Audioman_exe New Malware !

Crem
Crem
in Malware talk

Here is new malware that BitDefender cannot dectect to now. This malware attach another malware which be dectected with name : Generic.GrayBird to resource. So when malware is activated, it create services.exe in Windows\system, Explorer.sm1 in System32 and services.exe only run when computer is restarted. Then msinfo.exe is created in System32 dir, taskmgr.exe is created in Windows dir. They have name Generic.GrayBird but i don't understand why BitDefender cannot detect them when they are activated and request connect to internet :(


Here is sample. Pass : infected

/applications/core/interface/file/attachment.php?id=833" data-fileid="833" rel="">AudioMan_EXE.rar

Comments

  • Cd-MaN
    Cd-MaN

    Hello. The attached file will be detected as Backdoor.Hupigon.FBA and the dropped files are already detected as Generic.Graybird as you know (with the exception for Explorer.sm1, which seems to be log file of some sorts).


    As for BD not being able to block it, I'm not exactly sure what you mean, since if the files are detected, the on-access scanner should block them on execution and prevent them from being active.


    Best regards.

  • Crem
    Crem

    Hi Cd-MaN. Thanks for your update !


    But i don't agree with you about file Explorer.sm1, it is not log file of some sorts. If you analysed carefully, you will see that : When sxs infect to computer, i will create :


    HKEY_CLASSES_ROOT\.sm1


    @ = "sm1_Auto_File"


    HKEY_CLASSES_ROOT\sm1_Auto_File\shell\open\command


    @ = "C:\WINDOWS\System\services.exe" "%1"


    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run


    AudioMan = "C:\WINDOWS\System32\Explorer.sm1"


    Very ligthly, when Windows is loged on, file Explorer.sm1 will opened and execute file services.exe. So file Explorer.sm1 is file to start file malware.


    I have small question, file msinfo.exe which file attached in file sxs.exe were detected by other verdor with naming convention is Backdoor.Hupigon.FBA while BitDefender detected it with name Generic.GrayBird. To now, file sxs.exe is also detected by Kaspersky with name Backdoor.Hupigon and BitDefender does as. Why is it ?


    Best Regard :)


    Crem !

  • Crem
    Crem
    edited October 2007

    Here is other variant of this malware family which BitDefender detected succesfully with name : Generic.GrayBird (on 25/9/2007)


    68654729uw0.jpg


    79629195sc2.jpg

  • Cd-MaN
    Cd-MaN

    Hupigon and Graybird are actually one and the same (or to be more precise: Graybird is a subset of the Hupigon family - at least in our naming convention, other vendors may differ), so the two names are used interchangeably.


    Best regards.

  • Crem
    Crem

    Oki, Cd-MaN. But about file Explorer.sm1 :(. I think this file should be deleted.


    Ah ! May you tell me about the way to put naming convention ! Why in other vendors but i see that many malware have same naming convention :). What is it based on ?

  • Cd-MaN
    Cd-MaN

    The naming convention is more an ad-hoc thing in the sense that if during the signing process a file is not detected by other vendors, it will be named by the given researcher (unless it is part of a known family). If the sample is already detected by others and the detection name is considered appropriate, it will be used so that clients hopefully can identify the same detection across multiple vendors.

  • Crem
    Crem

    Thanks Cd-MaN for taking time to explain it to me :)


    I really appreciate.


    Crem

All Time Leaders

Categories

Defenders of the month