Thursday, June 11, 2009

New malware detected!

Received a virus on Tuesday and did a simple behaviour analysis. It seems to be a relatively new virus, as major AV tools (such as McAfee, TrendMicro, Kaspersky, F-Secure, ...) were not able to detect it.

File: 1.exe
Size: 1033728
MD5: 19AB525B9AF6CBB40F428115E8148522
Virus Found: Trojan.Dropper (Symantec), Win32/Heur (AVG), TR/Crypt.FKM.Gen (AntiVir), Mal/EncPk-EE (Sophos)

On the VirusTotal website, only 20 out of 40 AV detected it (details).

The Trojan will modify the PCIDump service and add several .sys files, such as acpiec.sys, into your C:\Windows\system32 folder. It will also copy itself and add an autorun.inf to C:\. Phpi.dll will be added to the C:\Windows folder.

It changes the Hosts file and tries to connect to www.cvbasefwdase.cn via HTTP to download other files, most likely additional malicious payloads.
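The indicators above (a modified Hosts file, an autorun.inf at the drive root, the dropped acpiec.sys and Phpi.dll, the published MD5) are exactly what a responder checks for on other machines. The script below is an added example, not code from the original post or its author: it parses a hosts file and flags entries that a stock Windows install does not have, reads the launch target out of an autorun.inf, matches a file's MD5 against the published hash, and looks for the dropped file names. The hosts and autorun.inf contents and the 203.0.113.10 address are constructed sample inputs, not captured from the real sample.

```python
"""Triage helpers for the indicators in this post. Added example; the sample
inputs below are constructed so that the script runs offline."""
import hashlib
import re

# Indicators taken from the post itself.
KNOWN_MD5 = "19AB525B9AF6CBB40F428115E8148522"
DOWNLOAD_DOMAIN = "www.cvbasefwdase.cn"
DROPPED_FILES = {"acpiec.sys", "phpi.dll", "autorun.inf"}

# The only entries a stock Windows hosts file carries; anything else deserves a look.
STOCK_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def unexpected_hosts_entries(text):
    """Entries that are not part of a stock hosts file; edits by a dropper show up here."""
    return [e for e in parse_hosts(text) if e not in STOCK_HOSTS]


def parse_autorun_inf(text):
    """Parse the [autorun] section of an autorun.inf into a lower-cased key -> value dict."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values


def autorun_launch_target(text):
    """The program an autorun.inf would launch (open= or shellexecute=), or None."""
    values = parse_autorun_inf(text)
    return values.get("open") or values.get("shellexecute")


def md5_matches(data, known_hex=KNOWN_MD5):
    """True if the MD5 of the file bytes equals the published hash (case-insensitive)."""
    return hashlib.md5(data).hexdigest().lower() == known_hex.lower()


def triage(hosts_text, autorun_text, file_names):
    """Collect the findings from one machine as human-readable lines."""
    findings = []
    for ip, name in unexpected_hosts_entries(hosts_text):
        tag = "download domain pinned in hosts" if name == DOWNLOAD_DOMAIN else "unexpected hosts entry"
        findings.append(f"{tag}: {ip} {name}")
    target = autorun_launch_target(autorun_text)
    if target:
        findings.append(f"autorun.inf launches: {target}")
    for fn in file_names:
        if fn.lower() in DROPPED_FILES:
            findings.append(f"known dropped file present: {fn}")
    return findings


# Constructed sample inputs (not taken from the analysed sample).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.10    www.cvbasefwdase.cn   # constructed entry
"""
SAMPLE_AUTORUN = """[autorun]
open=1.exe
shell\\open\\Command=1.exe
"""
SAMPLE_FILES = ["ntoskrnl.exe", "acpiec.sys", "Phpi.dll"]

if __name__ == "__main__":
    for line in triage(SAMPLE_HOSTS, SAMPLE_AUTORUN, SAMPLE_FILES):
        print(line)
```

On a real machine you would feed `triage()` the contents of `C:\Windows\System32\drivers\etc\hosts`, `C:\autorun.inf` and a directory listing of `C:\Windows` and `C:\Windows\system32`; `md5_matches()` takes the raw bytes of any suspect file. Comparing against the stock entries rather than against a blocklist means the check also surfaces hosts edits the post does not list.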

For more details on my findings, visit W01f Labs - Malware Analysis: Trojan.Dropper
