Nueva variante de FAKE TOOL WIN DISK, Dropper, Scanner y DLL, aun poco controlado por los AV actuales:

Una nueva variante de estas falsas herramientas de Diagnostico de Disco Duro y que van apareciendo al mismo tiempo que Falsos Antivirus (FAKE ALERTS), es esta que pasamos a controlar en su totalidad (Dropper, Scanner y DLL de avisos) con el ELISTARA de hoy, 22.62

El preanalisis del dropper muestra todavia que es poco controlado actualmente (solo 19 de 43 AV)

File name: GkFXkqPHJQ.exe.vir
Submission date: 2011-02-16 08:08:00 (UTC)

Result: 19/ 43 (44.2%)
VT Community

malware
Safety score: 0.0%
Compact Print results Antivirus Version Last Update Result
AhnLab-V3 2011.02.14.02 2011.02.14 Trojan/Win32.FakeAV
AntiVir 7.11.3.93 2011.02.15 TR/Crypt.XPACK.Gen
Antiy-AVL 2.0.3.7 2011.02.15 –
Avast 4.8.1351.0 2011.02.16 –
Avast5 5.0.677.0 2011.02.16 Win32:FakeSysdef-CS
AVG 10.0.0.1190 2011.02.16 Generic21.HYD
BitDefender 7.2 2011.02.16 Gen:Variant.Kazy.12256
CAT-QuickHeal 11.00 2011.02.16 –
ClamAV 0.96.4.0 2011.02.16 –
Commtouch 5.2.11.5 2011.02.16 –
Comodo 7705 2011.02.16 –
DrWeb 5.0.2.03300 2011.02.16 Trojan.DownLoader1.48779
Emsisoft 5.1.0.2 2011.02.16 Trojan.Crypt!IK
eSafe 7.0.17.0 2011.02.15 –
eTrust-Vet 36.1.8161 2011.02.15 –
F-Prot 4.6.2.117 2011.02.15 –
F-Secure 9.0.16160.0 2011.02.16 Gen:Variant.Kazy.12256
Fortinet 4.2.254.0 2011.02.16 –
GData 21 2011.02.16 Gen:Variant.Kazy.12256
Ikarus T3.1.1.97.0 2011.02.16 Trojan.Crypt
Jiangmin 13.0.900 2011.02.16 –
K7AntiVirus 9.85.3859 2011.02.15 –
Kaspersky 7.0.0.125 2011.02.16 Trojan.Win32.FakeAV.aimc
McAfee 5.400.0.1158 2011.02.16 Generic FakeAlert!mr
McAfee-GW-Edition 2010.1C 2011.02.16 Artemis!B1EA8C5F6D11
Microsoft 1.6502 2011.02.16 Trojan:Win32/FakeSysdef
NOD32 5878 2011.02.15 a variant of Win32/Kryptik.KRP
Norman 6.07.03 2011.02.15 –
nProtect 2011-02-10.01 2011.02.15 –
Panda 10.0.3.5 2011.02.15 –
PCTools 7.0.3.5 2011.02.16 –
Prevx 3.0 2011.02.16 Medium Risk Malware
Rising 23.45.01.06 2011.02.15 –
Sophos 4.61.0 2011.02.16 Mal/FakeAV-IK
SUPERAntiSpyware 4.40.0.1006 2011.02.16 Trojan.Agent/Gen-FraudWare
Symantec 20101.3.0.103 2011.02.16 –
TheHacker 6.7.0.1.131 2011.02.15 –
TrendMicro 9.200.0.1012 2011.02.16 –
TrendMicro-HouseCall 9.200.0.1012 2011.02.15 –
VBA32 3.12.14.3 2011.02.15 –
VIPRE 8436 2011.02.16 Trojan.Win32.Generic.pak!cobra
ViRobot 2011.2.16.4312 2011.02.16 –
VirusBuster 13.6.202.1 2011.02.15 –
Additional informationShow all
MD5   : b1ea8c5f6d1181a1993759dd68e462df
SHA1  : 0419a1306558a4907c8fb8fa2248ae1835bed352
File size : 466432 bytes
publisher….: imgs
copyright….: (c) imgs software
product……: imgs
description..: imgs
original name: imgs
internal name: imgs
file version.: 10.414.468.475

y el preanalisis del escaneador:

