xp antivirus



dj.turkmaster
2008-09-01, 01:54
10 minutes ago I downloaded a new variant of xp antivirus and it is not detected by Spybot, Antivir or ClamAV :( . But I can't send these files over Gmail even though I have zipped them and set a password on the zip file. It looks impossible for me to send the samples to Spybot. I have tried to send other undetected samples before but again I wasn't able to :( Please advise.

Happy-Dude
2008-09-01, 06:15
Darn, this is pretty tough rogue malware. (Why the heck did you download the variant without reading user experiences first :sad: !!)

Alright, this is gonna take some major steps.

Follow http://forum.avast.com/index.php?topic=38157.msg319553#msg319553 for some info on removing it. There is a blog link that I posted there that has more manual removal things.

Also follow http://forum.avast.com/index.php?topic=38254.0

If you can, (I dunno if you can do it on Safer-Networking forums,) post a HiJackThis log.
Please do NOT post hjt logs in the Spybot forum (http://forums.spybot.info/showthread.php?t=1266)

Post back ASAP. This new variant is really difficult for anti-malware to remove.

tashi
2008-09-01, 07:03
Hello Happy-Dude,

"BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

As you will see, we do not encourage members to apply fixes given to another user. ;) All help in the malware forum is provided one on one.

FYI, dj.turkmaster is collecting files for our detectives' attention.

Cheers.

dj.turkmaster
2008-09-01, 12:30
Happy-Dude:
I am also a HijackThis analyzer :) I didn't get infected, I only have the sample.

Tashi:
When we discussed this xp antivirus malware in our forums we saw that there are lots of variants of this malware. For example, my friend has 3 samples and these are the VirusTotal results:
http://www.virustotal.com/tr/analisis/f3f4acaf7d85ae40d24028551e9ec507
http://www.virustotal.com/tr/analisis/6330ceb7fc47b8b38e0f55cf7215387d
http://www.virustotal.com/analisis/92fd3aeb80e0f3279c46e5b5e7eb807e

and this is the one which I downloaded last night:
http://www.virustotal.com/tr/analisis/6111f145c4fed225fcdf86f9e76b86b1

Any advice on how I can send these samples to the detectives?

tashi
2008-09-01, 17:59
Hi dj.turkmaster,

But I can't send these files over Gmail even though I have zipped them and set a password on the zip file.

Is Gmail preventing you from sending the files, or is Gmail not being accepted at our end?

dj.turkmaster
2008-09-01, 18:25
Hi Tashi,
It gives an error saying "setup.zip contains an executable file. For security reasons gmail does not allow you to send this type of file".
As I have said before, it is zipped and password protected, and inside the zip there is an .exe file.

tashi
2008-09-01, 19:01
Hi there,

You don't have another email address you can use other than Gmail? :)

dj.turkmaster
2008-09-01, 19:21
I only have Gmail, tashi. But now I have sent the mail by using my brother's Hotmail address. I didn't want to use his address. Well, whatever, I have sent it. :) I also scanned the while at VirusTotal, virscan.org and Jotti. Do you get samples from there, and even if you get the samples, is sending the file directly to detections(at)spybot.info a better way?

tashi
2008-09-01, 19:40
Hello, :)

Vendors share certain lists, but a detective would be the best one to answer your question so I left a message for their attention.

Cheers.

dj.turkmaster
2008-09-01, 20:01
I only have Gmail, tashi. But now I have sent the mail by using my brother's Hotmail address. I didn't want to use his address. Well, whatever, I have sent it. :) I also scanned the while at VirusTotal, virscan.org and Jotti. Do you get samples from there, and even if you get the samples, is sending the file directly to detections(at)spybot.info a better way?

while=file btw :D I don't know why I wrote it like that :D
Well, thanks for your help, tashi. I think I will have to use my brother's mail address for sending samples from now on.

Happy-Dude
2008-09-01, 22:31
Ah I understand now. Sorry about that, then ;) .