A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #1308  by Jaxryley
 Mon Jun 21, 2010 12:54 pm
hxxp://ad.ghura.pl/dm.exe
dm.exe - Result: 3/41 (7.32%) - Trojan.Win32.Alureon.h (v)
http://www.virustotal.com/analisis/900f ... 1277123868

BSA:
Detailed report of suspicious malware actions:

Defined file type created: C:\Users\Administrator\AppData\Desktop\dm.exe
Detected backdoor listening on port: 0
Detected process privilege elevation
Internet connection: C:\Program Files\Mozilla Firefox\firefox.exe Connects to "202.104.237.103" on port 80 (TCP - HTTP).
Internet connection: C:\Program Files\Mozilla Firefox\firefox.exe Connects to "74.53.201.162" on port 80 (TCP - HTTP).
Listed all entry names in a remote access phone book
Opened a service named: rasman
Opened a service named: Sens
Opened a service named: spooler
Query DNS: li1i16b0.com

Risk evaluation result: High
Pass:
infected

(81.81 KiB) Downloaded 71 times
 #1340  by EP_X0FF
 Sat Jun 26, 2010 1:02 pm
I've tested their SysInspector not so long time ago and it was absolutely unable detect TDL3 presence.

edit: retested - still unable to detect.

p.s.
First page updated to include links for newly posted articles.
 #1341  by nullptr
 Sat Jun 26, 2010 3:19 pm
bytejammer wrote: Does this mean that NOD32 is now able to detect and remove TDL3?
Like most AVs, signature detection but useless as far as removal.
 #1351  by EP_X0FF
 Mon Jun 28, 2010 3:04 pm
Fist page updated to include F-Secure article.

Thanks.
  • 1
  • 17
  • 18
  • 19
  • 20
  • 21
  • 40