28 May 2008

Trojan:Win32/Vundo.gen!I

Lavasoft Ad-Aware 2008 updated today -> Product sucks!
Avira updated today -> Product sucks!
Norman updated today -> Product sucks!
BitDefender updated today -> Product sucks!
Avast updated today -> Found some files (incomplete, no removal)
Kaspersky updated today -> Found nothing
NOD32 updated today -> Found nothing

The antivirus products above are good at false positive detection (30%), but what is their real virus detection rate? Sorry, but a 5 or 10 year licence helps nothing if the product doesn't protect, or should it only protect you from using keygens? Because of missing unpacking features to scan packed EXE, DLL and OCX files and protected archives, they show the user a false positive as an active real virus, while "new" (in fact relatively old, 2 weeks to maybe 1 year old) viruses cannot be found.
It's 2008 and some antivirus programs still cannot unpack and scan files protected with an EXE/DLL packer or protector.

None of the above scanners do a full scan inside commercial EXE and binary packers such as Armadillo etc., because these packers are used in commercial software to protect against unpacking! The tolerance of the AV firms for skipping deeper scans inside Oreans Themida, ASPack and co. (anti-hack, anti-unpack packers/protectors) seems to be high, as can be seen again and again; here there are a lot of viruses inside Armadillo files.

With freeware packers such as XComp by JoKo, some AVs show packed files as a virus, a clear false positive: the signature and imagebase were taken once from an infected file compressed with this packer and added to the virus database! All files packed with XComp that do not contain any virus will be shown as false positives if the AV cannot unpack them and just skips them with the note "virus found". Some may do this with every non-commercial or non-open-source compressor/packer and clean up the hard disk without any reason. Lazy AV firms do not build proper unpacking modules to scan inside all compressed EXE and DLL files!!! Customer feedback only helps to add a newly found possible virus. I know certain email scan modules I will never activate, nor any preset auto-submission. Maybe the whole software inventory list including IP identification ends up at "some company" and I do not know what else they do with it. The storage devices are my privacy, not for any analytics, marketing etc.
Setup makers like Inno, NSIS, 7zip-based SFX and all kinds of zip, rar, ace and co. archives can be scanned, but can the scanner clean a file out of an archive, or leave the archive unpacked after scanning so the user gets the option to rar/zip it himself and pick out only the infected file before quarantine, instead of deleting the whole archive as the only option?

Windows Defender -> found nothing

Microsoft Windows Live OneCare -> found Trojan:Win32/Vundo.gen!I


Distribution: torrent sites / trackers
Files: antivirus and antispyware cracks, downloaded via torrents and file-share hosters
Sample: http://www.2oak.com/search?q=Adaware+2008+Pro+torrent
http://www.btmon.com/file/Lavasoft.Ad-Aware.2008.Pro.v7.1.0.8-MKDEV.TEAM.7z
http://www.onlytorrents.com/torrent/lavasoft-ad-aware-2008-pro-v7-1-0-8:2d926daaa3387507bc6a14adf748ee4e09a84a1c
http://www.mininova.org/det/1450481
It looks like every second torrent from there is infected: http://www.mininova.org/sub/22/added
Possibly this is the same virus pack as the user reports in the comments; it is the same on the file-share hosters too.

BitDefender new cracks/keygens
Kaspersky black-to-whitelist patch/crack
NOD32 patches

Ad-Aware Pro/Plus crack and setup file:
1. aaw2008plus.exe, 16.70 MB (seen in sizes from 16 to 20 MB). 2. CRACK.MKDEV.TEAM/lavalicense.dll, 425.33 KB...
Lavasoft.Ad-Aware.2008.Pro.v7.1.0.8-MKDEV.TEAM\aaw2008plus.exe
with its created Temp\IXP000.TMP\0000000002.exe
(0000000001.exe, 0000000002.exe)
by running the aaw2008plus.exe installer!

DVDFab 5.x + Crack .rar -> Vundo Generic


Many more on torrent sites and file-share hosters; just download them and upload-scan them at virustotal.com.

Example: entry for Winlogon.exe via an infected DLL, file efccCtrs.dll
PEiD..: Armadillo v1.xx - v2.xx
File 2: ssqPFvUn.dll
http://www.virustotal.com/gr/analisis/9a8cca76c8eb6ffdb119588a76b28ef5
File 3: wvUoNGvW.dll
http://www.virustotal.com/sl/analisis/e32612482b387d982a26d26d01b0a581
...
Creates randomly named DLL files in windir\system32 with a file size of 33920 bytes.

Report:
http://www.virustotal.com/de/analisis/d72bd3a90c53dfc9692b8323644aed27
Another one with PECompact:
http://www.virustotal.com/de/analisis/b7d40621df8b33a41a6306a46d19297d
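The indicators listed above (8-letter mixed-case DLL names such as efccCtrs.dll, ssqPFvUn.dll and wvUoNGvW.dll, a fixed size of 33920 bytes, and a packed image that PEiD reports as Armadillo or PECompact) can be turned into a quick triage check for a system32 folder. The script below is an added example, not code from the post: it parses the PE section table, measures each section's Shannon entropy as a packer indicator, and combines that with the name and size rules. The 7.0 bits/byte threshold is an assumption of this example, and the three DLLs it writes into a temporary directory are constructed test images, not samples from the post.

```python
import math
import os
import random
import re
import struct
import tempfile

# Indicators taken from the post: 8-letter mixed-case names (efccCtrs.dll, ssqPFvUn.dll,
# wvUoNGvW.dll), exactly 33920 bytes, packed (PEiD: Armadillo / PECompact).
# The entropy threshold is an assumption of this example, not a figure from the post.
VUNDO_SIZE = 33920
RANDOM_NAME = re.compile(r"[A-Za-z]{8}\.dll$", re.IGNORECASE)
PACKED_ENTROPY = 7.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; packed or encrypted data sits near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(data: bytes):
    """Yield (name, raw bytes) per section of a PE image; yields nothing for non-PE data."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        return
    nsec = struct.unpack_from("<H", data, pe + 6)[0]         # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]    # SizeOfOptionalHeader
    table = pe + 24 + opt_size                               # first IMAGE_SECTION_HEADER
    for i in range(nsec):
        off = table + 40 * i
        if off + 40 > len(data):
            return
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        yield name, data[raw_ptr:raw_ptr + raw_size]

def inspect_file(path: str) -> list:
    """Return the Vundo-style indicators matching one file (empty list = nothing odd)."""
    reasons = []
    stem = os.path.basename(path)[:8]
    if RANDOM_NAME.match(os.path.basename(path)) and stem not in (stem.lower(), stem.upper()):
        reasons.append("random mixed-case 8-letter name")
    if os.path.getsize(path) == VUNDO_SIZE:
        reasons.append(f"size {VUNDO_SIZE} bytes")
    with open(path, "rb") as f:
        data = f.read()
    ent = max((shannon_entropy(raw) for _, raw in pe_sections(data)), default=0.0)
    if ent >= PACKED_ENTROPY:
        reasons.append(f"packed section (entropy {ent:.2f})")
    return reasons

def hunt(directory: str, min_hits: int = 2) -> list:
    """Scan every *.dll in a directory; report files with at least min_hits indicators."""
    hits = []
    for entry in sorted(os.listdir(directory)):
        if entry.lower().endswith(".dll"):
            reasons = inspect_file(os.path.join(directory, entry))
            if len(reasons) >= min_hits:
                hits.append((entry, reasons))
    return hits

def make_pe(section: bytes) -> bytes:
    """Build a minimal one-section PE32 image (constructed test data, not a real DLL)."""
    hdr_len = 64 + 4 + 20 + 224 + 40    # DOS stub + "PE\0\0" + COFF + optional + section hdr
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 222
    sect = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(section), 0x1000, len(section), hdr_len, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + opt + sect + section

def write_constructed_samples(directory: str) -> None:
    """Constructed samples: one Vundo-like DLL, one benign DLL, one that is only oddly named."""
    rng = random.Random(1)
    packed = bytes(rng.getrandbits(8) for _ in range(VUNDO_SIZE - 352))  # pseudo-random = "packed"
    samples = {
        "efccCtrs.dll": make_pe(packed),                                  # all three indicators
        "wintrust.dll": make_pe(b"\0" * 4000 + b"mov ebp, esp\n" * 300),  # ordinary low entropy
        "ssqPFvUn.dll": make_pe(b"A" * 1000),                             # odd name only
    }
    for name, image in samples.items():
        with open(os.path.join(directory, name), "wb") as f:
            f.write(image)

def demo():
    """Write the samples to a temp dir; return ({name: reasons}, hunt() result)."""
    with tempfile.TemporaryDirectory() as d:
        write_constructed_samples(d)
        per_file = {e: inspect_file(os.path.join(d, e)) for e in sorted(os.listdir(d))}
        return per_file, hunt(d)
```

Pointing hunt() at a real C:\WINDOWS\system32 lists only files that match two of the three indicators, so a lowercase 8-letter system DLL or a legitimately packed installer helper shows up only when it also has the Vundo size or an odd name. Entropy alone is not proof of infection: anything protected with Armadillo, Themida or ASPack scores high, which is exactly the blind spot the post complains about in the scanners.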

Active for more than 2 weeks, and all AV products' early warning systems failed. MS Live OneCare was the only one that found Vundo and all its possible variations the whole time.





Kill the DLL by terminating the running processes it is attached to (in the process view); unneeded processes, just stop and terminate them! Shut down the GUI and go to the DOS command line. Now you can delete the infected files! If nothing helps, reboot with any boot CD, browse to the file and remove it. Check the content of the System Restore folder, ...

Latest Live OneCare: http://origin.dogfood.windowsonecare.com/cli/latest/setuponecare.exe
Homepage: http://www.windowsonecare.com/
Discussion Forum: http://forums.microsoft.com/WindowsOneCare/default.aspx

Related links:
Process Explorer
Microsoft Windows Live OneCare Safety Scanner
TrendMicro™ HijackThis™ Version 2.0.2
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis
Spybot-S&D
http://www.safer-networking.org/en/download/index.html

If you are on a home workstation PC and can reboot, Live OneCare cleans it 100%. It's free to download; 224 days of updates are included with a Live account, later ~30 Euro/year for 3 or 5 PCs.
Together with Spybot-S&D it's fixed after a reboot! Clean the remains in the registry manually (there are no targets anymore that they point to).
Some of the remaining cleanup can be done with CCleaner v2.07.588 - Portable or Slim (both builds are without the toolbar) from: http://www.ccleaner.com/download/builds
for example:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\OpenWithList
ActiveX/COM issue: HKCR\CLSID\{96134ABB-AD7C-4135-A927-329B735D524F}\InProcServer32 -> C:\WINXP\system32\efccCtrs.dll
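The leftover CLSID registration above is the kind of entry CCleaner's ActiveX/COM check reports: an InProcServer32 default value that still names a DLL which no longer exists on disk. The script below is an added example, not code from the post or from CCleaner: it parses a .reg export (for instance from `reg export HKCR\CLSID clsid.reg`) and lists every InProcServer32 whose DLL path is gone. The export text embedded in it is constructed for this example; it reuses the CLSID and path from the post next to a made-up legitimate shell32 registration, and the "still on disk" set replaces os.path.exists so the check runs offline.

```python
import re

# Constructed .reg export for this example (not from the post): the CLSID/InProcServer32
# registration the post lists, pointing at the now deleted efccCtrs.dll, next to a
# registration whose DLL still exists.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{96134ABB-AD7C-4135-A927-329B735D524F}]
@="efccCtrs"

[HKEY_CLASSES_ROOT\CLSID\{96134ABB-AD7C-4135-A927-329B735D524F}\InProcServer32]
@="C:\\WINXP\\system32\\efccCtrs.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32]
@="C:\\WINXP\\system32\\shell32.dll"
"ThreadingModel"="Apartment"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
# name=value where name is @ (default value) or a quoted string. Only REG_SZ values are
# handled; hex(2) expand strings such as %SystemRoot%\... and dword: values are skipped.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")$')

def unquote(s: str) -> str:
    """Strip the surrounding quotes and undo .reg backslash escaping."""
    return re.sub(r"\\(.)", r"\1", s[1:-1])

def parse_reg(text: str) -> dict:
    """Parse a .reg export into {key path: {value name: string}}; "" is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else unquote(m.group(1))
            keys[current][name] = unquote(m.group(2))
    return keys

def orphaned_inproc_servers(reg: dict, exists) -> list:
    """Return (CLSID key, DLL path) for every InProcServer32 whose DLL no longer exists."""
    orphans = []
    for key, values in reg.items():
        if not key.upper().endswith("\\INPROCSERVER32"):
            continue
        dll = values.get("", "")
        if dll and not exists(dll):
            orphans.append((key.rsplit("\\", 1)[0], dll))
    return orphans

def demo() -> list:
    """Run the check against the constructed export; on a live box pass os.path.exists."""
    still_on_disk = {r"C:\WINXP\system32\shell32.dll"}   # constructed: efccCtrs.dll was removed
    return orphaned_inproc_servers(parse_reg(SAMPLE_REG), lambda p: p in still_on_disk)
```

Because expand-string values are skipped, treat the result as a list of candidates to look at in HijackThis or regedit, not as proof that every other registration is fine; and delete the orphaned CLSID keys only after the DLL itself is gone, otherwise the next reboot loads it again.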


After a system reboot the startup time will be longer than before. Run HijackThis and remove the last startup entry:


That's it, you are done!
=====================================================================================
I'm very angry; it's the 5th time I used another antivirus and the protection failed. It can't clean, but it's not too bad: it at least gave an alert on a few files. After that I saw a running batch process in a DOS box, the wallpaper background replaced with a fake message, a screensaver installed, and it looked like much more, something like some player bundled with the install pack I ran, and lots of new files in the Windows system dir. Sure, I don't wait any longer when it feels like something has happened, and begin to stop running processes ASAP, including opening Process Explorer and searching all running DLLs to terminate them. Small tools like HijackThis would not execute anymore; the desktop background was changed. I know the system dir very well. What ends up there and has no business being there: no new DLLs, EXEs or files other than the OS and "known" files, or it's a bad program installer if it places files in a subfolder of the \windows main dir. The temp folder should be the last moment for an installer, when the AV blocks it before it moves out.
One more time it's the day to trash an AV product because it did not protect. I no longer believe what the other AV scanners show as possibly found viruses beyond what MS Live OneCare already finds. It can all be false positives. I know that some scanners just don't want to support unpacking and scanning EXE packers like XComp, FSG, MEW, Dwing UPack, PETITE and many more (Norman, BitDefender, Ikarus, Rising...). The unpacking engine of an AV must work. About this I'm sure MS did a great job. Besides that, if it's a real trojan it must be visible in the incoming/outgoing connection log to the net. Ikarus has a nice lexicon of all packers it cannot unpack and lists as viruses; all files packed with them begin at positions 2099 to 2103 and continue from 2173 to 2187: http://lexikon.ikarus.at/cgi-bin/lexikon.pl?lang=de&search_next=2000&search_letter=p Yoda and Themida included.

For those who like ads all around, Vundo can put on a never-ending show.

Shit, it took me nearly one hour until it was finally completely removed. To be sure, wipe clean the free space + System Restore. Check all files in the Windows subfolders again to see that they are not modified (file info, versions, manufacturer names, file properties) so that there is really nothing left (screensaver files include DLL, OCX, EXE, SYS...). Run a baseline analyzer or things like that to get an overview. Avast AV has a great list of all files in those folders by vendor name, version etc., so you see what is what, what is garbage and what is in use or not.
I knew that Vundo comes in all possible kinds with EXE/DLL packers (*PE packed, ASPack, Themida, ...), sometimes done with a binder, in a CAB renamed as one EXE, 2 EXEs inside one, the real program started by the virus EXE, ... It has been spreading for a while, but I never saw it in installer packs, so I did not upload 7 to 14 MB and more in one EXE to VirusTotal to check it before executing it, and I didn't have MS Live OneCare installed on this PC.

Powered By Blogger. Creative Commons Attribution-Noncommercial-No Derivative Works 1.0 Generic