Why avast! does not flag Generic.47C as a PUP?

polonus · September 30, 2014, 10:17am

See: https://www.virustotal.com/nl/url/b46b094b15a117f3200c1bebca5302ce408074513ffe716ba8fff23f08ab4581/analysis/1412071526/
https://www.virustotal.com/nl/file/9e0fdae19b145bc8ab8988b652b574dc502d5583f50063b225b16ba65e454443/analysis/1412063550/
htxp://zn.tybests.com/down/zhainan/setup_82_21682_.exe redirects to htxp://ww.zuowangzhanla.com/down/zhainan/setup_82_21682_.exe

htxp://zn.tybests.com/down/zhainan/setup_82_21682_.exe is in Dr.Web malicious sites list!

Checking: htxp://ww.zuowangzhanla.com/down/zhainan/setup_82_21682_.exe
Engine version: 7.0.10.8210
Total virus-finding records: 5467882
File size: 1.33 MB
File MD5: b8a01732c40a79a639c40e01971b5850

htxp://ww.zuowangzhanla.com/down/zhainan/setup_82_21682_.exe - archive INNO SETUP

htxp://ww.zuowangzhanla.com/down/zhainan/setup_82_21682_.exe/Script0.bin - Ok
htxp://ww.zuowangzhanla.com/down/zhainan/setup_82_21682_.exe/Script1.bin - Ok
htxp://ww.zuowangzhanla.com/down/zhainan/setup_82_21682_.exe/Script2.bin - archive BINARYRES

htxp://ww.zuowangzhanla.com/down/zhainan/setup_82_21682_.exe/Script2.bin/data001 - Ok
htxp://ww.zuowangzhanla.com/down/zhainan/setup_82_21682_.exe/Script2.bin/data002 - Ok
htxp://ww.zuowangzhanla.com/down/zhainan/setup_82_21682_.exe/Script2.bin/data003 - Ok
htxp://ww.zuowangzhanla.com/down/zhainan/setup_82_21682_.exe/Script2.bin - Ok
htxp://ww.zuowangzhanla.com/down/zhainan/setup_82_21682_.exe/0.object - Ok
htxp://ww.zuowangzhanla.com/down/zhainan/setup_82_21682_.exe/Embedded_Setup.exe - Ok
htxp://ww.zuowangzhanla.com/down/zhainan/setup_82_21682_.exe/{app}\My_Tv.exe - Ok
htxp://ww.zuowangzhanla.com/down/zhainan/setup_82_21682_.exe/{tmp}\license.txt - Ok
htxp://ww.zuowangzhanla.com/down/zhainan/setup_82_21682_.exe/{app}\SetupTV.dll - Ok
htxp://ww.zuowangzhanla.com/down/zhainan/setup_82_21682_.exe/{tmp}\ISSkin.dll - Ok
htxp://ww.zuowangzhanla.com/down/zhainan/setup_82_21682_.exe/{tmp}\zhainan.Style - Ok
htxp://ww.zuowangzhanla.com/down/zhainan/setup_82_21682_.exe/{win}\biaozhi.ico - Ok
htxp://ww.zuowangzhanla.com/down/zhainan/setup_82_21682_.exe/{win}\buy.ico - Ok
htxp://ww.zuowangzhanla.com/down/zhainan/setup_82_21682_.exe/{win}\game.ico - Ok
htxp://ww.zuowangzhanla.com/down/zhainan/setup_82_21682_.exe/{win}\girl.ico - Ok
htxp://ww.zuowangzhanla.com/down/zhainan/setup_82_21682_.exe/{win}\heath.ico - Ok
htxp://ww.zuowangzhanla.com/down/zhainan/setup_82_21682_.exe/{win}\ie.ico - Ok
htxp://ww.zuowangzhanla.com/down/zhainan/setup_82_21682_.exe/{win}\ie2.ico - Ok
htxp://ww.zuowangzhanla.com/down/zhainan/setup_82_21682_.exe/{win}\movie.ico - Ok
htxp://ww.zuowangzhanla.com/down/zhainan/setup_82_21682_.exe/{win}\shehu.ico - Ok
htxp://ww.zuowangzhanla.com/down/zhainan/setup_82_21682_.exe/{win}\taobao.ico - Ok
htxp://ww.zuowangzhanla.com/down/zhainan/setup_82_21682_.exe/{win}\tingxs.ico - Ok
htxp://ww.zuowangzhanla.com/down/zhainan/setup_82_21682_.exe/{win}\xiaoyouxi.ico - Ok
htxp://ww.zuowangzhanla.com/down/zhainan/setup_82_21682_.exe/{win}\youxi.ico - Ok
htxp://ww.zuowangzhanla.com/down/zhainan/setup_82_21682_.exe/{win}\zhibo.ico - Ok
htxp://ww.zuowangzhanla.com/down/zhainan/setup_82_21682_.exe/{tmp}\bg1.bmp - Ok
htxp://ww.zuowangzhanla.com/down/zhainan/setup_82_21682_.exe/{tmp}\bg2.bmp - Ok
htxp://ww.zuowangzhanla.com/down/zhainan/setup_82_21682_.exe/{tmp}\browse1.bmp - Ok
htxp://ww.zuowangzhanla.com/down/zhainan/setup_82_21682_.exe/{tmp}\browse2.bmp - Ok
htxp://ww.zuowangzhanla.com/down/zhainan/setup_82_21682_.exe/{tmp}\browse3.bmp - Ok
htxp://ww.zuowangzhanla.com/down/zhainan/setup_82_21682_.exe/{tmp}\close1.bmp - Ok
htxp://ww.zuowangzhanla.com/down/zhainan/setup_82_21682_.exe/{tmp}\close2.bmp - Ok
htxp://ww.zuowangzhanla.com/down/zhainan/setup_82_21682_.exe/{tmp}\close3.bmp - Ok
htxp://ww.zuowangzhanla.com/down/zhainan/setup_82_21682_.exe/{tmp}\editback.bmp - Ok
htxp://ww.zuowangzhanla.com/down/zhainan/setup_82_21682_.exe/{tmp}\Finish1.bmp - Ok
htxp://ww.zuowangzhanla.com/down/zhainan/setup_82_21682_.exe/{tmp}\Finish2.bmp - Ok
htxp://ww.zuowangzhanla.com/down/zhainan/setup_82_21682_.exe/{tmp}\Finish3.bmp - Ok
htxp://ww.zuowangzhanla.com/down/zhainan/setup_82_21682_.exe/{tmp}\Setup1.bmp - Ok
htxp://ww.zuowangzhanla.com/down/zhainan/setup_82_21682_.exe/{tmp}\Setup2.bmp - Ok
htxp://ww.zuowangzhanla.com/down/zhainan/setup_82_21682_.exe/{tmp}\Setup3.bmp - Ok
htxp://ww.zuowangzhanla.com/down/zhainan/setup_82_21682_.exe - Ok