File name: Pp0cx8tfqHs.exe.vir
Submission date: 2011-02-16 08:04:18 (UTC)
Result: 16/ 43 (37.2%)
VT Community

malware
Safety score: 0.0%
Compact Print results Antivirus Version Last Update Result
AhnLab-V3 2011.02.14.02 2011.02.14 –
AntiVir 7.11.3.93 2011.02.15 TR/FakeSysdef.B
Antiy-AVL 2.0.3.7 2011.02.15 –
Avast 4.8.1351.0 2011.02.16 –
Avast5 5.0.677.0 2011.02.16 Win32:FakeSysdef-CS
AVG 10.0.0.1190 2011.02.16 Generic21.HYH
BitDefender 7.2 2011.02.16 –
CAT-QuickHeal 11.00 2011.02.16 –
ClamAV 0.96.4.0 2011.02.16 –
Commtouch 5.2.11.5 2011.02.16 –
Comodo 7705 2011.02.16 TrojWare.Win32.FraudTool.FakeScan.~kwa
DrWeb 5.0.2.03300 2011.02.16 Trojan.Fakealert.20063
Emsisoft 5.1.0.2 2011.02.16 Trojan.FakeSysdef!IK
eSafe 7.0.17.0 2011.02.15 –
eTrust-Vet 36.1.8161 2011.02.15 –
F-Prot 4.6.2.117 2011.02.15 –
F-Secure 9.0.16160.0 2011.02.16 –
Fortinet 4.2.254.0 2011.02.16 –
GData 21 2011.02.16 –
Ikarus T3.1.1.97.0 2011.02.16 Trojan.FakeSysdef
Jiangmin 13.0.900 2011.02.16 –
K7AntiVirus 9.85.3859 2011.02.15 –
Kaspersky 7.0.0.125 2011.02.16 –
McAfee 5.400.0.1158 2011.02.16 Generic FakeAlert!mr
McAfee-GW-Edition 2010.1C 2011.02.16 Artemis!33D142FD2CB0
Microsoft 1.6502 2011.02.16 Trojan:Win32/FakeSysdef
NOD32 5878 2011.02.15 a variant of Win32/Kryptik.KRP
Norman 6.07.03 2011.02.15 –
nProtect 2011-02-10.01 2011.02.15 –
Panda 10.0.3.5 2011.02.15 Suspicious file
PCTools 7.0.3.5 2011.02.16 –
Prevx 3.0 2011.02.16 Medium Risk Malware
Rising 23.45.01.06 2011.02.15 –
Sophos 4.61.0 2011.02.16 Mal/FakeAV-IK
SUPERAntiSpyware 4.40.0.1006 2011.02.16 Trojan.Agent/Gen-FakeSecurity
Symantec 20101.3.0.103 2011.02.16 –
TheHacker 6.7.0.1.131 2011.02.15 –
TrendMicro 9.200.0.1012 2011.02.16 –
TrendMicro-HouseCall 9.200.0.1012 2011.02.15 –
VBA32 3.12.14.3 2011.02.15 –
VIPRE 8436 2011.02.16 Trojan.Win32.Generic.pak!cobra
ViRobot 2011.2.16.4312 2011.02.16 –
VirusBuster 13.6.202.1 2011.02.15 –
Additional informationShow all
MD5   : 33d142fd2cb05cd5e7f04d4a3304b2bd
SHA1  : bd53d8539915a620f817500651961eb3b80b6341

File size : 381440 bytes

publisher….: WISC
copyright….: (c) WISC 2006-2011
product……: WISC
description..: WISC
original name: WISC
internal name: WISC
file version.: 414.471.741.417

y la DLL de los avisos:

File name: NsGqIajvUa.dll.vir
Submission date: 2011-02-16 08:11:12 (UTC)

