Thunder
1st Responder
 Joined: Feb 01, 2006 Posts: 97
Posted: Tue Mar 20, 2007 10:15 am Post subject: ivevergp.exe
ivevergp.exe
VirusTotal :
Complete scanning result of "ivevergp.exe", received in VirusTotal at 03.20.2007, 11:08:55 (CET).
Antivirus Version Update Result
AhnLab-V3 2007.3.20.1 03.20.2007 no virus found
AntiVir 7.3.1.43 03.20.2007 TR/Crypt.XPACK.Gen
Authentium 4.93.8 03.20.2007 no virus found
Avast 4.7.936.0 03.19.2007 no virus found
AVG 7.5.0.447 03.20.2007 no virus found
BitDefender 7.2 03.20.2007 Trojan.Obfus.Gen
CAT-QuickHeal 9.00 03.20.2007 (Suspicious) - DNAScan
ClamAV devel-20070312 03.20.2007 no virus found
DrWeb 4.33 03.20.2007 Trojan.DownLoader.based
eSafe 7.0.14.0 03.19.2007 Win32.Polipos.sus
eTrust-Vet 30.6.3494 03.20.2007 no virus found
Ewido 4.0 03.19.2007 no virus found
FileAdvisor 1 03.20.2007 no virus found
Fortinet 2.85.0.0 03.20.2007 suspicious
F-Prot 4.3.1.45 03.19.2007 no virus found
F-Secure 6.70.13030.0 03.20.2007 Trojan.Win32.Obfuscated.ev
Ikarus T3.1.1.3 03.20.2007 Trojan-Downloader.Win32.Busky
Kaspersky 4.0.2.24 03.20.2007 Trojan.Win32.Obfuscated.ev
McAfee 4987 03.19.2007 Downloader-AXI
Microsoft 1.2306 03.20.2007 no virus found
NOD32v2 2128 03.19.2007 no virus found
Norman 5.80.02 03.19.2007 no virus found
Panda 9.0.0.4 03.20.2007 no virus found
Prevx1 V2 03.20.2007 no virus found
Sophos 4.15.0 03.13.2007 no virus found
Sunbelt 2.2.907.0 03.16.2007 VIPRE.Suspicious
Symantec 10 03.20.2007 no virus found
TheHacker 6.1.6.078 03.20.2007 no virus found
UNA 1.83 03.16.2007 no virus found
VBA32 3.11.2 03.19.2007 suspected of Trojan-Downloader.Obfuscated.3 (paranoid heuristics)
VirusBuster 4.3.7:9 03.19.2007 Trojan.DL.Obfusc.Gen.6
Aditional Information
File size: 53760 bytes
MD5: fa075a3a31049afbe49f34fcf56de381
SHA1: 9ce39aa13fb4cea72230115f9ad55d3c95c07488
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.
Jotti :
File: ivevergp.exe
Status: INFECTED/MALWARE
MD5 fa075a3a31049afbe49f34fcf56de381
Packers detected: -
Scanner results
Scan taken on 20 Mar 2007 09:58:04 (GMT)
AntiVir Found TR/Crypt.XPACK.Gen
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Trojan.Obfus.Gen
ClamAV Found nothing
Dr.Web Found Trojan.DownLoader.based
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan.Win32.Obfuscated.ev
Fortinet Found nothing
Kaspersky Anti-Virus Found Trojan.Win32.Obfuscated.ev
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
VirusBuster Found Trojan.DL.Obfusc.Gen.6
VBA32 Found Trojan-Downloader.Obfuscated.3 (paranoid heuristics) (probable variant)
link: http://www.hijackthis.nl/forum/viewtopic.php?t=7526
_________________
Whatever happens, make believe it was intended to ...
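Added example, not part of the thread: a small Python triage helper that parses the two plain-text report layouts quoted above (the VirusTotal lines of the form "vendor version update result" and Jotti's "vendor Found result" lines), counts how many engines flagged the file, tallies identical verdict strings, and checks a local file's MD5/SHA1 against the digests a report lists. The excerpts embedded below are constructed from a few of the lines above and are not a complete report; the function names are my own.

```python
import hashlib
import re
from collections import Counter

# Constructed excerpts (not a full report) in the two plain-text layouts quoted
# in the post above: VirusTotal's "<vendor> <version> <update> <result>" and
# Jotti's "<vendor> Found <result>".
VT_EXCERPT = """\
AhnLab-V3 2007.3.20.1 03.20.2007 no virus found
AntiVir 7.3.1.43 03.20.2007 TR/Crypt.XPACK.Gen
BitDefender 7.2 03.20.2007 Trojan.Obfus.Gen
CAT-QuickHeal 9.00 03.20.2007 (Suspicious) - DNAScan
F-Secure 6.70.13030.0 03.20.2007 Trojan.Win32.Obfuscated.ev
Kaspersky 4.0.2.24 03.20.2007 Trojan.Win32.Obfuscated.ev
Symantec 10 03.20.2007 no virus found
"""

JOTTI_EXCERPT = """\
AntiVir Found TR/Crypt.XPACK.Gen
AVG Antivirus Found nothing
Dr.Web Found Trojan.DownLoader.based
F-Secure Anti-Virus Found Trojan.Win32.Obfuscated.ev
VBA32 Found Trojan-Downloader.Obfuscated.3 (paranoid heuristics) (probable variant)
"""

# One regex per layout.  VT vendors are single tokens and the update stamp is
# mm.dd.yyyy; Jotti vendor names may contain spaces, so split on " Found ".
VT_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+)$")
JOTTI_LINE = re.compile(r"^(.+?)\s+Found\s+(.+)$")

# Strings each service prints for a clean result.
CLEAN = {"no virus found", "nothing"}


def parse_scan(text):
    """Return a list of (vendor, verdict) pairs; verdict is None for a clean result.

    Header and blank lines are skipped; a line matching neither layout is
    ignored rather than guessed at.
    """
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = VT_LINE.match(line)
        if m:
            vendor, verdict = m.group(1), m.group(4).strip()
        else:
            m = JOTTI_LINE.match(line)
            if not m:
                continue
            vendor, verdict = m.group(1), m.group(2).strip()
        hits.append((vendor, None if verdict.lower() in CLEAN else verdict))
    return hits


def detection_ratio(hits):
    """(engines that flagged the file, engines that scanned it)."""
    return sum(1 for _, v in hits if v is not None), len(hits)


def verdict_tally(hits):
    """Counter of verdict strings.  The same name from several engines usually
    means a shared signature engine, not independent confirmation."""
    return Counter(v for _, v in hits if v is not None)


def file_hashes(data):
    """Lower-case hex MD5 and SHA1 of the bytes, the two digests the reports carry."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def matches_report(data, report_md5, report_sha1):
    """True only if both digests of the local bytes equal the reported ones,
    so a renamed or modified file is not mistaken for the scanned sample."""
    md5, sha1 = file_hashes(data)
    return md5 == report_md5.lower() and sha1 == report_sha1.lower()


if __name__ == "__main__":
    for name, text in (("VirusTotal", VT_EXCERPT), ("Jotti", JOTTI_EXCERPT)):
        hits = parse_scan(text)
        flagged, total = detection_ratio(hits)
        print(f"{name}: {flagged}/{total} engines flagged the file")
        for verdict, n in verdict_tally(hits).most_common():
            print(f"  {n}x {verdict}")
```

The verdicts in a report like the one above (Crypt.XPACK.Gen, Obfus.Gen, "suspicious", paranoid heuristics) are generic packer and obfuscation signals rather than a family name, so the ratio says "packed and unfamiliar" more than "known downloader"; the hash check is what ties a file found on disk to the sample that was actually scanned.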
nosirrah
Security Expert Special Response Team
 Joined: Apr 19, 2006 Posts: 6301 Location: USA
Posted: Tue Mar 20, 2007 11:56 am Post subject:
This is the downloader for Ultimate Cleaner 2007 (rogue app).
I am looking for additional malware.
nosirrah
Security Expert Special Response Team
 Joined: Apr 19, 2006 Posts: 6301 Location: USA
Posted: Tue Mar 20, 2007 12:39 pm Post subject:
This thing drops a huge pile of @#%$.
You can delete this entire folder:
C:\WINDOWS\system32\pntadmhv
It may be randomly named but should be the last folder created in the system32 directory.
I also found all of these lurking in system32:
asdjhweq.exe
ivevergp.exe
rurexexo.exe
sttool32.exe
fprlnci.dll
LCusLaZ8.dll
out.dll
All of them have positive hits at VT.
nosirrah
Security Expert Special Response Team
 Joined: Apr 19, 2006 Posts: 6301 Location: USA
Posted: Tue Mar 20, 2007 1:05 pm Post subject:
One more.
C:\Documents and Settings\*user name*\Local Settings\Application Data\fprlnci.dll
Looks randomly named.
Thunder
1st Responder
 Joined: Feb 01, 2006 Posts: 97
Posted: Tue Mar 20, 2007 1:06 pm Post subject:
Thanks nosirrah,
I'll have a look at what ComboFix turns up.
Btw, I provided a wrong link (and can't edit);
this is the right one: http://www.hijackthis.nl/forum/viewtopic.php?t=7778
nosirrah
Security Expert Special Response Team
 Joined: Apr 19, 2006 Posts: 6301 Location: USA
Posted: Tue Mar 20, 2007 1:16 pm Post subject:
It just keeps coming.
Look for 4 new folders created in the Program Files folder.
nosirrah
Security Expert Special Response Team
 Joined: Apr 19, 2006 Posts: 6301 Location: USA
Posted: Tue Mar 20, 2007 2:11 pm Post subject:
nosirrah wrote:
> It just keeps coming.
> Look for 4 new folders created in the Program Files folder.
These look like planted files to be captured during the fake scan.
"hey look, he just found malware that we planted in your system, now give us money to remove it"
I am going to start over with this infection and give a full report.
nosirrah
Security Expert Special Response Team
 Joined: Apr 19, 2006 Posts: 6301 Location: USA
Posted: Tue Mar 20, 2007 2:47 pm Post subject:
They may have pulled the plug on this. I can't get the infection to take this time.
Thunder
1st Responder
 Joined: Feb 01, 2006 Posts: 97
nosirrah
Security Expert Special Response Team
 Joined: Apr 19, 2006 Posts: 6301 Location: USA
Posted: Tue Mar 20, 2007 10:23 pm Post subject:
Quote:
> Would you be interested in something from the OTMoved folder?
Yes, what I was looking at earlier was not well detected.
Zip and attach anything that I did not mention earlier.
Thanks again for this sample.
Thunder
1st Responder
 Joined: Feb 01, 2006 Posts: 97
Posted: Wed Mar 21, 2007 8:21 am Post subject:
Attached
nosirrah
Security Expert Special Response Team
 Joined: Apr 19, 2006 Posts: 6301 Location: USA
Posted: Wed Mar 21, 2007 12:14 pm Post subject:
Thanks again, there are a lot of new pests in there.
himm77 Currently banned Cadet

 Joined: Apr 24, 2007 Posts: 1 Location: Germany
Posted: Tue Apr 24, 2007 8:44 am Post subject:
MOD EDIT
SPAM REMOVED
nosirrah
Security Expert Special Response Team
 Joined: Apr 19, 2006 Posts: 6301 Location: USA
Posted: Tue Apr 24, 2007 11:55 am Post subject:
Do NOT visit any of these sites, but do add them to your block list and/or hosts file.
http://www.all4smokers.net
http://www.all-cigarettes-brands.com
http://www.all-drugs-online.com
http://www.best-buy-cigarettes.com
http://www.buy-euro-cigarettes.com
http://www.cheap-cigarettes-brands.com
http://www.cigarettes-blog.com
http://www.cigarettes-market.com
http://www.cigbrand.com
http://www.discount-euro-cigarettes.com
http://www.fitnessmed.net
http://www.marlboro4sale.net
http://www.medoutlet.net
http://www.medoutlet.net
http://www.on-line-cigarettes.com
http://www.pharmasport.orgine,
http://www.pharmawholesaler.com
http://www.salecigarettesonline.com
http://www.shop-cigarette.com
http://www.shop-smoke.com
http://www.smoke4sale.com
http://www.smoke-discount-cigarettes.com
http://www.smoker-heaven.com
http://www.smokingbrands4sale.com,
http://www.the-cheapest-cigarettes.com
http://www.topcigarettesonline.com
http://www.topcigshop.com
http://www.viagra-vitamins.com
Thank you spammer.
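Added example, not from the post above: Python that turns a pasted list like that one into hosts-file entries (trailing commas, paths and duplicate entries of the kind seen in the list are normalized away, and lines that are not hostnames are dropped) and merges them into an existing hosts file between marker comments so the step can be repeated with a newer list. The domains in the embedded sample are constructed placeholders under the reserved .invalid TLD, not the ones from the post; the marker text, sink address and function names are my own choices.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for the pasted list above: placeholder names under the
# reserved .invalid TLD, with the same kinds of noise (trailing commas, a path,
# a repeated entry, a junk line).
BLOCKLIST = """\
http://www.example-spam-a.invalid
http://www.example-spam-b.invalid/landing?ref=1,
http://www.example-spam-a.invalid
https://example-spam-c.invalid,
not a url at all
"""

# RFC 1123-style hostname: dot-separated labels, at least two of them.
HOSTNAME = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{1,62}$")

# Hypothetical marker comments so the managed block can be found and replaced.
BEGIN = "# BEGIN forum blocklist"
END = "# END forum blocklist"


def to_hostname(entry):
    """Reduce one pasted line to a bare lower-case hostname, or None if unusable."""
    entry = entry.strip().rstrip(",").strip()
    if not entry:
        return None
    if "://" not in entry:
        entry = "http://" + entry          # let urlsplit treat a bare name as a host
    host = urlsplit(entry).hostname        # drops scheme, path, query, port; lower-cases
    if not host or not HOSTNAME.match(host):
        return None
    return host


def hosts_entries(text, sink="0.0.0.0"):
    """Sorted, de-duplicated 'sink host' lines for every usable entry in text."""
    hosts = {h for h in (to_hostname(line) for line in text.splitlines()) if h}
    return [f"{sink} {host}" for host in sorted(hosts)]


def merge_into_hosts(existing, text, sink="0.0.0.0"):
    """Return the existing hosts-file contents with the marked block inserted or
    replaced; every line outside the markers is preserved, so re-running with a
    newer list is safe."""
    lines = existing.splitlines()
    if BEGIN in lines and END in lines and lines.index(BEGIN) < lines.index(END):
        start, end = lines.index(BEGIN), lines.index(END)
        before, after = lines[:start], lines[end + 1:]
    else:
        before, after = lines, []
    block = [BEGIN] + hosts_entries(text, sink) + [END]
    return "\n".join(before + block + after) + "\n"


if __name__ == "__main__":
    print(merge_into_hosts("127.0.0.1 localhost\n", BLOCKLIST), end="")
```

The sink address 0.0.0.0 is used rather than 127.0.0.1 so that a blocked name does not turn into a connection attempt against whatever happens to listen on loopback; the marker block is what makes the merge idempotent, which matters once the list is maintained across several updates.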
bydoktor
Cadet

 Joined: Aug 28, 2008 Posts: 1 Location: Turkey