System Security: new rogue application

Posted: December 30th, 2008

System Security is a new rogue application. The installer is hosted at http://webnetworksecurity.com (91.211.64.31).

VirusTotal report

File install.exe received on 12.26.2008 17:06:39 (CET)
Current status: finished
Result: 9/39 (23.08%)

Antivirus Version Last Update Result
a-squared 4.0.0.73 2008.12.26 Trojan-Downloader.Win32.Delf!IK
AhnLab-V3 2008.12.25.0 2008.12.26 -
AntiVir 7.9.0.45 2008.12.25 -
Authentium 5.1.0.4 2008.12.25 -
Avast 4.8.1281.0 2008.12.26 -
AVG 8.0.0.199 2008.12.26 Downloader.Generic8.JEE
BitDefender 7.2 2008.12.26 -
CAT-QuickHeal 10.00 2008.12.26 -
ClamAV 0.94.1 2008.12.26 -
Comodo 819 2008.12.26 -
DrWeb 4.44.0.09170 2008.12.26 Trojan.DownLoad.26371
eSafe 7.0.17.0 2008.12.24 Suspicious File
eTrust-Vet 31.6.6276 2008.12.24 -
Ewido 4.0 2008.12.26 -
F-Prot 4.4.4.56 2008.12.24 -
F-Secure 8.0.14332.0 2008.12.26 -
Fortinet 3.117.0.0 2008.12.26 -
GData 19 2008.12.26 -
Ikarus T3.1.1.45.0 2008.12.26 Trojan-Downloader.Win32.Delf
K7AntiVirus 7.10.567 2008.12.26 -
Kaspersky 7.0.0.125 2008.12.26 -
McAfee 5474 2008.12.24 -
McAfee+Artemis 5474 2008.12.24 -
Microsoft 1.4205 2008.12.26 -
NOD32 3718 2008.12.26 -
Norman 5.80.02 2008.12.26 -
Panda 9.0.0.4 2008.12.26 Suspicious file
PCTools 4.4.2.0 2008.12.26 -
Prevx1 V2 2008.12.26 Malicious Software
Rising 21.09.42.00 2008.12.26 -
SecureWeb-Gateway 6.7.6 2008.12.25 -
Sophos 4.37.0 2008.12.26 -
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2008.12.26 AntiVirus2008
TheHacker 6.3.1.4.199 2008.12.23 -
TrendMicro 8.700.0.1004 2008.12.26 PAK_Generic.001
VBA32 3.12.8.10 2008.12.25 -
ViRobot 2008.12.26.1536 2008.12.26 -
VirusBuster 4.5.11.0 2008.12.26 -
Additional information
File size: 62507 bytes
MD5: 837ad70f5f31d73c8162c6368e36b931
SHA1: 64bc9f15425296fce5287896fce43d0fd7f5e730
SHA256: 11c4fb6e09459f47fdda772813d538fd87e42bfeba42722210dee169745009c7
SHA512: d71df45e6882660d90460469f503000bbad49b8a2e74bf8ce5ac38df8d391704aa9f3fa2e7374de9dd17917ab1ec0f655517c4aff3d42acc1ed25f146e24abf9
ssdeep: 1536:a3qCkxP2N3tN2+m2MWlVryZNhlBWWICK/1nouy8AEY5qnXn:a3qDPCnMWbrQhHWlx/toutALInXn
PEiD: -
TrID: File type identification
UPX compressed Win32 Executable (38.5%)
Win32 EXE Yoda's Crypter (33.4%)
Win32 Executable Generic (10.7%)
Win32 Dynamic Link Library (generic) (9.5%)
Win16/32 Executable Delphi generic (2.6%)
PEInfo: PE Structure information

( base data )
entrypointaddress: 0x427620
timedatestamp: 0x49539d7d (Thu Dec 25 14:49:33 2008)
machinetype: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x1a000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x1b000 0xe000 0xd200 7.98 385b94b61c7ced60dbb98325561dec8d
.rsrc 0x29000 0x2000 0x1e00 5.04 fc5aa48f7f65f153c91fd2b9ed4c154b

( 7 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
> advapi32.dll: RegCloseKey
> comctl32.dll: ImageList_Draw
> gdi32.dll: SaveDC
> oleaut32.dll: SysFreeString
> user32.dll: GetDC
> wininet.dll: InternetOpenW

( 0 exports )

Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=EB62194D2BE0752CF45B00F8ABE8AB005081DA2F
packers (F-Prot): UPX_LZMA
packers (Kaspersky): UPX
