Dear All,

We found some files which are not identified by avast as malware, but if we upload them to VirusTotal, the results identify those files as Win32.Banker (eSafe Antivirus).

VirusTotal summary results:

http://www.virustotal.com/file-scan/report.html?id=a2fbb3c38fd98f9bce3fc0ed64035b342063f9c765cbe0ec97d48068eb0b7946-1313584873

I uploaded the malware samples to MediaFire for anyone interested in analyzing these files; you may download them from:

http://www.mediafire.com/?wh7jh8h9ige74tp

(Archive password: virus)

Dear All,

Other files that we uploaded to VirusTotal were identified as Heur Malware and are not detected by avast yet.

Please find the VirusTotal summary report: http://www.virustotal.com/file-scan/report.html?id=9b931f1c298d67a23d1b34622856bf18457f84dbd0313825859a4d7d40f9308d-1267075714

There is a more up to date report:
http://www.virustotal.com/file-scan/report.html?id=9b931f1c298d67a23d1b34622856bf18457f84dbd0313825859a4d7d40f9308d-1321514879

In your report… AVIRA detected it… but in the latest report Avira seems to have removed the detection… IT SEEMS LIKE A FALSE POSITIVE… it may not be malware…

Anyway, send the password-protected sample to virus@avast.com

Hello,
The file with SHA-256 = 9B931F1C298D67A23D1B34622856BF18457F84DBD0313825859A4D7D40F9308D is only a patched notepad with an added section, which is filled with zeros.

The file with SHA-256 = A2FBB3C38FD98F9BCE3FC0ED64035B342063F9C765CBE0EC97D48068EB0B7946 only has zeros added to the end of the file (also notepad).

Milos
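
The two modifications described in the post above (an extra section filled with zeros, and zeros appended after the end of the file) can be checked for directly from the PE headers. The following Python script is an added example, not part of the original thread and not avast's tooling; the function names and the sample images are constructed for illustration.

```python
import struct

def zero_padding_report(data: bytes) -> dict:
    """Find PE sections whose raw bytes are all zero, and zero bytes appended after the last section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header: NumberOfSections at pe+6, SizeOfOptionalHeader at pe+20
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    table = pe + 24 + opt_size                              # first section header
    zero_sections, end_of_image = [], 0
    for i in range(nsec):
        name, _vsize, _vaddr, rsize, rptr = struct.unpack_from(
            "<8sIIII", data, table + 40 * i)
        raw = data[rptr:rptr + rsize]
        if not raw:
            continue                                        # no bytes on disk (e.g. .bss)
        end_of_image = max(end_of_image, rptr + rsize)
        if not any(raw):
            zero_sections.append(name.rstrip(b"\0").decode("ascii", "replace"))
    # Overlay = bytes past the last section; signed files keep their certificate here
    overlay = data[end_of_image:]
    return {"zero_sections": zero_sections,
            "overlay_len": len(overlay),
            "overlay_all_zero": bool(overlay) and not any(overlay)}

def build_sample(extra_zero_section=False, zero_tail=0) -> bytes:
    """Constructed headers-and-sections-only image for the demo; not a runnable program."""
    sections = [(b".text", b"\x90" * 0x200)]
    if extra_zero_section:
        sections.append((b".pad", b"\0" * 0x200))
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table, body, ptr = b"", b"", 0x200
    for name, raw in sections:
        table += struct.pack("<8sIIII16x", name, len(raw), 0x1000, len(raw), ptr)
        body += raw
        ptr += len(raw)
    return (dos + coff + table).ljust(0x200, b"\0") + body + b"\0" * zero_tail

if __name__ == "__main__":
    for label, img in [("clean", build_sample()),
                       ("added zero section", build_sample(extra_zero_section=True)),
                       ("zeros appended", build_sample(zero_tail=4096))]:
        print(label, zero_padding_report(img))
```

Padding like this changes the file hash without changing the code, which is why each padded copy shows up as a separate report even though the contents are otherwise the same.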

Thanks for the confirmation, Milos! I had my own doubts about those samples [that's why I sent a PM to you]… good to know they aren't malware ;D

Hello,
thank you for the archive, but most of the files are the same inside; there are 7 different files, and all of them are patched notepad. I will look at them.

Milos

Hi Milos,

Thanks for your prompt response.

I got these samples from the customer's NAS HDD; they mentioned to me yesterday that after Avast was installed on their network, it detected a lot of malware, such as Sality, Stuxnet and Kalacha.

Today I will go to their office again to analyze and scan each of their user PCs one by one.

Please kindly update me on your analysis…

Hi Milos,

According to avast antivirus detection, those uploaded files are identified as Win32:Kukacka, which is a kind of malware that tries to transform files into .exe format, infect the file system and disable security applications.

But avast antivirus can’t clean those files.

Please kindly advise…

This search query gives some interesting results about the problem behind this issue:
http://www.google.nl/search?gcx=w&ix=c2&sourceid=chrome&ie=UTF-8&q=410b1ea84e88431f6d2bbe1ddfb07d9f

And it stems from 2010, where it is not clear whether it is an FP or real 100% malware: http://r.virscan.org/1cc7ba5153ae0411672a256951d7d85f

The dll error fix can be found here: http://www.system-file.net/file/4DF7A270.VBN.html
Untitled Notepad being created in a new window: http://www.threatexpert.com/report.aspx?md5=410b1ea84e88431f6d2bbe1ddfb07d9f (16 April 2009)

polonus

Hi Polonus,

Thanks for your summary result. Anyway, I have tried to delete the whole notepad file in .exe format, but those files are still listed on our customer's NAS HDD. Besides the notepad.exe format, they are also listed in DOS command format.

Each time we open the folder which contains those files, avast always gives a notification that those files are infected with “Win32:Patched-ACI [Trj] or Win32.Banker”.

I am not sure whether those files came from other users on the network, or whether their NAS HDD is still infected with those kinds of malware?

Hi Yanto Chiang,

If they haven’t been updating and patched against this vulnerability, they can easily be reinfected. The hole has been there since 2009 as you have read from the links in my post,

polonus