Here is a screenshot of the message spreading:
The real URL is being displayed in the status bar.
I personaly used DynDNS some time ago... anyway.
This malware did trigger an alert from:
- Kaspersky
- IE 9 Smart screen filter
But the thing is, Kaspersky was talking about an EXE packer/wrapper. That drew my attention.
So, here we are, let's have a look at the file:
So, yeah, the file is being protected by PKLite32 v1.1!
That's what KAV was saying, allright. But, to me, it is not because a file is being protected or obfuscated by a specific technology, that this file is a malware for sure...
More details to come, I'm investigating that in deep...
BTW, here are the full VT's results
(see https://www.virustotal.com/file-scan/report.html?id=48a93a6d8384c58d07285826a00ff3e8c553676903e59e1273316b32c4dc9af3-1311421202# ):
| Antivirus | Version | Last update | Result |
|---|---|---|---|
| AhnLab-V3 | 2011.07.23.00 | 2011.07.22 | Packed/Win32.Morphine |
| AntiVir | 7.11.12.64 | 2011.07.22 | TR/Spy.Banker.253440.3 |
| Antiy-AVL | 2.0.3.7 | 2011.07.23 | - |
| Avast | 4.8.1351.0 | 2011.07.23 | Win32:Rootkit-gen [Rtk] |
| Avast5 | 5.0.677.0 | 2011.07.23 | Win32:Rootkit-gen [Rtk] |
| AVG | 10.0.0.1190 | 2011.07.23 | PSW.Banker6.AFP |
| BitDefender | 7.2 | 2011.07.23 | Trojan.Generic.6346484 |
| CAT-QuickHeal | 11.00 | 2011.07.23 | - |
| ClamAV | 0.97.0.0 | 2011.07.23 | - |
| Commtouch | 5.3.2.6 | 2011.07.23 | W32/Infostealer.A!Maximus |
| Comodo | 9476 | 2011.07.23 | TrojWare.Win32.TrojanDownloader.Dadobra.~JN12 |
| DrWeb | 5.0.2.03300 | 2011.07.23 | Trojan.DownLoader4.18737 |
| Emsisoft | 5.1.0.8 | 2011.07.23 | Gen.Trojan.TaskDisabler!IK |
| eSafe | 7.0.17.0 | 2011.07.21 | - |
| eTrust-Vet | 36.1.8459 | 2011.07.22 | - |
| F-Prot | 4.6.2.117 | 2011.07.22 | W32/Infostealer.A!Maximus |
| F-Secure | 9.0.16440.0 | 2011.07.23 | Trojan.Generic.6346484 |
| Fortinet | 4.2.257.0 | 2011.07.23 | - |
| GData | 22 | 2011.07.23 | Trojan.Generic.6346484 |
| Ikarus | T3.1.1.104.0 | 2011.07.23 | Gen.Trojan.TaskDisabler |
| Jiangmin | 13.0.900 | 2011.07.22 | Trojan/Hosts2.bd |
| K7AntiVirus | 9.108.4937 | 2011.07.22 | Trojan |
| Kaspersky | 9.0.0.837 | 2011.07.23 | Trojan.Win32.Hosts2.gen |
| McAfee | 5.400.0.1158 | 2011.07.23 | Generic.dx!babe |
| McAfee-GW-Edition | 2010.1D | 2011.07.23 | Generic.dx!babe |
| Microsoft | 1.7104 | 2011.07.23 | Trojan:Win32/Comrerop |
| NOD32 | 6317 | 2011.07.23 | Win32/Qhost.Banker.JE |
| Norman | 6.07.10 | 2011.07.22 | W32/Suspicious_Gen2.NQJPD |
| nProtect | 2011-07-23.01 | 2011.07.23 | Generic.Banker.Delf.1F2FDCDB |
| Panda | 10.0.3.5 | 2011.07.22 | - |
| PCTools | 8.0.0.5 | 2011.07.23 | Spyware.Keylogger!rem |
| Prevx | 3.0 | 2011.07.23 | - |
| Rising | 23.67.04.03 | 2011.07.22 | - |
| Sophos | 4.67.0 | 2011.07.23 | Mal/Behav-180 |
| SUPERAntiSpyware | 4.40.0.1006 | 2011.07.23 | - |
| Symantec | 20111.1.0.186 | 2011.07.23 | Spyware.Keylogger |
| TheHacker | 6.7.0.1.260 | 2011.07.22 | - |
| TrendMicro | 9.200.0.1012 | 2011.07.23 | TROJ_COMREROP.AA |
| TrendMicro-HouseCall | 9.200.0.1012 | 2011.07.23 | TROJ_COMREROP.AA |
| VBA32 | 3.12.16.4 | 2011.07.22 | suspected of Unknown.Win32Virus |
| VIPRE | 9939 | 2011.07.23 | Trojan.Win32.Generic!BT |
| ViRobot | 2011.7.23.4585 | 2011.07.23 | - |
| VirusBuster | 14.0.134.1 | 2011.07.22 | - |
| MD5: bcd76d2daa826d9737e2d63025ed03fc |
| SHA1: 8925af7ea3dba240087049ee3a2017b734d98264 |
| SHA256: 48a93a6d8384c58d07285826a00ff3e8c553676903e59e1273316b32c4dc9af3 |
| File size: 253440 bytes |
| Scan date: 2011-07-23 11:40:02 (UTC) |
As we can see, generic/heuristic/genotype signature technologies tend to prove their efficiency.
ThreatExpert does confirm Kaspersky detects PkLite32 compression: http://www.threatexpert.com/report.aspx?md5=bcd76d2daa826d9737e2d63025ed03fc
More to come...
