9 November 2011, 01:32

 

This malware succeeded in installing itself on the following configuration:

- Win7 64-bit, fully patched

- KAV 2011

- non-administrator user account (account switching via UAC)

- Opera 11.52, up to date

I was just surfing... Therefore I do believe it is a kind of drive-by download.

 

Once installed, it will:

- kill all running programs (yes!), including a lot of services (sometimes KAV's service too)

- prevent you from launching new/other programs

- display a fake shield in the taskbar...

 

Here is how it starts itself at the beginning of the user's session:

[Image: registre_HKU_privacy.exe.jpg]

The Sysinternals tool Autoruns does not show it, AFAIK.

 

According to VirusTotal, only 3 AV engines out of 43 (command-line versions) detect it!

(link: http://www.virustotal.com/file-scan/report.html?id=c6d83ab1348c548b7581153100b8b7eb7c1b89b3e753151594828c2ac78f2c12-1320798644# )

 

Kaspersky Antivirus 2011 does not detect anything.

Malwarebytes does detect something, but the problem is that you can't start it once the malware is running...

 

[Image: MBAM_privacy.exe_091111.png]

 

 

As you can see, the malware stores a file in %appdata%, i.e. AppData\Roaming for the current user.

 

One hour after my first scan, VT says 3 new engines detect it:

| Antivirus | Version | Last Update | Result |
| --- | --- | --- | --- |
| AhnLab-V3 | 2011.11.08.01 | 2011.11.08 | - |
| AntiVir | 7.11.17.87 | 2011.11.08 | - |
| Antiy-AVL | 2.0.3.7 | 2011.11.08 | - |
| Avast | 6.0.1289.0 | 2011.11.08 | - |
| AVG | 10.0.0.1190 | 2011.11.08 | - |
| BitDefender | 7.2 | 2011.11.09 | - |
| ByteHero | 1.0.0.1 | 2011.11.04 | - |
| CAT-QuickHeal | 11.00 | 2011.11.08 | - |
| ClamAV | 0.97.3.0 | 2011.11.08 | - |
| Commtouch | 5.3.2.6 | 2011.11.08 | - |
| Comodo | 10714 | 2011.11.08 | - |
| DrWeb | 5.0.2.03300 | 2011.11.09 | - |
| Emsisoft | 5.1.0.11 | 2011.11.09 | Trojan.Win32.Agent.AMN!A2 |
| eSafe | 7.0.17.0 | 2011.11.08 | - |
| eTrust-Vet | 36.1.8663 | 2011.11.08 | - |
| F-Prot | 4.6.5.141 | 2011.11.08 | - |
| F-Secure | 9.0.16440.0 | 2011.11.09 | - |
| Fortinet | 4.3.370.0 | 2011.11.08 | - |
| GData | 22 | 2011.11.09 | - |
| Ikarus | T3.1.1.109.0 | 2011.11.08 | - |
| Jiangmin | 13.0.900 | 2011.11.08 | - |
| K7AntiVirus | 9.117.5413 | 2011.11.08 | - |
| Kaspersky | 9.0.0.837 | 2011.11.09 | - |
| McAfee | 5.400.0.1158 | 2011.11.09 | Artemis!61E2511F79EF |
| McAfee-GW-Edition | 2010.1D | 2011.11.08 | Artemis!61E2511F79EF |
| Microsoft | 1.7801 | 2011.11.08 | - |
| NOD32 | 6612 | 2011.11.08 | a variant of Win32/Kryptik.SES |
| Norman | 6.07.13 | 2011.11.08 | W32/Krypt.BD |
| nProtect | 2011-11-08.01 | 2011.11.08 | - |
| Panda | 10.0.3.5 | 2011.11.08 | - |
| PCTools | 8.0.0.5 | 2011.11.09 | - |
| Prevx | 3.0 | 2011.11.09 | - |
| Rising | 23.83.01.01 | 2011.11.08 | - |
| Sophos | 4.71.0 | 2011.11.09 | Mal/FakeAV-PG |
| SUPERAntiSpyware | 4.40.0.1006 | 2011.11.09 | - |
| Symantec | 20111.2.0.82 | 2011.11.09 | - |
| TheHacker | 6.7.0.1.339 | 2011.11.08 | - |
| TrendMicro | 9.500.0.1008 | 2011.11.08 | - |
| TrendMicro-HouseCall | 9.500.0.1008 | 2011.11.09 | - |
| VBA32 | 3.12.16.4 | 2011.11.08 | - |
| VIPRE | 11001 | 2011.11.09 | - |
| ViRobot | 2011.11.8.4761 | 2011.11.08 | - |
| VirusBuster | 14.1.53.1 | 2011.11.08 | - |
MD5: 61e2511f79ef738d73d766c0ab8c8c1a

 

Most of these detections are heuristic/generic ones!
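To make that point checkable rather than eyeballed, here is an added example (not part of the original post) that parses rows in the legacy VirusTotal text format shown above and splits detections into named-family verdicts and heuristic/generic ones. The marker list is an assumption based on common vendor naming (Artemis is McAfee's reputation verdict, Kryptik/Krypt are packer-based names, Agent is a generic trojan label), and the embedded report is a constructed excerpt of the table in the post.

```python
# Parse a legacy VirusTotal text report (one "Vendor Version Date Result" row
# per line) and separate named-family detections from heuristic/generic ones.
import re

# Name fragments vendors use for heuristic, reputation or packer-based verdicts
# rather than a named family (assumption: a working list, not a VT classification).
GENERIC_MARKERS = ("Artemis", "Kryptik", "Krypt.", "Agent", "Generic", "Heur")

# Constructed excerpt of the rows quoted in the post (the full table lists 43 engines).
SAMPLE_REPORT = """\
Antivirus Version Last Update Result
Avast 6.0.1289.0 2011.11.08 -
Emsisoft 5.1.0.11 2011.11.09 Trojan.Win32.Agent.AMN!A2
Kaspersky 9.0.0.837 2011.11.09 -
McAfee 5.400.0.1158 2011.11.09 Artemis!61E2511F79EF
McAfee-GW-Edition 2010.1D 2011.11.08 Artemis!61E2511F79EF
NOD32 6612 2011.11.08 a variant of Win32/Kryptik.SES
Norman 6.07.13 2011.11.08 W32/Krypt.BD
Sophos 4.71.0 2011.11.09 Mal/FakeAV-PG
Symantec 20111.2.0.82 2011.11.09 -
"""

DATE_RE = re.compile(r"^\d{4}\.\d{2}\.\d{2}$")

def parse_report(text):
    """Return [(vendor, result_or_None)]. The result column may contain spaces
    ("a variant of ..."), so anchor on the date column instead of the 4th token."""
    verdicts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not DATE_RE.match(parts[2]):
            continue  # header or malformed row
        result = " ".join(parts[3:])
        verdicts.append((parts[0], None if result == "-" else result))
    return verdicts

def is_generic(result):
    return any(marker in result for marker in GENERIC_MARKERS)

def summarize(verdicts):
    hits = [r for _, r in verdicts if r is not None]
    return {
        "engines": len(verdicts),
        "detections": len(hits),
        "generic": sum(is_generic(r) for r in hits),
        "named_family": sum(not is_generic(r) for r in hits),
    }

if __name__ == "__main__":
    print(summarize(parse_report(SAMPLE_REPORT)))
```

On the excerpt, 5 of the 6 detections carry generic markers and only Sophos names a family (FakeAV), which is the pattern a low-but-rising VT count usually hides.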

I've submitted a sample to ClamAV.

 

About the file:

[Image: fichier_proprietes_091111.jpg]

There is even a copyright notice on it...

 
