New polymorphic variant of VBNA that downloads several different files still poorly detected by current AVs (only 4 of 43)
The parent of the current Buzus, Proxy EXI, Sirefef, SIMDA, etc. is the VBNA worm, which downloads files with racy names such as Porn.exe, Secret.exe (with a folder icon) and Sexy.exe, like the latest ones we received and analyse below.
We add detection for all of them starting with today's ELIVBNA 2.38.
The VirusTotal pre-analysis gives these reports:
File name: Porn.exe
Submission date: 2012-01-10 11:57:13 (UTC)
Result: 4/ 43 (9.3%)
VT Community: not reviewed
Safety score: –
Antivirus Version Last Update Result
AhnLab-V3 2012.01.10.00 2012.01.10 –
AntiVir 7.11.20.221 2012.01.10 –
Antiy-AVL 2.0.3.7 2012.01.10 –
Avast 6.0.1289.0 2012.01.10 –
AVG 10.0.0.1190 2012.01.10 –
BitDefender 7.2 2012.01.10 –
ByteHero 1.0.0.1 2011.12.31 –
CAT-QuickHeal 12.00 2012.01.10 –
ClamAV 0.97.3.0 2012.01.10 –
Commtouch 5.3.2.6 2012.01.10 –
Comodo 11233 2012.01.10 –
DrWeb 5.0.2.03300 2012.01.10 Trojan.VbCrypt.81
Emsisoft 5.1.0.11 2012.01.10 –
eSafe 7.0.17.0 2012.01.09 –
eTrust-Vet None 2012.01.10 –
F-Prot 4.6.5.141 2012.01.09 –
F-Secure 9.0.16440.0 2012.01.10 –
Fortinet 4.3.388.0 2012.01.10 –
GData 22.342/22.636 2012.01.10 –
Ikarus T3.1.1.109.0 2012.01.10 –
Jiangmin 13.0.900 2012.01.09 –
K7AntiVirus 9.124.5897 2012.01.09 –
Kaspersky 9.0.0.837 2012.01.10 Trojan.Win32.Diple.eiol
McAfee 5.400.0.1158 2012.01.10 –
McAfee-GW-Edition 2010.1E 2012.01.10 –
Microsoft 1.7903 2012.01.10 –
NOD32 6781 2012.01.10 a variant of Win32/AutoRun.VB.AQN
Norman 6.07.13 2012.01.09 –
nProtect 2012-01-10.01 2012.01.10 –
Panda 10.0.3.5 2012.01.09 –
PCTools 8.0.0.5 2012.01.10 –
Prevx 3.0 2012.01.10 –
Rising 23.92.01.02 2012.01.10 –
Sophos 4.73.0 2012.01.10 Mal/SillyFDC-U
SUPERAntiSpyware 4.40.0.1006 2012.01.10 –
Symantec 20111.2.0.82 2012.01.10 –
TheHacker 6.7.0.1.375 2012.01.10 –
TrendMicro 9.500.0.1008 2012.01.10 –
TrendMicro-HouseCall 9.500.0.1008 2012.01.10 –
VBA32 3.12.16.4 2012.01.10 –
VIPRE 11378 2012.01.10 –
ViRobot 2012.1.10.4873 2012.01.10 –
VirusBuster 14.1.158.1 2012.01.09 –
Additional information
MD5 : c9f99a521e8e24f19fc256d4dc67f8ce
SHA1 : bc758fc5b611e345ea4347c9797281bdcbbbce88
File size : 286720 bytes
copyright….: n/a
product……: lWPbqffO
description..: n/a
original name: Ahkncnhu.exe
internal name: Ahkncnhu
file version.: 1.00
_________
File name: Secret.exe
Submission date: 2012-01-10 12:00:59 (UTC)
Result: 4/ 43 (9.3%)
VT Community: malware
Safety score: 0.0%
Antivirus Version Last Update Result
AhnLab-V3 2012.01.10.00 2012.01.10 –
AntiVir 7.11.20.221 2012.01.10 –
Antiy-AVL 2.0.3.7 2012.01.10 –
Avast 6.0.1289.0 2012.01.10 –
AVG 10.0.0.1190 2012.01.10 –
BitDefender 7.2 2012.01.10 –
ByteHero 1.0.0.1 2011.12.31 –
CAT-QuickHeal 12.00 2012.01.10 –
ClamAV 0.97.3.0 2012.01.10 –
Commtouch 5.3.2.6 2012.01.10 –
Comodo 11233 2012.01.10 –
DrWeb 5.0.2.03300 2012.01.10 Trojan.VbCrypt.81
Emsisoft 5.1.0.11 2012.01.10 –
eSafe 7.0.17.0 2012.01.09 –
eTrust-Vet 37.0.9673 2012.01.10 –
F-Prot 4.6.5.141 2012.01.09 –
F-Secure 9.0.16440.0 2012.01.10 –
Fortinet 4.3.388.0 2012.01.10 –
GData 22 2012.01.10 –
Ikarus T3.1.1.109.0 2012.01.10 –
Jiangmin 13.0.900 2012.01.09 –
K7AntiVirus 9.124.5897 2012.01.09 –
Kaspersky 9.0.0.837 2012.01.10 Trojan.Win32.Diple.eiol
McAfee 5.400.0.1158 2012.01.10 –
McAfee-GW-Edition 2010.1E 2012.01.10 –
Microsoft 1.7903 2012.01.10 –
NOD32 6781 2012.01.10 a variant of Win32/AutoRun.VB.AQN
Norman 6.07.13 2012.01.09 –
nProtect 2012-01-10.01 2012.01.10 –
Panda 10.0.3.5 2012.01.09 –
PCTools 8.0.0.5 2012.01.10 –
Prevx 3.0 2012.01.10 –
Rising 23.92.01.02 2012.01.10 –
Sophos 4.73.0 2012.01.10 Mal/SillyFDC-U
SUPERAntiSpyware 4.40.0.1006 2012.01.10 –
Symantec 20111.2.0.82 2012.01.10 –
TheHacker 6.7.0.1.375 2012.01.10 –
TrendMicro 9.500.0.1008 2012.01.10 –
TrendMicro-HouseCall 9.500.0.1008 2012.01.10 –
VBA32 3.12.16.4 2012.01.10 –
VIPRE 11378 2012.01.10 –
ViRobot 2012.1.10.4873 2012.01.10 –
VirusBuster 14.1.158.1 2012.01.09 –
File size : 286720 bytes
copyright….: n/a
product……: GfDrGjYQ
description..: n/a
original name: nLbHqIHM.exe
internal name: nLbHqIHM
file version.: 1.00
________
File name: Sexy.exe
Submission date: 2012-01-10 12:03:53 (UTC)
Result: 4/ 43 (9.3%)
VT Community: not reviewed
Safety score: –
Antivirus Version Last Update Result
AhnLab-V3 2012.01.10.00 2012.01.10 –
AntiVir 7.11.20.221 2012.01.10 –
Antiy-AVL 2.0.3.7 2012.01.10 –
Avast 6.0.1289.0 2012.01.10 –
AVG 10.0.0.1190 2012.01.10 –
BitDefender 7.2 2012.01.10 –
ByteHero 1.0.0.1 2011.12.31 –
CAT-QuickHeal 12.00 2012.01.10 –
ClamAV 0.97.3.0 2012.01.10 –
Commtouch 5.3.2.6 2012.01.10 –
Comodo 11233 2012.01.10 –
DrWeb 5.0.2.03300 2012.01.10 Trojan.VbCrypt.81
Emsisoft 5.1.0.11 2012.01.10 –
eSafe 7.0.17.0 2012.01.09 –
eTrust-Vet 37.0.9673 2012.01.10 –
F-Prot 4.6.5.141 2012.01.09 –
F-Secure 9.0.16440.0 2012.01.10 –
Fortinet 4.3.388.0 2012.01.10 –
GData 22 2012.01.10 –
Ikarus T3.1.1.109.0 2012.01.10 –
Jiangmin 13.0.900 2012.01.09 –
K7AntiVirus 9.124.5897 2012.01.09 –
Kaspersky 9.0.0.837 2012.01.10 Trojan.Win32.Diple.eiol
McAfee 5.400.0.1158 2012.01.10 –
McAfee-GW-Edition 2010.1E 2012.01.10 –
Microsoft 1.7903 2012.01.10 –
NOD32 6781 2012.01.10 a variant of Win32/AutoRun.VB.AQN
Norman 6.07.13 2012.01.09 –
nProtect 2012-01-10.01 2012.01.10 –
Panda 10.0.3.5 2012.01.09 –
PCTools 8.0.0.5 2012.01.10 –
Prevx 3.0 2012.01.10 –
Rising 23.92.01.02 2012.01.10 –
Sophos 4.73.0 2012.01.10 Mal/SillyFDC-U
SUPERAntiSpyware 4.40.0.1006 2012.01.10 –
Symantec 20111.2.0.82 2012.01.10 –
TheHacker 6.7.0.1.375 2012.01.10 –
TrendMicro 9.500.0.1008 2012.01.10 –
TrendMicro-HouseCall 9.500.0.1008 2012.01.10 –
VBA32 3.12.16.4 2012.01.10 –
VIPRE 11378 2012.01.10 –
ViRobot 2012.1.10.4873 2012.01.10 –
VirusBuster 14.1.158.1 2012.01.09 –
Additional information
MD5 : 619d31c235f5b46bd650e460792cd373
SHA1 : e7d9e2b5197e69edfc8edfbcd55d8de068158b35
File size : 286720 bytes
publisher….: n/a
copyright….: n/a
product……: UevYKkgo
description..: n/a
original name: IBQHsPnI.exe
internal name: IBQHsPnI
file version.: 1.00
______
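The three reports above can be triaged mechanically. The following Python script is an added example and is not part of the SATINFO post or of ELIVBNA: it parses VirusTotal's compact rows exactly as quoted in the post (engine, version, last update, result, with an en dash meaning no detection), reproduces the 4/43 detection ratio and the four vendor labels, and checks the three samples for the polymorphism indicators visible in the reports (identical 286720-byte size, different hashes, random eight-letter product and original-name strings). The eight-letter heuristic and the `SAMPLES` table layout are assumptions of this example, not something the post defines.

```python
"""Triage of VirusTotal 'compact' listings like the ones quoted in the post.

Added example, not part of the SATINFO post or the ELIVBNA tool. The engine rows
below are copied from the post's Porn.exe report; the Secret.exe and Sexy.exe
reports list the same rows, so only their PE metadata is kept.
"""
import re

VT_PORN_EXE = """\
AhnLab-V3 2012.01.10.00 2012.01.10 –
AntiVir 7.11.20.221 2012.01.10 –
Antiy-AVL 2.0.3.7 2012.01.10 –
Avast 6.0.1289.0 2012.01.10 –
AVG 10.0.0.1190 2012.01.10 –
BitDefender 7.2 2012.01.10 –
ByteHero 1.0.0.1 2011.12.31 –
CAT-QuickHeal 12.00 2012.01.10 –
ClamAV 0.97.3.0 2012.01.10 –
Commtouch 5.3.2.6 2012.01.10 –
Comodo 11233 2012.01.10 –
DrWeb 5.0.2.03300 2012.01.10 Trojan.VbCrypt.81
Emsisoft 5.1.0.11 2012.01.10 –
eSafe 7.0.17.0 2012.01.09 –
eTrust-Vet None 2012.01.10 –
F-Prot 4.6.5.141 2012.01.09 –
F-Secure 9.0.16440.0 2012.01.10 –
Fortinet 4.3.388.0 2012.01.10 –
GData 22.342/22.636 2012.01.10 –
Ikarus T3.1.1.109.0 2012.01.10 –
Jiangmin 13.0.900 2012.01.09 –
K7AntiVirus 9.124.5897 2012.01.09 –
Kaspersky 9.0.0.837 2012.01.10 Trojan.Win32.Diple.eiol
McAfee 5.400.0.1158 2012.01.10 –
McAfee-GW-Edition 2010.1E 2012.01.10 –
Microsoft 1.7903 2012.01.10 –
NOD32 6781 2012.01.10 a variant of Win32/AutoRun.VB.AQN
Norman 6.07.13 2012.01.09 –
nProtect 2012-01-10.01 2012.01.10 –
Panda 10.0.3.5 2012.01.09 –
PCTools 8.0.0.5 2012.01.10 –
Prevx 3.0 2012.01.10 –
Rising 23.92.01.02 2012.01.10 –
Sophos 4.73.0 2012.01.10 Mal/SillyFDC-U
SUPERAntiSpyware 4.40.0.1006 2012.01.10 –
Symantec 20111.2.0.82 2012.01.10 –
TheHacker 6.7.0.1.375 2012.01.10 –
TrendMicro 9.500.0.1008 2012.01.10 –
TrendMicro-HouseCall 9.500.0.1008 2012.01.10 –
VBA32 3.12.16.4 2012.01.10 –
VIPRE 11378 2012.01.10 –
ViRobot 2012.1.10.4873 2012.01.10 –
VirusBuster 14.1.158.1 2012.01.09 –
"""

# (md5, size, product, original name) from the post; Secret.exe's hashes were not listed.
SAMPLES = {
    "Porn.exe": ("c9f99a521e8e24f19fc256d4dc67f8ce", 286720, "lWPbqffO", "Ahkncnhu.exe"),
    "Secret.exe": (None, 286720, "GfDrGjYQ", "nLbHqIHM.exe"),
    "Sexy.exe": ("619d31c235f5b46bd650e460792cd373", 286720, "UevYKkgo", "IBQHsPnI.exe"),
}

NO_DETECTION = {"–", "-", "—"}  # VT prints an en dash for a clean verdict
RANDOM_NAME = re.compile(r"^[A-Za-z]{8}(\.exe)?$")  # assumed heuristic: 8 random letters


def parse_vt_compact(text):
    """Rows are 'ENGINE VERSION UPDATE RESULT'; RESULT may contain spaces or be a dash."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:  # header or blank line
            continue
        result = " ".join(parts[3:])
        rows.append({"engine": parts[0], "version": parts[1], "updated": parts[2],
                     "result": None if result in NO_DETECTION else result})
    return rows


def detection_summary(rows):
    """(detected, total, {engine: label}) for one listing."""
    hits = {r["engine"]: r["result"] for r in rows if r["result"]}
    return len(hits), len(rows), hits


def polymorphism_indicators(samples):
    """Static hints that several droppers are re-packed builds of one family."""
    md5s = [m for m, *_ in samples.values() if m]
    strings = [v for _, _, prod, name in samples.values() for v in (prod, name)]
    return {
        "identical_size": len({size for _, size, *_ in samples.values()}) == 1,
        "distinct_hashes": len(set(md5s)) == len(md5s) > 0,
        "random_version_strings": all(RANDOM_NAME.match(s) for s in strings)
        and len(set(strings)) == len(strings),
    }


if __name__ == "__main__":
    n, total, hits = detection_summary(parse_vt_compact(VT_PORN_EXE))
    print(f"{n}/{total} engines detect Porn.exe: {hits}")
    print(polymorphism_indicators(SAMPLES))
```

The same parser works on any VT compact listing pasted from the web page of that era; the indicator check is deliberately cheap (size, hash, version-string shape) so it can be run over a whole quarantine folder before any sample is opened.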
That ELIVBNA 2.38 version, which detects and removes them, will be available on our website from 19:00 CEST today.
regards
ms, 10-1-2012
NOTE: These three files are precisely the ones that download the BUZUS variants we will analyse next.
ms.
NOTE: Anyone interested in information about a SATINFO Technical Assistance support contract and/or a licence for use/updates of its utilities should contact info@satinfo.es