| Thread ID: 117365 | 2011-04-15 04:13:00 | Malware or Virus? It doesn't get detected by either? | Chilling_Silence (9) | Press F1 |
| Post ID | Timestamp | Content | User |
|---|---|---|---|
| 1194769 | 2011-04-15 04:13:00 | Hi all, Found this on a machine today. Turns out it threw itself in the Startup folder of a user, and it's been sending random stuff out onto the internet for the last few days. It's all going to what appears to be a shared hosting site, but the domain it's going to is setup.ivelog. com/setup.asp (The space is deliberate). It's phoning home every 30-45 seconds on a random port from around 1026 to 5000. I've made a .rar file with the contents (in Program Files\MP4 Player), thought a few others here might like to have a play and try and run it through some programs to see if it gets picked up. NOD32, McAfee, Malwarebytes, all missed it... Anyway, the password is "iunderstandwhatimdoing", coz I take no responsibility for the fact it *could* shred your PC to pieces... www.mediafire.com Anybody able to detect what it is, and what it's doing? | Chilling_Silence (9) |
| 1194770 | 2011-04-15 04:22:00 | NOD32 passed it. Counterspy said: Adware.Win32.Ivelog.A (fs) Risk level: Moderate Risk category: Adware (General) Advice: This is a moderate risk and should be removed or quarantined as it may negatively impact your privacy and security or make unwanted changes to your computer's settings. | pctek (84) |
| 1194771 | 2011-04-15 09:39:00 | Clamscan passed it. | mikebartnz (21) |
| 1194772 | 2011-04-15 10:13:00 | Seems quite old... From VirusTotal - Date first seen: 2008-11-10 17:02:16 (UTC) www.virustotal.com f932b06cf3dcab61499c9198b0414-1302858340 | Agent_24 (57) |
| 1194773 | 2011-04-15 10:20:00 | CAMAS analysis: camas.comodo.com 2b06cf3dcab61499c9198b0414 Weird. | Agent_24 (57) |
| 1194774 | 2011-04-15 12:26:00 | I submitted it as a sample in Security Essentials (drop down next to Help in the upper right corner, or using the website (www.microsoft.com)). An analyst got back to me very quickly, but it was because I had forgotten to provide the password Chilling put on the file! Oops. I'll let you know the result I hear back. For anyone that's really into testing, it could be fun to look at Mark Russinovich's approach to analysing Stuxnet. I'm too tired tonight though ... bed time! blogs.technet.com cheers W | waldok (15185) |
| 1194775 | 2011-04-15 12:35:00 | Yeah, it's kinda odd that so much misses it, even NOD32 with their "Heuristic scanning". The fact it starts on port 1026 and goes up one port every 30-odd seconds ... | Chilling_Silence (9) |
| 1194776 | 2011-04-15 12:40:00 | You'd think, dating from 2008 or older, it would be detected. | Agent_24 (57) |
| 1194777 | 2011-04-15 13:20:00 | True, that too, it's not like they haven't had time to analyze it :D | Chilling_Silence (9) |
| 1194778 | 2011-04-15 13:41:00 | The fact it starts on port 1026 and goes up one port every 30-odd seconds ... I think that's pretty standard behavior for the Windows network stack when any process (or maybe a particular class of process) wants an outbound connection. IIRC it starts at 1026 and allocates the next free one. If the last is still open when your beastie requests a new one, it will get the next in line. It's been a while since I looked at such things (and have no Win handy to check) so I could well be wrong, but I've definitely seen this behaviour before and recall it turning out to be benign. | fred_fish (15241) |
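An added example, not from the thread or any of its posters, of the detection angle the last two posts point at: the useful signal is a host contacted at near-constant intervals (the 30-45 second phone-home), while the climbing source ports are ordinary ephemeral-port allocation and are not treated as suspicious by themselves. The connection-log format and the sample lines are constructed for the example.

```python
"""Flag periodic outbound "phone home" connections in a simple connection log.

Constructed log format, one connection per line:
    <epoch> <src_ip>:<src_port> -> <dst_host>:<dst_port>
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: one host beaconing every ~35 s from climbing ephemeral
# ports (as described in the thread), plus ordinary browsing noise.
SAMPLE_LOG = """\
1302858300 10.0.0.5:1026 -> setup.ivelog.com:80
1302858312 10.0.0.5:1027 -> www.example.com:443
1302858336 10.0.0.5:1028 -> setup.ivelog.com:80
1302858371 10.0.0.5:1029 -> setup.ivelog.com:80
1302858390 10.0.0.5:1030 -> www.example.com:443
1302858409 10.0.0.5:1031 -> setup.ivelog.com:80
1302858445 10.0.0.5:1032 -> setup.ivelog.com:80
1302858480 10.0.0.5:1033 -> setup.ivelog.com:80
1302858600 10.0.0.5:1034 -> www.example.com:443
"""


def parse_log(text):
    """Return {dst_host: [timestamps]}; source ports are deliberately ignored."""
    by_host = defaultdict(list)
    for line in text.splitlines():
        ts, _src, _arrow, dst = line.split()
        by_host[dst.rsplit(":", 1)[0]].append(int(ts))
    return by_host


def find_beacons(text, min_conns=4, max_jitter=0.25):
    """Destinations contacted at near-constant intervals.

    A host is reported when it has at least `min_conns` connections and the
    standard deviation of the gaps is within `max_jitter` of the mean gap.
    Returns {host: (mean_interval_seconds, connection_count)}.
    """
    beacons = {}
    for host, times in parse_log(text).items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[host] = (round(avg, 1), len(times))
    return beacons


if __name__ == "__main__":
    for host, (interval, n) in find_beacons(SAMPLE_LOG).items():
        print(f"{host}: {n} connections, roughly every {interval}s")
```

Real proxy, firewall or NetFlow exports can be mapped onto `parse_log` with a different split; the interval test is what matters.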