Another

I have this file and BitDefender didn't detect it :D


Here is the result from virustotal.com


Antivirus          Version         Last Update  Result
AhnLab-V3          2008.7.11.0     2008.07.11   Win-Trojan/Injecter.50695
AntiVir            7.8.0.64        2008.07.11   TR/Dldr.Injecter.ZY
Authentium         5.1.0.4         2008.07.11   W32/Adware-RegBHO-based.1!Maximus
Avast              4.8.1195.0      2008.07.12   Win32:Adware-gen
AVG                7.5.0.516       2008.07.12   Downloader.Generic7.VJI
BitDefender        7.2             2008.07.12   -
CAT-QuickHeal      9.50            2008.07.11   TrojanDownloader.Injecter.zy
ClamAV             0.93.1          2008.07.11   Trojan.BHO-3218
DrWeb              4.44.0.09170    2008.07.12   -
eSafe              7.0.17.0        2008.07.10   Suspicious File
eTrust-Vet         31.6.5949       2008.07.12   Win32/Burgspill!generic
Ewido              4.0             2008.07.12   -
F-Prot             4.4.4.56        2008.07.11   W32/Adware-RegBHO-based.1!Maximus
F-Secure           7.60.13501.0    2008.07.12   Trojan-Downloader.Win32.Injecter.zy
Fortinet           3.14.0.0        2008.07.12   PossibleThreat
GData              2.0.7306.1023   2008.07.12   Trojan-Downloader.Win32.Injecter.zy
Ikarus             T3.1.1.26.0     2008.07.12   Trojan-Dropper.Win32.Delf.aho
Kaspersky          7.0.0.125       2008.07.12   Trojan-Downloader.Win32.Injecter.zy
McAfee             5337            2008.07.11   -
Microsoft          1.3704          2008.07.12   Trojan:Win32/Delflob.I
NOD32v2            3263            2008.07.11   Win32/Adware.IeDefender.NFX
Norman             5.80.02         2008.07.11   W32/DLoader.HYCV
Panda              9.0.0.4         2008.07.12   Trj/Downloader.MDW
Prevx1             V2              2008.07.12   Suspicious
Rising             20.52.52.00     2008.07.12   -
Sophos             4.31.0          2008.07.12   Troj/Agent-HDV
Sunbelt            3.1.1536.1      2008.07.12   Trojan-Downloader.Win32.Injecter.zy
Symantec           10              2008.07.12   -
TheHacker          6.2.96.376      2008.07.10   Trojan/Downloader.Injecter.zy
TrendMicro         8.700.0.1004    2008.07.11   PAK_Generic.001
VBA32              3.12.6.9        2008.07.12   Trojan-Downloader.Win32.Injecter.zy
VirusBuster        4.5.11.0        2008.07.12   -
Webwasher-Gateway  6.6.2           2008.07.11   Trojan.Dldr.Injecter.ZY

Additional information
File size: 50699 bytes
MD5...: c4bccf338de0a73214cd292b67ef3d50
SHA1..: 35f970bc3f8f2388af308a86aba36202bc1e5644
SHA256: 70fa9dc095445231549e1407013638815d0c941841508723f529be20eee3f5e3
SHA512: 62170c7f8bbc051290dfcdcc6995dd9ab3a58bba0b2bbe289ac263b916b6bc4feb5f2bc8f9666f70be9aa18094631ee093747017b7067c192db4bbab3a142cc1
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x404b78
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 8 sections )
name    viradd   virsiz   rawdsiz  ntrpy  md5
CODE    0x1000   0x41c4   0x4200   6.38   fb5fc2ff8cde87b68eea2871327dd985
DATA    0x6000   0xa4     0x200    1.86   b0380652b65dbf4c0051248ae4824e38
BSS     0x7000   0x691    0x0      0.00   d41d8cd98f00b204e9800998ecf8427e
.idata  0x8000   0x5bc    0x600    4.34   937d48fe87087175533f47ffbf73ec92
.tls    0x9000   0x8      0x0      0.00   d41d8cd98f00b204e9800998ecf8427e
.rdata  0xa000   0x18     0x200    0.20   7cd66032ccbad0330bf6fdf8d151d54c
.reloc  0xb000   0x480    0x600    5.56   db739d6325e480d81066feffbc0082ab
.rsrc   0xc000   0x7000   0x7000   7.34   29c0db6ef325a7929e36246b4fd20c76

( 8 imports )
> kernel32.dll: DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, GetThreadLocale, GetStartupInfoA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
> user32.dll: GetKeyboardType, MessageBoxA, CharNextA
> advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey
> kernel32.dll: TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
> advapi32.dll: RegSetValueExA, RegQueryValueExA, RegOpenKeyExA, RegCreateKeyExA, RegCloseKey
> kernel32.dll: WriteFile, SizeofResource, SetFilePointer, ReadFile, LockResource, LoadResource, GetSystemDirectoryA, GetLastError, GetFileSize, FindResourceA, CreateFileA, CloseHandle
> gdi32.dll: GetDCBrushColor, GetBkMode, GetBkColor
> shell32.dll: ShellExecuteA

( 0 exports )

Prevx info: http://info.prevx.com/aboutprogramtext.asp...1F6C600E4DF1929
packers (F-Prot): UPX


Attachment: Infected.zip

Comments

  • rootkit

    Thank you for the sample!

    The guys from the LAB will take a look ;)