FromTheRafters
Since: Feb 16, 2009 Posts: 26
Posted: Wed Aug 26, 2009 9:13 am
Post subject: Re: And 45 days after I sent the worm to AVAST
Archived from groups: alt>comp>anti-virus
"Shadow" <Sh@dow> wrote in message
news:35v8955bk9q3gj37loeqnr1pq1349mj50m@4ax.com...
> I disabled my antivirus and I uploaded C:\Documents and
> Settings\nemesis\Meus documentos\qpqdcj.virus.exe.zip. I used pathcopy
> and pasted in the whole path. I don't follow your logic. It's exactly
> the same file I posted to virustotal. Try and see.
> The csrcs.exe file is what the virus becomes when it is
> loaded in memory. It is written with that name to system32 folder. On
> the pendrive it adopts at least 4 different names. The csrcs is a type
> of memory-resident thingy that writes to any pendrive introduced into
> the machine. It also tries to connect to the internet, messes around
> with some share (registry) permissions, alters the explorers shell
> command so you cannot see it in a browser, and dunno what else. The
> virus csrcs.exe (inside the zip) has an md5 of:
>
> 3DE68324891964BDD2227141474797BB
>
> and exactly 725.796 bytes.
>
> Ooops, was that dangerous ? I had to turn my AV off to give
> you that ....
Some on-access scanners will even alert when the file is accessed for
icon information for displaying in a filesystem browser. It is not
dangerous to open a file for other than execution, but if the AV scans
on "open" it will alert even though your action posed no real risk.
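FromTheRafters' point above is that reading a file (for a hash, a size check or icon extraction) is not the same as running it; the on-access scanner reacts to the open, not to any risk. As an added example, not code from any poster in this thread, here is a Python triage helper that hashes the members of a zipped sample in memory and compares the result with a reported MD5 and byte size, the way one would confirm that the figures Shadow quoted refer to the same bytes as the file on disk. The zip archive, its member name and the payload bytes are constructed stand-ins, not the sample from the thread.

```python
import hashlib
import io
import zipfile
from typing import Dict, List


def build_sample_zip(member_name: str, payload: bytes) -> bytes:
    """Build a zip archive in memory. Constructed stand-in for a zipped sample,
    so the example runs without touching any real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def triage_zip(zip_bytes: bytes) -> List[Dict[str, object]]:
    """Return name, uncompressed size and MD5/SHA-256 for every file member.

    Members are read into memory and hashed there: nothing is extracted to
    disk and nothing is executed, so the only event an on-access scanner can
    react to is the archive itself being opened for reading.
    """
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            results.append({
                "name": info.filename,
                "size": len(data),
                "md5": hashlib.md5(data).hexdigest().upper(),
                "sha256": hashlib.sha256(data).hexdigest(),
            })
    return results


def matches_report(entry: Dict[str, object], expected_md5: str, expected_size: int) -> bool:
    """True when a member has the MD5 and byte size quoted in someone else's
    report (a VirusTotal page, a newsgroup post), i.e. both parties are
    talking about the same bytes."""
    return str(entry["md5"]).upper() == expected_md5.upper() and entry["size"] == expected_size


if __name__ == "__main__":
    archive = build_sample_zip("dummy.bin", b"abc")  # constructed content, not the thread's sample
    for entry in triage_zip(archive):
        print(entry["name"], entry["size"], entry["md5"], entry["sha256"])
        # The figures Shadow quoted, for comparison: MD5 3DE68324891964BDD2227141474797BB, 725796 bytes.
        print("matches thread report:", matches_report(entry, "3DE68324891964BDD2227141474797BB", 725796))
```

Hashing a known-good copy this way before sending it to a vendor removes the usual "is it the same file?" back-and-forth; the size check catches the common case where a re-zipped or re-downloaded copy differs by a few bytes.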
Shadow
Since: Aug 19, 2009 Posts: 9
Posted: Wed Aug 26, 2009 12:10 pm
Post subject: Re: And 45 days after I sent the worm to AVAST
Archived from groups: per prev. post
On Wed, 26 Aug 2009 06:08:41 -0400, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:
>From: "Shadow" <Sh@dow>
>The answer from VT...
>
>"Well, it seems that there's something weird, as besides Avast, GData also doesn't detect
>it here (using the Avast engine) so it could be a limitation of the command line scanner,
>or maybe they detect it with an AV feature I don't have here "
Uploaded oswnbi.tar.gz to your site. I just picked it up at
the local hospital. AVG is running, fully updated, on the machine I
got it from. This time I booted into linux, tar.gz the file and posted
that. So you can see what the autorun.inf looks like. Notice it has
changed name again.
Virustotal
http://www.virustotal.com/analisis/af8292fc53daeba7bd615d584af77c3d4d6...5a263ec
FWIW
Back to work .....
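Shadow packaged the pendrive contents from Linux as a tar.gz so that the autorun.inf could be examined alongside the executable. As an added example, not code from any poster in this thread, here is a Python helper that pulls an autorun.inf out of such an archive in memory, parses its [autorun] section and reports which entries would cause a program on the removable drive to be launched. The thread does not reproduce the actual autorun.inf, so the one below is a constructed sample following the documented key names (open, shellexecute, icon, action); the file names inside it are placeholders.

```python
import io
import tarfile
from typing import Dict, List, Optional

# Constructed autorun.inf, NOT the one from the thread (the thread does not reproduce it).
# open/shellexecute name a program to run; action supplies the text shown in AutoPlay.
SAMPLE_AUTORUN_INF = (
    "[autorun]\r\n"
    "open=sample.exe\r\n"
    "shellexecute=sample.exe\r\n"
    "icon=%SystemRoot%\\system32\\shell32.dll,4\r\n"
    "action=Open folder to view files\r\n"
)

# Keys whose value is launched automatically or on double-click of the drive.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def parse_autorun(text: str) -> Dict[str, str]:
    """Minimal INI-style parser for the [autorun] section.

    Hand-rolled rather than configparser because real autorun.inf files
    contain '%' (which configparser would try to interpolate), duplicate keys
    and mixed-case section names; keys are lower-cased, last value wins.
    """
    entries: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def assess_autorun(entries: Dict[str, str]) -> List[str]:
    """Return human-readable findings about what the file would cause to run."""
    findings = []
    for key in LAUNCH_KEYS:
        if key in entries:
            findings.append(f"{key}={entries[key]}: program launched from the removable drive")
    if "action" in entries and any(k in entries for k in LAUNCH_KEYS):
        findings.append(f"action='{entries['action']}': AutoPlay text disguises the launch entry")
    return findings


def build_sample_tar(members: Dict[str, bytes]) -> bytes:
    """Constructed tar.gz (in the spirit of the one Shadow posted) holding the given files."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_autorun_from_tar(tar_bytes: bytes) -> Optional[str]:
    """Pull autorun.inf out of a tar.gz in memory without extracting anything to disk."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tf:
        for member in tf.getmembers():
            if member.isfile() and member.name.lower().endswith("autorun.inf"):
                fh = tf.extractfile(member)
                if fh is not None:
                    return fh.read().decode("latin-1")
    return None


if __name__ == "__main__":
    archive = build_sample_tar({
        "pendrive/autorun.inf": SAMPLE_AUTORUN_INF.encode("latin-1"),
        "pendrive/sample.exe": b"not a real program",  # constructed placeholder bytes
    })
    inf = read_autorun_from_tar(archive)
    for finding in assess_autorun(parse_autorun(inf or "")):
        print(finding)
```

Reading the archive from a non-Windows host, as Shadow did, means the autorun.inf is never interpreted by AutoPlay; the parser only tells you what it would have asked the shell to run, which is the useful detail to include when reporting a sample to a vendor.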
David H. Lipman
Since: Jul 04, 2003 Posts: 2116
Posted: Wed Aug 26, 2009 4:39 pm
Post subject: Re: And 45 days after I sent the worm to AVAST
Archived from groups: per prev. post
From: "Shadow" <Sh@dow>
| On Wed, 26 Aug 2009 06:08:41 -0400, "David H. Lipman"
| <DLipman~nospam~@Verizon.Net> wrote:
>>From: "Shadow" <Sh@dow>
>>The answer from VT...
>>"Well, it seems that there's something weird, as besides Avast, GData also doesn't
>>detect
>>it here (using the Avast engine) so it could be a limitation of the command line
>>scanner,
>>or maybe they detect it with an AV feature I don't have here "
| Uploaded oswnbi.tar.gz to your site. I just picked it up at
| the local hospital. AVG is running , fully updated, on the machine I
| got it from. This time I booted into linux, tar.gz the file and posted
| that. So you can see what the autorun.inf looks like. Notice it has
| changed name again.
| Virustotal
| http://www.virustotal.com/analisis/
| af8292fc53daeba7bd615d584af77c3d4d64925a263ec09c06ae34ace36e3bcc-1251300636
| FWIW
| Back to work .....
Got it, thanx !
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Shadow
Since: Aug 19, 2009 Posts: 9
Posted: Wed Aug 26, 2009 8:41 pm
Post subject: Re: And 45 days after I sent the worm to AVAST
Archived from groups: per prev. post
On Wed, 26 Aug 2009 16:39:09 -0400, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:
Sh@dow wrote:
>| Uploaded oswnbi.tar.gz to your site. I just picked it up at
>| the local hospital. AVG is running , fully updated, on the machine I
>| got it from. This time I booted into linux, tar.gz the file and posted
>| that. So you can see what the autorun.inf looks like. Notice it has
>| changed name again.
>| Virustotal
>| http://www.virustotal.com/analisis/
>| af8292fc53daeba7bd615d584af77c3d4d64925a263ec09c06ae34ace36e3bcc-1251300636
>| FWIW
>| Back to work .....
They (virustotal) deleted the link. "Link has expired". WTF?
The older links still work, for the virus I uploaded almost 2 months
ago. Today's link expired and a 2 month old one valid ?
[]'s
>
>Got it, thanx !
Shadow
Since: Aug 19, 2009 Posts: 9
Posted: Wed Aug 26, 2009 9:22 pm
Post subject: Re: And 45 days after I sent the worm to AVAST
Archived from groups: per prev. post
On Wed, 26 Aug 2009 19:49:46 -0400, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:
>From: "Shadow" <Sh@dow>
>
>
>| They (virustotal) deleted the link."Link has expired". WTF ?
>| The older links still work, for the virus I uploaded almost 2 months
>| ago. Today's link expired and a 2 month old one valid ?
>
>
>http://www.virustotal.com/analisis/9903e8a905551f8581941ac53c654be3f2cd8667ae871418dbeb6b5f5b6ff3b8-1251319071
Your file has expired or does not exists.
[]'s
David H. Lipman
Since: Jul 04, 2003 Posts: 2116
Posted: Wed Aug 26, 2009 9:22 pm
Post subject: Re: And 45 days after I sent the worm to AVAST
Archived from groups: per prev. post
From: "Shadow" <Sh@dow>
| On Wed, 26 Aug 2009 19:49:46 -0400, "David H. Lipman"
| <DLipman~nospam~@Verizon.Net> wrote:
>>From: "Shadow" <Sh@dow>
>>| They (virustotal) deleted the link."Link has expired". WTF ?
>>| The older links still work, for the virus I uploaded almost 2 months
>>| ago. Today's link expired and a 2 month old one valid ?
>>http://www.virustotal.com/analisis/
>>9903e8a905551f8581941ac53c654be3f2cd8667ae871418dbeb6b5f5b6ff3b8-1251319071
| Your file has expired or does not exists.
I'll have VT admins look into it.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp