USB-password stealer not detected by avast...

The suspicious file was found to reside here: htxp://rapidshare.com/files/446310540/USB_pass_stealer.rar
Scanned the url there: http://www.virustotal.com/url-scan/report.html?id=5a640c38dad01ff4452cda27f58300bd-1299068298
no detections here: http://www.virustotal.com/file-scan/report.html?id=2b7f356222de69e46dc197b82dd33aa7cf230ae01b3e2cd6df0e6ff0b3c95438-1299072053
Avast does not detect this Application.NirSoft.ChromePassView.C aka Tool.PassView.323 (DrWeb); GData detects:
Application.NirSoft.ChromePassView.C (detection date: 02-05-2011).
Avast should add detection for it.

polonus

NORMAN analysis

USB_pass_stealer.rar : Clean!

Hi Pondus,

Do not know how this got under the av radar then? That malcreant’s tool was found online…

See the separate parts of this password stealing tool/scanner, and the way these are easily being detected by Norman:

Scans-
wirelessnetview http://www.virustotal.com/file-scan/report.html?id=ea8bc2993af2b7ef0d161ef015cc1094a24b4ec9435c09d96306406f47fc1d6a-1296114259
wireless keyview http://www.virustotal.com/file-scan/report.html?id=38a9e904b545ab0439dc1ed2b82b5c8a9190f8f0222204fee7f88e7ffa35455d-1296546595
passwordfox http://www.virustotal.com/file-scan/report.html?id=ba0680e722dcda3adc7a5ec95d920e961a2db7769b303b0593a0d9b20d1018f8-1296913889
operapassview http://www.virustotal.com/file-scan/report.html?id=1130504f6095d2b09fb1ad39323ab9448798b41eb925539e2128160cec106609-1296913770
netpass http://www.virustotal.com/file-scan/report.html?id=e833663b507bbf2e2f9c13bda716acdd82701985ca5ef7f2720fc5826d9fd370-1296913767
iepv http://www.virustotal.com/file-scan/report.html?id=f8a112b0d1ce4142e4d69cadfc2748c27026b491532fba18d9160f7eb48b4886-1296913730
iehv http://www.virustotal.com/file-scan/report.html?id=8aa4f14099eba2551811a5e58a4a8a2676d0d06fba6518b789dea34de2e8fe0a-1296913618
chromepass http://www.virustotal.com/file-scan/report.html?id=99ccb1c806eb059acf376867204d02d281ddb0ae9af9f13ea07c9ce024d4f0c6-1296913483

How can Norman say this is clean?

polonus

How can Norman say this is clean?

NORMAN analysis

The USB_pass_stealer.rar file is just an error text file, not the one intended. It was probably produced while downloading USB_pass_stealer.rar. This may occur if the file is not available on the source while downloading.

Sophos analysis

Thank you for your email. The file USB_pass_stealer.rar that you sent to us for analysis is just an ASCII file advising a download limit has been reached. Please do not hesitate to contact me if I can be of any further assistance.

Well wepawet has quite another view on it:
http://wepawet.cs.ucsb.edu/view.php?hash=5a640c38dad01ff4452cda27f58300bd&t=1299164139&type=js

Here again clean: http://www.garyshood.com/virus/results.php?r=1fc8eb7ae6a4c45ac9066aa0a143c147
but Scan Execution Time: 36.275
File Size: 228 bytes

And as you see below, they evade detection and analysis with a download limit…clever infesters,

at least we could scan: htxp://rapidshare.com/premzone_overlay_extendrapidpro.tpl?tcv=1299164170227 (suspicious)
http://www.virustotal.com/url-scan/report.html?id=fb5d5e506a51ddae74e86b48d82eae4a-1299161755
which ParetoLogic flags as Malware site
but no further results here: http://www.virustotal.com/file-scan/report.html?id=1fa446035b4413e7373bd38d33155e32f4740e3c19cd14e13f3cf6822773951b-1299165359

polonus

Avira analysis

The file 'USB_pass_stealer.rar' has been determined to be 'CLEAN'. Our analysts did not discover any malicious content.

The first link you gave goes to a RapidShare download where the file was, but it is no longer available…so what the downloader brings down is a clean file.
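The "clean" verdicts in this thread applied to a 228-byte text file, not to the archive. As an added example (not part of any post in the thread), here is a pre-submission check in Python that confirms a download named `.rar` really starts with a RAR signature and records its size and SHA-256. The function name and the sample bytes are constructed for illustration.

```python
import hashlib
import string

# RAR container signatures: RAR 1.5-4.x, then RAR 5.x
RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")
TEXT_BYTES = frozenset(string.printable.encode("ascii"))

# Constructed samples (not the real files from the thread)
SAMPLE_ERROR = b"ERROR: Download limit reached. Please try again later.\r\n"
SAMPLE_RAR4 = RAR_MAGICS[0] + b"\x00" * 32
SAMPLE_RAR5 = RAR_MAGICS[1] + b"\x00" * 32
SAMPLE_PE = b"MZ\x90\x00\x03\x00\x00\x00"


def classify_download(data: bytes) -> dict:
    """Check that a file saved as .rar is an archive before scanning it.

    A scanner verdict only describes the bytes it received, so the size and
    SHA-256 are kept alongside the verdict for comparison with the report.
    """
    report = {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_rar": data.startswith(RAR_MAGICS),
    }
    head = data[:512]
    is_text = bool(head) and all(b in TEXT_BYTES for b in head)
    lowered = head.lower()
    looks_html = any(t in lowered for t in (b"<html", b"<!doctype", b"<body"))
    if not data:
        report["verdict"] = "empty"
    elif report["is_rar"]:
        report["verdict"] = "archive"
    elif is_text or looks_html:
        # Typical of a host's error or quota page saved under the sample's name
        report["verdict"] = "placeholder-text"
    else:
        report["verdict"] = "unknown-binary"
    return report


if __name__ == "__main__":
    for name, blob in [("error page", SAMPLE_ERROR), ("rar4", SAMPLE_RAR4),
                       ("rar5", SAMPLE_RAR5), ("pe", SAMPLE_PE)]:
        r = classify_download(blob)
        print(f"{name:10} {r['size']:4} bytes  {r['verdict']:16} {r['sha256'][:16]}")
```

A `placeholder-text` verdict means the download should be repeated or the sample obtained another way before any scan result is trusted.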

Hi Pondus,

Thank you for your observations, much appreciated,

polonus