Result: 13/ 43 (30.2%)
VT Community

not reviewed
Safety score: –
Compact Print results Antivirus Version Last Update Result
AhnLab-V3 2011.02.14.02 2011.02.14 Trojan/Win32.FakeAV
AntiVir 7.11.3.93 2011.02.15 TR/Crypt.XPACK.Gen2
Antiy-AVL 2.0.3.7 2011.02.15 –
Avast 4.8.1351.0 2011.02.16 –
Avast5 5.0.677.0 2011.02.16 Win32:FakeSysdef-CS
AVG 10.0.0.1190 2011.02.16 –
BitDefender 7.2 2011.02.16 –
CAT-QuickHeal 11.00 2011.02.16 –
ClamAV 0.96.4.0 2011.02.16 –
Commtouch 5.2.11.5 2011.02.16 –
Comodo 7705 2011.02.16 –
DrWeb 5.0.2.03300 2011.02.16 –
Emsisoft 5.1.0.2 2011.02.16 Trojan.Crypt!IK
eSafe 7.0.17.0 2011.02.15 –
eTrust-Vet 36.1.8161 2011.02.15 –
F-Prot 4.6.2.117 2011.02.15 –
F-Secure 9.0.16160.0 2011.02.16 –
Fortinet 4.2.254.0 2011.02.16 –
GData 21 2011.02.16 –
Ikarus T3.1.1.97.0 2011.02.16 Trojan.Crypt
Jiangmin 13.0.900 2011.02.16 –
K7AntiVirus 9.85.3859 2011.02.15 –
Kaspersky 7.0.0.125 2011.02.16 –
McAfee 5.400.0.1158 2011.02.16 Generic FakeAlert!mr
McAfee-GW-Edition 2010.1C 2011.02.16 Artemis!35435136E1B1
Microsoft 1.6502 2011.02.16 Trojan:Win32/FakeSysdef
NOD32 5878 2011.02.15 a variant of Win32/Kryptik.KRP
Norman 6.07.03 2011.02.15 –
nProtect 2011-02-10.01 2011.02.15 –
Panda 10.0.3.5 2011.02.15 –
PCTools 7.0.3.5 2011.02.16 –
Prevx 3.0 2011.02.16 Medium Risk Malware
Rising 23.45.01.06 2011.02.15 –
Sophos 4.61.0 2011.02.16 Mal/FakeAV-IK
SUPERAntiSpyware 4.40.0.1006 2011.02.16 Trojan.Agent/Gen-FraudWare
Symantec 20101.3.0.103 2011.02.16 –
TheHacker 6.7.0.1.131 2011.02.15 –
TrendMicro 9.200.0.1012 2011.02.16 –
TrendMicro-HouseCall 9.200.0.1012 2011.02.15 –
VBA32 3.12.14.3 2011.02.15 –
VIPRE 8436 2011.02.16 Trojan.Win32.Generic!BT
ViRobot 2011.2.16.4312 2011.02.16 –
VirusBuster 13.6.202.1 2011.02.15 –
Additional informationShow all
MD5   : 35435136e1b1503d2bd449556593d906
SHA1  : ce1ca9ab87921f9811e327c8f5178fbefb141ea6

File size : 429568 bytes

publisher….: imgs
copyright….: (c) imgs software
product……: imgs
description..: imgs
original name: imgs
internal name: imgs
file version.: 10.414.468.475

Como se ve, aun en el preanalisis del dropper, que es en el que se mas AV lo detectan, aun no lo controlan algunos conocidos como
eSafe 7.0.17.0 2011.02.15 –
eTrust-Vet 36.1.8161 2011.02.15 –
F-Prot 4.6.2.117 2011.02.15 –
Fortinet 4.2.254.0 2011.02.16 –
Norman 6.07.03 2011.02.15 –
Panda 10.0.3.5 2011.02.15 –
Symantec 20101.3.0.103 2011.02.16 –
TrendMicro 9.200.0.1012 2011.02.16 –

Tanto del dropper como el Scanner son lanzados en cada reinicio por sendas claves de registro, y el dropper es el que lanza a su vez la DLL incordiante.

La versión del ELISTARA 22.62 que controla y elimina los tres componentes, estará disponible en nuestra web a partir de las 19 horas de hoy

saludos

ms,16-2-2011