Why is hafif.ex- given as a clean file?

Hi forum friends,

See: http://siteinspector.comodo.com/public/reports/682241
And see here: http://vscan.urlvoid.com/analysis/8c81cff03cbc2db7f81bfa6ffdf38a57/aGFmaWYtZXhl/
(avast does not detect TR/Dropper.Gen here, nor does the avast shield block it; only WOT flags the site),
but the site is a malware site according to:
http://www.virustotal.com/url-scan/report.html?id=c39a7ff8d0ba4bf867eacc9cd5dce7a1-1322146665
Anubis analysis: http://anubis.iseclab.org/?action=result&task_id=160da372f85c20b4401c54b6ad92f7117
and http://urlquery.net/report.php?id=9580

As the file installs an MSI installer it could be a trojan downloader or at least a PUP,
site is on a misused server at 8.5.1.32 - a nuseek parked site according to Phishing tracker report and from the code on the urlquery dot net report for mentioned site…may infect with Bifrose,

polonus

VirusTotal - 1/43
http://www.virustotal.com/file-scan/report.html?id=1a2ddda609e72159a501fc590d3c29ce7213f179fe2a88864ac6893d6b58f0e2-1322154179

Also, the file is not an .exe but an HTML document text

First seen: 2011-11-24 17:02:59
Last seen : 2011-11-24 17:02:59

sigcheck:
publisher…: n/a
copyright…: n/a
product…: n/a
description…: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments…: n/a
signers…: -
signing date.: -
verified…: Unsigned

Hi Pondus,

Thanks for the scan info. This has typical generic characteristics of an autorun trojan, because in the Anubis analysis for reg.value name read we have for instance:
{FF393560-C2A7-11CF-BFF4-444553540000} {062E1261-A60E-11D0-82C2-00C04FD5AE38} 0x401

Good, SAS detects it, as does the urlQuery scan. I found the detection migration at VirusWatch. That was why I scanned it against avast detection. Alas, so far in vain,

polonus