Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

New Worm/Malware Surfacing


  • Please log in to reply
No replies to this topic

#1 ZoomerX

ZoomerX

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:51 PM

Posted 08 December 2009 - 11:06 PM

A new infection is surfacing via many torrent sites, with both legitimate and pirated wares. The file, multifiledownload.exe or multifiledownloader.exe is "required" to download files hosted by a specific site. This file is a fraudulant file that creates a dll which disables most anti-virus, and anti-malware programs, as well as closes any window that happens to contain a virus related string in the title bar. It also shuts down rkill, and prevents installation of most anti-virus programs, and most anti-malware programs (including MalwareBytes). The infection is only detected by 9 of the 40 leading anti-virus programs. I have managed to counter this infection with a program from SimplySup.com, called Trojan Remover. This is the only program it permitted me to install. More information will be posted as it becomes available.

Below is the annalysis from VirusTotal.com:

Virustotal is a service that analyzes suspicious files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware detected by antivirus engines. More information...

File dbbdfaddcdecf.dll received on 2009.12.09 03:41:01 (UTC)



Result: 9/40 (22.5%)
Loading server information...
Your file is queued in position: 1.
Estimated start time is between 40 and 57 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.
You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished. Email:


Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.12.09 -
AhnLab-V3 5.0.0.2 2009.12.09 -
AntiVir 7.9.1.102 2009.12.08 -
Antiy-AVL 2.0.3.7 2009.12.09 -
Authentium 5.2.0.5 2009.12.02 W32/AutoRun.I.gen!Eldorado
Avast 4.8.1351.0 2009.12.08 Win32:Malware-gen
AVG 8.5.0.426 2009.12.08 -
BitDefender 7.2 2009.12.09 -
CAT-QuickHeal 10.00 2009.12.08 -
ClamAV 0.94.1 2009.12.09 -
Comodo 3103 2009.12.01 Worm.Win32.Autorun.fh0
DrWeb 5.0.0.12182 2009.12.09 -
eSafe 7.0.17.0 2009.12.08 -
eTrust-Vet 35.1.7165 2009.12.08 -
F-Prot 4.5.1.85 2009.12.08 W32/AutoRun.I.gen!Eldorado
F-Secure 9.0.15370.0 2009.12.07 -
Fortinet 4.0.14.0 2009.12.08 -
GData 19 2009.12.09 Win32:Malware-gen
Ikarus T3.1.1.74.0 2009.12.09 -
Jiangmin 13.0.900 2009.12.02 -
K7AntiVirus 7.10.915 2009.12.08 -
Kaspersky 7.0.0.125 2009.12.09 -
McAfee 5826 2009.12.08 W32/Autorun.worm.fh
McAfee+Artemis 5826 2009.12.08 W32/Autorun.worm.fh
McAfee-GW-Edition 6.8.5 2009.12.09 -
Microsoft 1.5302 2009.12.09 Worm:Win32/Swimnag.gen!A.dll
NOD32 4671 2009.12.08 -
Norman 6.03.02 2009.12.08 -
nProtect 2009.1.8.0 2009.12.08 -
Panda 10.0.2.2 2009.12.08 -
PCTools 7.0.3.5 2009.12.09 -
Rising 22.25.02.01 2009.12.09 -
Sophos 4.48.0 2009.12.09 W32/Autorun-AWK
Sunbelt 3.2.1858.2 2009.12.09 -
Symantec 1.4.4.12 2009.12.09 -
TheHacker 6.5.0.2.088 2009.12.07 -
TrendMicro 9.100.0.1001 2009.12.08 -
VBA32 3.12.12.0 2009.12.08 -
ViRobot 2009.12.9.2077 2009.12.09 -
VirusBuster 5.0.21.0 2009.12.08 -
Additional information
File size: 315407 bytes
MD5...: cdbef143522fb8240f6f509cc6e2bd07
SHA1..: db8ade852fe9684770c6142c449adda7c0731790
SHA256: c3e195f2678082ba6f441e24a3b35ba05187f7dd07db2d6218d5c20ff3ae81c9
ssdeep: 6144:Y62uYGM38JtiBoAPOwKubG4HADHNIdC7TdGqUAD5J:Y62uYt+ti4/QWHNId
sT4BAD5J

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x115ba
timedatestamp.....: 0x4b0ac210 (Mon Nov 23 17:10:40 2009)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x12007 0x12200 6.00 61a36309f070b52eab3b39ba39f229bf
.rdata 0x14000 0x53b7 0x5400 6.38 cbe29a7b068947706a8d42ed5a198eee
.data 0x1a000 0x990 0xa00 4.14 bef462ca6c8e145c612092cef8591641
.rsrc 0x1b000 0x34000 0x33600 8.00 f8ab750fa42dbd18352f550592e51180
.reloc 0x4f000 0x14d2 0x1600 5.88 d41528681e4f9b09dfa5630be80e01e8

( 8 imports )
> KERNEL32.dll: lstrcmpiW, GetDriveTypeW, WinExec, SetEvent, GetLastError, LocalFree, lstrcpyW, LocalAlloc, FormatMessageW, CreateFileW, ReadFile, WriteFile, GetFileSize, MoveFileExW, GetFileAttributesW, DeleteFileW, lstrcpynW, SetFileAttributesW, SizeofResource, LockResource, LoadResource, FindResourceExW, lstrcmpW, GetComputerNameW, GetLocalTime, GetModuleFileNameW, GetSystemDirectoryW, WideCharToMultiByte, MultiByteToWideChar, GetTempPathW, GetVersionExW, GetLogicalDriveStringsW, DisableThreadLibraryCalls, Sleep, CreateThread, CreateEventW, WaitForSingleObject, CancelWaitableTimer, CreateWaitableTimerW, SetWaitableTimer, OpenProcess, TerminateProcess, CloseHandle, lstrlenA, lstrlenW
> USER32.dll: EnumWindowStationsW, wsprintfA, wsprintfW, GetWindowThreadProcessId, OpenDesktopW, EnumDesktopWindows, GetWindowTextLengthW, CloseDesktop, OpenWindowStationW, GetWindowTextW, EnumDesktopsW
> ADVAPI32.dll: RegQueryValueExW, RegQueryValueExA, RegSetValueExW, RegSetValueExA, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW
> WININET.dll: InternetCloseHandle, InternetCrackUrlW, InternetConnectW, HttpSendRequestW, HttpOpenRequestW, InternetReadFile, HttpQueryInfoW, InternetOpenW
> SHLWAPI.dll: StrStrW, StrRChrW, StrStrIW, StrChrW, StrToIntW
> PSAPI.DLL: GetModuleBaseNameW
> MSVCRT.dll: _adjust_fdiv, malloc, _initterm, free, __1type_info@@UAE@XZ, _onexit, __dllonexit, _CxxThrowException, strlen, strchr, memset, __2@YAPAXI@Z, __CxxFrameHandler, __3@YAXPAX@Z, _lrotl, _lrotr, memcpy
> MSVCP60.dll: _append@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAEAAV12@ID@Z, _assign@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z, _find@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QBEIPBDII@Z, _npos@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@2IB, _erase@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAEAAV12@II@Z, _append@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAEAAV12@PBDI@Z, __0_Lockit@std@@QAE@XZ, __1_Lockit@std@@QAE@XZ, __Tidy@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@AAEX_N@Z, _assign@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAEAAV12@PBDI@Z, __C@_1___Nullstr@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@CAPBDXZ@4DB, __1_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAE@XZ

( 3 exports )
fix, g, lk

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

BC AdBot (Login to Remove)

 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users