Undetected Sample

Hello,


I got these samples from a friend. When you run Setup.exe, it will create an autorun.inf file in every partition root and it will copy Setup.exe into the System32 folder.


It is currently not detected by any AV product (tested on virustotal.com).


Password: infected


Cris.

Attachment: autorun.zip

Comments

  • Unfortunately it seems that this is the wrong setup.exe because it doesn't contain any code to do the described behavior.

  • Hi Cd-Man,


    Ok, it seems that I got the wrong file. Now I've checked on my PC and I see that I also have this Setup.exe in System32. Is it an important system file? Because I told my friend to delete it...


    And where else should I look for the setup.exe which is launched by autorun.inf?


    Another file that was suspicious on my friend's PC was a rundl123.exe, located in C:\Windows\Uninstall. This file was also in the StartUp list. Unfortunately, when I wanted to attach it, I noticed that the file is empty... 0 bytes in size (there must have been an error when I archived it :( )


    Cris.

  • Sorry for the big delay but I got really busy. The forum software is acting up again, so I can't download the original zip file, but most probably the setup.exe is located in the root folder (i.e. C:\), possibly with the hidden / system bits set.


    If Windows complains about the missing setup.exe, it can always be restored from the Windows installation disk.


    Best regards.
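
An added example, not part of any post in this thread: to find which file an autorun.inf actually launches, read its `[autorun]` section and resolve the `open`, `shellexecute` and `shell\<verb>\command` entries against the drive root. The sample file contents, the `E:\` drive letter and the function names are constructed for illustration.

```python
import ntpath

# Keys in the [autorun] section whose value is a command line to launch.
LAUNCH_KEYS = ("open", "shellexecute")

# Constructed sample, not the file from the thread. Junk lines are included
# because such files are often padded to hide the real entries.
SAMPLE_INF = """\
; constructed sample
kjsdhf7823hjksdf
[AutoRun]
open=Setup.exe
shell\\open\\Command="Setup.exe" /s
icon=shell32.dll,4
"""

def first_token(command):
    """Return the program part of a command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split()[0] if command else ""

def autorun_targets(inf_text, drive_root):
    """Return (key, absolute_path) for every launch entry in [autorun]."""
    targets = []
    in_autorun = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            # Section names are case-insensitive.
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue  # junk padding or a line outside [autorun]
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        is_shell_cmd = key.startswith("shell\\") and key.endswith("\\command")
        if key not in LAUNCH_KEYS and not is_shell_cmd:
            continue  # icon=, label= and similar do not launch anything
        exe = first_token(value)
        if exe:
            targets.append((key, ntpath.normpath(ntpath.join(drive_root, exe))))
    return targets

if __name__ == "__main__":
    for key, path in autorun_targets(SAMPLE_INF, "E:\\"):
        print(f"{key} -> {path}")
```

The paths it returns are the files to examine on each affected partition, including ones that are hidden from a normal directory listing.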