The suspicious file was found to reside here: htxp://rapidshare.com/files/446310540/USB_pass_stealer.rar
Scanned the url there: http://www.virustotal.com/url-scan/report.html?id=5a640c38dad01ff4452cda27f58300bd-1299068298
no detections here: http://www.virustotal.com/file-scan/report.html?id=2b7f356222de69e46dc197b82dd33aa7cf230ae01b3e2cd6df0e6ff0b3c95438-1299072053
Avast does not detect this Application.NirSoft.ChromePassView.C aka Tool.PassView.323 (DrWeb), GData detects:
Application.NirSoft.ChromePassView.C (detection date: 02-05-2011);
Avast should add detection for it,
polonus
Well wepawet has quite another view on it:
http://wepawet.cs.ucsb.edu/view.php?hash=5a640c38dad01ff4452cda27f58300bd&t=1299164139&type=js
Here again clean: http://www.garyshood.com/virus/results.php?r=1fc8eb7ae6a4c45ac9066aa0a143c147
but Scan Execution Time: 36.275
File Size: 228 bytes
And as you see below, they evade detection and analysis with a download limit…clever infesters,
at least we could scan: htxp://rapidshare.com/premzone_overlay_extendrapidpro.tpl?tcv=1299164170227 (suspicious)
http://www.virustotal.com/url-scan/report.html?id=fb5d5e506a51ddae74e86b48d82eae4a-1299161755
which ParetoLogic flags as Malware site
but no further results here: http://www.virustotal.com/file-scan/report.html?id=1fa446035b4413e7373bd38d33155e32f4740e3c19cd14e13f3cf6822773951b-1299165359
polonus
Pondus
The first link you gave goes to a RapidShare download where the file was, but it is no longer available…so what the downloader brings down is a clean file.
Hi Pondus,
Thank you for your observations, much appreciated,
polonus