system
June 17, 2010, 2:48pm
1
Avast! just notified me that it blocked Win32:Xocr[Drp] running as svchost.exe and moved the file to the chest. Upon further investigation, I noticed that this was found in my temp directory.
I cannot seem to find a description of what this virus/malware is and what it does. Does anyone know?
that detection seems to have been added today in 100617-0
http://www.avast.com/virus-update-history
If you upload the file to www.virustotal.com (seems to be down at the moment) or www.virscan.org
then you can search on the different names given/detected, and you may find the info you are looking for at one of the antivirus vendors detecting it?
I am guessing that the ending [Drp] is short for Dropper…
Dropper = http://en.wikipedia.org/wiki/Dropper
What is a dropper? (Computer virus)
http://stason.org/TULARC/security/computer-virus-l/22-What-is-a-dropper-Computer-virus.html
DavidR
June 17, 2010, 4:20pm
3
Personally, I don’t worry a great deal about what the description of a virus/malware is, just that it has been detected, and this one does seem, based on the file name and location in temp, to be a good detection.
The problem with searching on a malware name is that there is no standardisation or naming convention, so there are likely to be many different aliases as virustotal often shows multiple different malware names for the same detection.
system
June 17, 2010, 6:13pm
4
I uploaded the file to virscan.org and it reported the following:
VirSCAN.org Scanned Report :
Scanned time : 2010/06/17 13:07:02 (CDT)
Scanner results: 61% Scanner(s) (22/36) found malware!
File Name : svchost.exe
File Size : 40448 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 1dee5f41b4414bc44c7c76d565ea6979
SHA1 : dc3db973d41dd997a0236055a02fe46ad6600051
Online report : http://virscan.org/report/311a354f1da842e65a0626ab8ae46714.html
Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.0.0.11 20100617053131 2010-06-17 5.32 Trojan-Dropper.Win32.Drooptroop!IK
AhnLab V3 2010.06.18.00 2010.06.18 2010-06-18 3.34 Dropper/Agent.40448.CO
AntiVir 8.2.2.6 7.10.8.122 2010-06-17 0.26 TR/Drop.Drooptroop.cpt.7
Antiy 2.0.18 20100617.4767071 2010-06-17 0.02 -
Arcavir 2009 201006171330 2010-06-17 0.04 -
Authentium 5.1.1 201006171114 2010-06-17 1.29 -
AVAST! 4.7.4 100617-1 2010-06-17 0.00 Win32:Xocr [Drp]
AVG 8.5.793 271.1.1/2944 2010-06-17 0.22 Dropper.Generic_c.IDF
BitDefender 7.90123.6199739 7.32270 2010-06-18 3.97 Gen:Variant.Kates.2
ClamAV 0.96.1 11207 2010-06-18 0.01 Trojan.Agent-165229
Comodo 3.13.579 5133 2010-06-17 0.85 TrojWare.Win32.Trojan.Agent.Gen
CP Secure 1.3.0.5 2010.06.18 2010-06-18 0.05 -
Dr.Web 5.0.2.3300 2010.06.18 2010-06-18 8.01 Trojan.Hottrend.14
F-Prot 4.4.4.56 20100616 2010-06-16 1.32 -
F-Secure 7.02.73807 2010.06.17.04 2010-06-17 0.12 Trojan-Dropper.Win32.Drooptroop.cpt [AVP]
Fortinet 4.1.133 12.61 2010-06-17 0.19 -
GData 21.367/21.129 20100617 2010-06-17 7.10 Trojan-Dropper.Win32.Drooptroop.cpt [Engine:A]
ViRobot 20100617 2010.06.17 2010-06-17 0.36 -
Ikarus T3.1.01.84 2010.06.17.76086 2010-06-17 6.76 Trojan-Dropper.Win32.Drooptroop
JiangMin 13.0.900 2010.06.15 2010-06-15 1.19 -
Kaspersky 5.5.10 2010.06.17 2010-06-17 0.08 Trojan-Dropper.Win32.Drooptroop.cpt
KingSoft 2009.2.5.15 2010.6.16.19 2010-06-16 0.62 -
McAfee 5400.1158 6016 2010-06-17 17.15 BackDoor-DKI.gen.cm
Microsoft 1.5902 2010.06.17 2010-06-17 7.30 Trojan:Win32/Bamital.E
Norman 6.04.12 6.04.00 2010-06-16 6.01 W32/Suspicious_Gen2.BDFNL
Panda 9.05.01 2010.06.17 2010-06-17 1.68 Spyware/Virtumonde
Trend Micro 9.120-1004 7.250.11 2010-06-17 0.00 -
Quick Heal 10.00 2010.06.17 2010-06-17 1.51 TrojanDropper.Drooptroop.cpt
Rising 20.0 22.52.03.04 2010-06-17 1.21 -
Sophos 3.07.1 4.54 2010-06-18 3.55 Mal/Bamital-A
Sunbelt 3.9.2424.2 6462 2010-06-17 8.26 Trojan.Win32.Bamital.G (v)
Symantec 1.3.0.24 20100615.005 2010-06-15 0.29 -
nProtect 20100617.01 8664731 2010-06-17 8.38 Gen:Variant.Kates.2
The Hacker 6.5.2.0 v00300 2010-06-17 0.33 -
VBA32 3.12.12.5 20100617.1316 2010-06-17 2.70 -
VirusBuster 4.5.11.10 10.126.88/2006630 2010-06-17 2.31 Trojan.Drooptroop.Gen.5
Glad AVAST! found the issue, but without a definition, how am I to know what potentially was compromised with my system (if any)?
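The point DavidR makes above, that one sample collects many unrelated names across engines, is easiest to see if the multi-engine report is parsed rather than read by eye. The script below is an added example, not code from the thread or from VirSCAN: it parses a subset of the report lines quoted above (copied from the post, not a fresh scan), strips the category words that every vendor prefixes (Trojan, Dropper, Win32, Gen, ...), and counts the remaining family tokens so the alias most engines agree on, together with the MD5/SHA1, is what you go on to search for. The regular expressions and the list of generic words are my own assumptions about the report layout, not anything VirSCAN documents.

```python
"""Parse a VirSCAN-style multi-engine report and find the family name engines agree on."""
import re
from collections import Counter

# Subset of the report quoted in the thread above (copied from the post, not a live scan).
REPORT = """\
File Name : svchost.exe
Scanner results: 61% Scanner(s) (22/36) found malware!
MD5 : 1dee5f41b4414bc44c7c76d565ea6979
SHA1 : dc3db973d41dd997a0236055a02fe46ad6600051
Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.0.0.11 20100617053131 2010-06-17 5.32 Trojan-Dropper.Win32.Drooptroop!IK
AhnLab V3 2010.06.18.00 2010.06.18 2010-06-18 3.34 Dropper/Agent.40448.CO
AntiVir 8.2.2.6 7.10.8.122 2010-06-17 0.26 TR/Drop.Drooptroop.cpt.7
Antiy 2.0.18 20100617.4767071 2010-06-17 0.02 -
AVAST! 4.7.4 100617-1 2010-06-17 0.00 Win32:Xocr [Drp]
BitDefender 7.90123.6199739 7.32270 2010-06-18 3.97 Gen:Variant.Kates.2
F-Secure 7.02.73807 2010.06.17.04 2010-06-17 0.12 Trojan-Dropper.Win32.Drooptroop.cpt [AVP]
Kaspersky 5.5.10 2010.06.17 2010-06-17 0.08 Trojan-Dropper.Win32.Drooptroop.cpt
Microsoft 1.5902 2010.06.17 2010-06-17 7.30 Trojan:Win32/Bamital.E
Panda 9.05.01 2010.06.17 2010-06-17 1.68 Spyware/Virtumonde
Sophos 3.07.1 4.54 2010-06-18 3.55 Mal/Bamital-A
Sunbelt 3.9.2424.2 6462 2010-06-17 8.26 Trojan.Win32.Bamital.G (v)
Symantec 1.3.0.24 20100615.005 2010-06-15 0.29 -
Trend Micro 9.120-1004 7.250.11 2010-06-17 0.00 -
VirusBuster 4.5.11.10 10.126.88/2006630 2010-06-17 2.31 Trojan.Drooptroop.Gen.5
"""

# A result row: anything, then an ISO date, a scan time in seconds, then the verdict.
# Scanner names may contain spaces, so the scanner is whatever precedes the last two
# version tokens before the date (an assumption about this layout, not a VirSCAN spec).
ROW_RE = re.compile(r"^(?P<head>.+?)\s+(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<secs>\d+\.\d+)\s+(?P<result>.+?)\s*$")
META_RE = re.compile(r"^(?P<key>[A-Za-z0-9 ()]+?)\s*:\s*(?P<value>\S.*)$")

# Category words most vendors prefix to a name; they say "what kind", not "which family".
# My own list, chosen for this report; extend it as other engines' prefixes turn up.
GENERIC = {"trojan", "dropper", "drop", "backdoor", "spyware", "win32", "w32", "gen",
           "generic", "variant", "agent", "tr", "mal", "trojware", "suspicious"}


def parse_report(text):
    """Return (metadata dict, list of per-engine rows) from the report text."""
    meta, rows = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = ROW_RE.match(line)
        if m:
            head = m.group("head").split()
            if len(head) < 3:          # need scanner + engine version + signature version
                continue
            rows.append({"scanner": " ".join(head[:-2]), "engine": head[-2],
                         "sig": head[-1], "date": m.group("date"),
                         "secs": float(m.group("secs")), "result": m.group("result")})
            continue
        m = META_RE.match(line)
        if m:
            meta[m.group("key").strip()] = m.group("value").strip()
    return meta, rows


def family_tokens(result):
    """Alphabetic tokens of a detection name with category words and short suffixes removed."""
    toks = re.split(r"[^A-Za-z0-9]+", result.lower())
    return {t for t in toks if t.isalpha() and len(t) >= 4 and t not in GENERIC}


def summarise(rows):
    """Count detections and tally family tokens, one vote per engine."""
    detected = [r for r in rows if r["result"] != "-"]
    families = Counter()
    for r in detected:
        families.update(family_tokens(r["result"]))
    likely = families.most_common(1)[0][0] if families else None
    return {"total": len(rows), "detected": len(detected),
            "families": families, "likely_family": likely}


def search_terms(meta, summary, top=2):
    """Hashes plus the best-supported family names: the terms worth looking up at vendors."""
    terms = [meta[k] for k in ("MD5", "SHA1") if k in meta]
    terms += [name for name, _ in summary["families"].most_common(top)]
    return terms


if __name__ == "__main__":
    meta, rows = parse_report(REPORT)
    s = summarise(rows)
    print(f"{s['detected']}/{s['total']} engines flagged {meta.get('File Name')}")
    for name, n in s["families"].most_common():
        print(f"  {name:12s} {n} engine(s)")
    print("search for:", ", ".join(search_terms(meta, s)))
```

On this subset, "drooptroop" is named by five engines and "bamital" by three, while Avast's own "Xocr" appears once; the ratio of votes is the useful signal, since a single vendor's label (including the generic "Dropper/Agent" with no family at all) tells you little about what the sample does.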
system
June 17, 2010, 7:54pm
6
Thanks everyone. I believe that AVAST caught this one just in time. It wasn’t there yesterday, but it found it today. I hate to think that someone was capturing my keystrokes.
check your computer for malware with
Malwarebytes Anti-Malware 1.46 http://filehippo.com/download_malwarebytes_anti_malware/
after install click update so you have latest database before scan
run quick scan and click on the remove selected button to quarantine anything found
post the scan log here
system
June 18, 2010, 3:28am
8
I installed Malwarebytes’ Anti-Malware and ran it. Here are the scan results:
Malwarebytes’ Anti-Malware 1.46
www.malwarebytes.org
Database version: 4211
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
6/17/2010 10:11:48 PM
mbam-log-2010-06-17 (22-11-48).txt
Scan type: Quick scan
Objects scanned: 131040
Time elapsed: 6 minute(s), 49 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)