurity see: http://jsunpack.jeek.org/?report=f466bffd2353189a4b029d9b7d2d14ffa583291a
On the elogix theme, read on the insecurity of such themes - web-applications-security/ error: undefined function $
and problems with the Stylesheet etc.
pingback goes here: htxp://www.televeresystems.com/wordpress/xmlrpc.php
vulnerable to WP pingback vulnerability in version 3.5 and RCI exploit: http://www.securityfocus.com/bid/14088/exploit
→ credit references, see: http://www.securityfocus.com/bid/14088/references

pol

Secondmineboy · 2014-01-10T19:23:57.000Z

Norman is detecting it as Malware.AJISX now.

Avira is still analysing the file.

Malwr: https://malwr.com/analysis/NjEyYWFlZDQ0ZTMyNDZhMWJiOTA5YjY0MGFlMzk1NmM/

File is malicious.

Secondmineboy · 2014-01-10T20:19:54.000Z

File is detected by DeepScreen.

Pondus · 2014-01-11T09:56:48.000Z

Norman lab confirms, it was a False Positive

Announcements