Scan for: htxp://ww.zuowangzhanla.com/
Hostname: ww.zuowangzhanla.com
IP address: 118.122.37.107

System Details:
Running on: nginx/1.0.15
Outdated Web Server Nginx Found: nginx/1.0.15

index
Severity: Suspicious
Reason: Detected suspicious redirection to external web resources at HTTP level.
Details: Detected HTTP redirection to http://ww.zuowangzhanla.com/ → http://www.nictasoft.com/ace/malware-urls/15553189/ → http://support.clean-mx.com/clean-mx/viruses.php?domain=zuowangzhanla.com&sort=id%20DESC
Multiple threats flagged: http://www.scumware.org/report/A60F16A3D871A3AA8249CE01448E7A40.html
File size[byte]: 0
File type: Unknown

polonus
Page/File MD5: 00000000000000000000000000000000
Scan duration[sec]: 0.001000

Eddy · September 30, 2014, 1:07pm

https://www.virusbtn.com/vgrep/index?s=47C#0

polonus · September 30, 2014, 1:49pm

Thanks, Eddy, this explains much about the eventual detection.

polonus

polonus · October 1, 2014, 9:51am

The generic 47C detections keep coming 8 solutions to detect this spam-ad infection:
https://www.virustotal.com/nl/url/9c655386d12c18402dc200e5ec1f71c211ad176100fc3401e31088b7e80a12e0/analysis/1412156721/ & https://www.virustotal.com/nl/file/7ce8c1ac92dfa96f1097d10c0f7a75af70de6078501c023a485d7d3aef26c093/analysis/1412151424/
The latest to add:
Up(nil): Generic.47C APNIC CN anti-spam at ns.chinanet.cn.net 118.122.37.107 to 118.122.37.107 tybests.com htxp://zn.tybests.com/down/zhainan/setup_32_1000_.exe
Up(nil): Generic.47C APNIC CN anti-spam at ns.chinanet.cn.net 118.122.37.107 to 118.122.37.107 tybests.com htxp://zn.tybests.com/down/zhainan/setup_203_3920_.exe
Up(nil): Generic.47C APNIC CN anti-spam at ns.chinanet.cn.net 118.122.37.107 to 118.122.37.107 tybests.com htxp://zn.tybests.com/down/zhainan/pplayer_66_3502_.exe
Up(nil): Generic.47C APNIC CN anti-spam at ns.chinanet.cn.net 118.122.37.107 to 118.122.37.107 tybests.com htxp://zn.tybests.com/down/zhainan/pplayer_4_49167_.exe
Up(nil): Generic.47C APNIC CN anti-spam at ns.chinanet.cn.net 118.122.37.107 to 118.122.37.107 tybests.com htxp://zn.tybests.com/down/zhainan/pplayer_2_4140_.exe
Up(nil): Generic.47C APNIC CN anti-spam at ns.chinanet.cn.net 118.122.37.107 to 118.122.37.107 tybests.com htxp://zn.tybests.com/down/zhainan/L_116_3_.exe
Up(nil): APNIC CN anti-spam at ns.chinanet.cn.net 118.122.37.107 to 118.122.37.107 tybests.com htxp://zn.tybests.com/down/zhainan/H%1C%AD%3Eh_116_901_.exe
Up(nil): Generic.47C APNIC CN anti-spam at ns.chinanet.cn.net 118.122.37.107 to 118.122.37.107 tybests.com htxp://zn.tybests.com/down/zhainan/Gh_116_901_.exe
Up(nil): APNIC CN anti-spam at ns.chinanet.cn.net 118.122.37.107 to 118.122.37.107 tybests.com htxp://zn.tybests.com/down/zhainan/%E6%BF%80%E6%83%85%E7%94%B5%E5%BD%B1%E6%92%AD%E6%94%BE%E5%99%A8_116_999_.exe
Up(nil): Generic.47C APNIC CN anti-spam at ns.chinanet.cn.net 118.122.37.107 to 118.122.37.107 tybests.com htxp://zn.tybests.com/down/zhainan/%E6%BF%80%E6%83%85%E7%94%B5%E5%BD%B1%E4%B8%93%E7%94%A8%E6%92%AD%E6%94%BE%E5%99%A8_185_5293_.exe

polonus

See WakWak search for parameter: http://wakwak.net/search/?q=%25E6%25B7%25B1%25E5%2591%25BC%25E5%2590%25B8%2520%25E6%259C%2589%25E6%259D%2591%25E6%259E%25B6%25E7%25BA%25AF%2520torrent

D

Why avast! does not flag Generic.47C as a PUP?

Announcements