Virus, sort of logger, entirely not detected by AVAST.

Hello!

The virus file:

hxtp://www.filedropper.com … (removed)
hxtp://www.sendspace.com … (removed)
hxtp://www.datafilehost.com … (removed)

Ok, now, this one was sent to me actually, and I simply fell into it (very ashamed!).

As far as I’ve checked (using a VirtualBox machine with snapshots and checking for new files in the system after executing the virus, before and after a reboot):

  1. It copies some stuff to your “IE5-something” folder.
  2. It copies some stuff into “C:\Intel..” folder. It logs started apps in a file called “77”.
  3. It puts two files to be executed on startup (logon) in the “…\Windows\CurrentVersion\Run” registry entry.

Probably one or two more things, I’m writing here from my memory…

Anyway, I think it should be added as a trojan or something and completely eliminated.

If you guys at AVAST need more details just say so. I’m going to have more checks as well, so I’ll probably report back.

At
C:\Documents and Settings\USER\Application Data\Roaming

Here are two related files to this KEYLOGGER (now I’m sure):
MSDSC.exe
77

The “77” file contains logging like this:

Started: 4/26/2012 : 9:35:50 PM


C:\WINDOWS\system32\cmd.exe [4/26/2012 : 9:35:30 PM]
{Backspace}2

We?gpj.scr Properties [4/26/2012 : 9:35:40 PM]
{Esc}

C:\WINDOWS\system32\cmd.exe [4/26/2012 : 9:35:42 PM]

{Backspace}3

Program Manager [4/26/2012 : 9:36:24 PM]


Virus on 'vboxsrv' (E:) [4/26/2012 : 9:36:30 PM]
ListDll
{Backspace}{F2}s
[]results
{F5}
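The “77” file quoted above is a keystroke log: each block is a window title with a timestamp, followed by the keys typed while that window had focus, with special keys written as `{Backspace}`, `{Esc}`, `{F2}` and so on. As an added example (not part of the thread, and not the malware’s own code), here is a small Python parser that turns that format into per-window records and reconstructs the typed text, which helps a responder judge what was actually captured. The sample log embedded below is constructed to match the quoted excerpt.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the format of the "77" log quoted above (not the real file).
SAMPLE_LOG = """Started: 4/26/2012 : 9:35:50 PM


C:\\WINDOWS\\system32\\cmd.exe [4/26/2012 : 9:35:30 PM]
{Backspace}2

We?gpj.scr Properties [4/26/2012 : 9:35:40 PM]
{Esc}

Virus on 'vboxsrv' (E:) [4/26/2012 : 9:36:30 PM]
ListDll
{Backspace}{F2}s
[]results
{F5}
"""

# "<window title> [M/D/YYYY : H:MM:SS AM|PM]" opens a new focus block.
HEADER_RE = re.compile(
    r"^(?P<title>.+?) \[(?P<stamp>\d{1,2}/\d{1,2}/\d{4} : \d{1,2}:\d{2}:\d{2} [AP]M)\]$"
)
# A keystroke line is a sequence of "{SpecialKey}" tokens and literal characters.
TOKEN_RE = re.compile(r"\{[A-Za-z0-9]+\}|.")


@dataclass
class Session:
    title: str            # window that had focus
    stamp: str            # timestamp as written in the log
    keys: list = field(default_factory=list)

    def typed_text(self):
        """Replay the keys: literal chars are kept, {Backspace} deletes one, other
        special keys ({Esc}, {F5}, ...) produce no text."""
        out = []
        for k in self.keys:
            if k == "{Backspace}":
                if out:
                    out.pop()
            elif not k.startswith("{"):
                out.append(k)
        return "".join(out)


def parse_log(text):
    """Split a "77"-style log into Session records, one per window header."""
    sessions, current = [], None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Started:"):
            continue
        m = HEADER_RE.match(line)
        if m:
            current = Session(m["title"], m["stamp"])
            sessions.append(current)
        elif current is not None:
            current.keys.extend(TOKEN_RE.findall(line))
    return sessions
```

Running `parse_log(SAMPLE_LOG)` yields three sessions; the last one replays to `ListDls[]results`, showing how much of the victim's typing the log preserves even with corrections.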

OK, these are some scan results from my PC (win7).

All the above posts are related to an XP PC.

Anyway, if it helps.

As far as I understand, the damn key-logger is removed.

I’ve even checked for new DLL modules etc. on all processes after a restart - before and after the machine is infected (again, with a virtual box).

If anyone thinks this keylogger is more clever - post your findings.

For AVAST team: I hope you update your AV with this one.
And by the way - your AV is the best - thank you so much!

Anyone going to give an opinion about this? ???

Consider this info: http://www.threatexpert.com/files/msdsc.exe.html
This apparently is a Trojan Start Page infection; wait for the assistance of a qualified malware remover here.

polonus

Nothing apparent in the logs as far as I can see. What are the symptoms?

I think I’ve made the logs AFTER I’ve removed that trojan (BTW, mine is of another version, as it doesn’t sit in “%system%/…” but in “%user%/roaming…”), that’s why you cannot see anything suspicious about them.

Anyway, the symptom is, as I recall:
Puts two “run” records in HKLM & HKCU that target “MSDSC.exe”.
There’s also, in the user’s %temp% folder a file called “svchost.exe”.

Next to the “MSDSC.exe” file there’s a file called “77” and it’s simply a log of executed programs and key-strokes, hence a keylogger.

Anyway, don’t you test it? This one is undetected by AVAST yet, so I guess you would want to add it to the virus list or something…

I only test things like that on a standalone system that I don’t mind wiping ;D

But upload the files to Avast for analysis.

Yup :) that’s why I tested this on a standalone VirtualBox machine (after I was infected though!)

“upload the files to Avast for analysis” << What’s the URL? Looked for it, didn’t find.

ftp://ftp.avast.com/incoming/ (zip and password-protect the file; password: virus)

Name the zip folder “undetected keylogger”.

Good news is that the virus in its packed form is now DETECTED BY AVAST - great! :)

Less good news is that the two EXE files I’ve managed to see that this virus has are still undetected. They are the virus itself (keylogger).
So, as you’ve said - I’ve uploaded these two along with a produced file called “77” which is a log of keys.

Hope there’s nothing else in that virus, otherwise they own me now!

The packed variant should be enough data to stop it installing… The main files will hopefully be detected, but with no dropper you should not see them.

Of course the unpacker (the main executable) is enough to stop it from spreading, but what about existing infections? It’ll never know about them.

Anyway thanks a lot!