Pondus
2
The sigcheck looks strange…
Sigcheck
publisher…:
product…: rgeg
internal name…:
copyright…:
original name…: grer.exe
file version…: rg
description…:
And it is new at VT, so it may be correct.
First seen by VirusTotal
2012-08-27 20:07:31 UTC (4 days, 20 hours ago)
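The Sigcheck block above is what makes the file look odd: no publisher, no copyright, no description, a product name and file version that are just a few random letters. As an added example (not code from the thread or from Sigcheck), here is a small Python triage helper that scores those version-info fields. The scoring rule and threshold are this example's own assumptions, and the "legit" contrast record is constructed, not taken from a real binary; the sample record reproduces exactly the fields printed in the post.

```python
import re

# Version-info fields as Sigcheck printed them for the sample in the post
# (blank values are the empty fields shown above).
SAMPLE_VERSION_INFO = {
    "publisher": "",
    "product": "rgeg",
    "internal name": "",
    "copyright": "",
    "original name": "grer.exe",
    "file version": "rg",
    "description": "",
}

# Constructed contrast case resembling a normal vendor-built binary;
# the values are illustrative, not taken from a real file.
LEGIT_VERSION_INFO = {
    "publisher": "Example Corporation",
    "product": "Example Office Suite",
    "internal name": "exoffice",
    "copyright": "Copyright (C) Example Corporation. All rights reserved.",
    "original name": "EXOFFICE.EXE",
    "file version": "6.1.7600.16385",
    "description": "Example Office Suite launcher",
}

# Dotted numeric form such as 1.0.0.1; an assumed acceptance rule for this heuristic.
DOTTED_VERSION_RE = re.compile(r"^\d+(\.\d+){1,3}$")


def _looks_like_random_token(value):
    """True for short, all-lowercase alphabetic tokens like 'rgeg' or 'grer.exe'."""
    stem = value.rsplit(".", 1)[0] if "." in value else value
    return bool(stem) and len(stem) <= 4 and stem.isalpha() and stem.islower()


def triage_version_info(info, threshold=3):
    """Score a version-info block; returns (suspicious, findings).

    Heuristic only (an assumption of this example, not a rule from the thread):
    legitimate releases normally fill publisher/copyright/description, use a
    dotted numeric file version, and carry readable product/file names.
    """
    findings = []
    for field in ("publisher", "copyright", "description"):
        if not info.get(field, "").strip():
            findings.append("%s: empty" % field)
    version = info.get("file version", "").strip()
    if not DOTTED_VERSION_RE.match(version):
        findings.append("file version: %r is not dotted-numeric" % version)
    for field in ("product", "original name"):
        value = info.get(field, "").strip()
        if _looks_like_random_token(value):
            findings.append("%s: %r looks like a random short token" % (field, value))
    return len(findings) >= threshold, findings


if __name__ == "__main__":
    for label, info in (("sample", SAMPLE_VERSION_INFO), ("legit", LEGIT_VERSION_INFO)):
        suspicious, findings = triage_version_info(info)
        print(label, "suspicious" if suspicious else "clean", findings)
```

Run against the posted fields it reports all six signals; an empty field or a short name on its own is not enough to flag a file (plenty of small legitimate tools ship with thin version info), which is why the result is a score against a threshold rather than a single yes/no test.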
polonus
3
Hi Pondus,
All part of this malware campaign, described here: http://www.mywot.com/en/forum/21464-qai-jar-malware-cve-2010-1885?page=16
See the network connection 67.215.225.205:8080.
polonus
Pondus
4
Well, it seems Norman found it first… but the scan you posted was 4 days old.
Here is the latest:
https://www.virustotal.com/file/b0c1f702fd706d4454ae0dc852c4f882d69b2da62b9a3b06c218bd0d74d54f4d/analysis/1346520125/
And here Norman does not detect it???
I will check it…
OK, the VT file you posted has MD5 95ad8e46c1847d150bec9ab42ba2e85f.
The one that comes down now has MD5 3e23d62adc21bf701eb1eb5263be0ad5.
So it is not the same file; I guess that explains it… and Norman added an autosignature on that one: Troj_Generic.DUHCA (autoadded).
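The point Pondus lands on is worth making mechanical: a download URL is not an identifier for a file, a hash is. The VT link quoted above is keyed on the SHA-256, so it pins one exact file, while the URL the malware is served from can hand out a different binary on each fetch. As an added example (not code from the thread or from VirusTotal), here is a Python helper that checks a downloaded file against whatever hash a report quotes (MD5, SHA-1 or SHA-256, picked by digest length) and groups repeated fetches of one URL by SHA-256. The two MD5s are the ones quoted in the post; the fetch timestamps and payload bytes are constructed stand-ins and will not hash to those MD5s.

```python
import hashlib

# Hashes quoted in this thread: the MD5 of the file in the older VT report and
# the MD5 of the file the same URL served on re-download.
REPORT_MD5_OLD = "95ad8e46c1847d150bec9ab42ba2e85f"
REPORT_MD5_NEW = "3e23d62adc21bf701eb1eb5263be0ad5"

# Hex-digest length identifies which algorithm a reported hash uses.
_HASH_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}


def digests(data):
    """MD5, SHA-1 and SHA-256 of the bytes, as lowercase hex."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def matches_reported_hash(data, reported):
    """True if the bytes are the file a report refers to, whichever hash it quotes."""
    reported = reported.strip().lower()
    algorithm = _HASH_BY_LENGTH.get(len(reported))
    if algorithm is None:
        raise ValueError("unrecognised hash length: %d" % len(reported))
    return digests(data)[algorithm] == reported


def vt_analysis_url(data):
    """VT's per-file URL is keyed on SHA-256 (as in the link quoted in the post),
    so a VT link pins one exact file, not whatever a download URL serves later."""
    return "https://www.virustotal.com/file/%s/analysis/" % digests(data)["sha256"]


def distinct_payloads(fetches):
    """Group (timestamp, bytes) pairs by SHA-256; more than one group means the
    same download URL handed out different files over time."""
    groups = {}
    for fetched_at, data in fetches:
        groups.setdefault(digests(data)["sha256"], []).append(fetched_at)
    return groups


# Constructed stand-ins for two downloads of the same URL on different days.
# The real payloads are not reproduced here, so these bytes do not hash to
# the MD5s above; they only exercise the comparison.
FETCHES = [
    ("2012-08-27T20:07:31Z", b"MZ\x90\x00placeholder payload, first download"),
    ("2012-09-01T12:00:00Z", b"MZ\x90\x00placeholder payload, second download"),
]


if __name__ == "__main__":
    for fetched_at, data in FETCHES:
        verdict = "matches old report" if matches_reported_hash(data, REPORT_MD5_OLD) else "differs from old report"
        print(fetched_at, digests(data)["md5"], verdict)
    print("%d distinct payload(s) seen" % len(distinct_payloads(FETCHES)))
```

Before arguing about which scanner "missed" a file, run the sample you actually have through `matches_reported_hash` against the hash the report quotes; if it returns False you are comparing two different files, which is exactly what happened here.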
polonus
5
Hi Pondus,
So it seems we are being protected.
polonus