Known malware allowed to run

Retired

I have a malware sample on my desktop named install_cn.exe which is
detected by Microsoft as TrojanDownloader:Win32/Small.ZZB (this is from
a Virustotal result - see below). Using Sandboxie, I executed the file
and Windows Defender did nothing to stop it. Is this normal behaviour
for WD? Thanks for your help.

Virustotal result:
www.virustotal.com/analisis/9e2cae813e8514ecf61e19f92829811c

Result: 7/32 (21.88%)

File install_cn.exe received on 02.11.2008 00:28:41 (CET)
Antivirus Version Last Update Result
Avast 4.7.1098.0 2008.02.10 Win32:Agent-LTS
AVG 7.5.0.516 2008.02.10 Downloader.Zlob
ClamAV 0.92 2008.02.10 Trojan.Dropper-4103
DrWeb 4.44.0.09170 2008.02.10 Adware.Supa
Kaspersky 7.0.0.125 2008.02.11 not-a-virus:AdWare.Win32.Vapsup.azp
Microsoft 1.3204 2008.02.10 TrojanDownloader:Win32/Small.ZZB
VBA32 3.12.6.0 2008.02.10 suspected of Downloader.Zlob.7

Additional information
File size: 361158 bytes
MD5: 7242e876564fdb008db749710fc87a92
SHA1: c1c6e287c47d744d8d549a0c81a065a5ce133037
PEiD: -

Retired

Thanks for your reply, Dave. Perhaps my post was not as complete as it
should have been. This malware is detected and deleted by a WD scan. I
then extracted a copy from a password protected zip archive and ran it
sandboxed. According to the comparison chart in your last link, WD
"helps protect" against such malware, but did not stop it from running.
I do not understand this behavior. What is meant by "helps protect"?

Just to be certain, I ran another quick scan and the file was detected
and deleted again.

Dave M

I'm not a Sandboxie user, so correct me if I'm wrong here, but wouldn't the
detecting/removing application also have to be running within the sandbox
for it to work? Otherwise, I would think the sandboxed malware is isolated
entirely from the real system where Defender normally runs, since you're only
running a copy, and any security application that can do the detection
normally should never see it, let alone remove it. Actually, I'm somewhat
surprised that Defender picks it up at all even outside the sandbox, as the
Malware Protection Center specifically refers to the anti-virus engine
detection, not to Defender the anti-spyware engine.

http://www.microsoft.com/security/portal/Entry.aspx?ThreatId=-2147367411

Do any of your other security apps nab it in the sandbox or only in the
real world?

The SandBoxie forums may have a better handle on your question because
almost everyone with a modern Operating System has Defender, and not so
many have SandBoxie to be able to answer knowledgeably.

Retired

Good morning, Dave! :)

I have AntiVir free which now nails this nasty on access after a
signature update this morning from Avira. Just for fun, I switched off
AntiVir's real-time protection and ran the trojan sandboxed once again.
Comodo firewall once again did its job of stopping the suspicious file
activity pending a decision from me. I then switched AntiVir real time
protection back on which instantly alerted me to the trojan within the
sandbox and attempted to delete it. The thing kept re-creating itself
and AntiVir kept deleting it. WD did nothing. I killed the whole
process in the sandbox.

Now hold onto your chair. After setting Comodo to paranoid mode, I
executed the trojan without using Sandboxie or AntiVir real time
protection. WD did nothing, Comodo suspended it pending a response from
me, I killed it using Process Explorer.

Now that Sandboxie has been taken out of the picture, only the question
of WD's protection remains. I installed WD "complete" with default
settings, real time protection on. I was hoping it would provide
protection for what AntiVir misses, but perhaps I am not understanding
how it is supposed to work.

I also checked the link to Microsoft below and do not see where the
"Malware Protection Center specifically refers to the anti-virus engine
detection, not to Defender the anti-spyware engine."

Thanks for your input on this matter.

Dave M

Let me ask if your Windows Defender icon is always shown in the System
Tray notification area. I had someone report a while ago that he never got
WD real-time notifications, so I had him run the EICAR non-malignant test
file, which Defender should pick up in real time (any anti-virus will detect
it also, so he had to disable his A-V). Still he got no bubble alert from
Defender, but when he selected ALWAYS show the notification area icon on
the WD options window (scroll down), the red warning bubble alert popped up
from real-time Defender. You may want to run the EICAR test yourself to
make sure real-time alerts display... visit http://eicar.org , download the
68 byte file eicar.com.txt, and copy it to your startup folder. Your AV
solution (that you should be running *IN ADDITION* to Windows Defender)
will also pick it up.

Here's the malware protection center blurb with the referenced engine in
CAPS...
Summary
This threat is classified as a Trojan - Downloader. A downloader trojan
accesses remote websites in an attempt to download and install malicious or
potentially unwanted software. Some downloader trojans target specific
files on remote websites while others may target a specific URL that points
to a website containing exploit code that may allow the site to
automatically download and install software or malicious code on vulnerable
systems. THIS THREAT IS DETECTED BY THE MICROSOFT ANTIVIRUS ENGINE.
Technical details are not currently available.

Retired

Good points, Dave. I should have thought of that eicar test myself. I
did in fact have the WD icon set to be always shown in the Systray.

Anyway, I made the decision to uninstall WD and AntiVir and install AVG
which has a better scanning engine apparently. When AntiVir scanned the
container executable install_cn.exe, nothing was detected. However,
when I extracted the files within using 7zip, AntiVir detected one of
the files as a trojan. AVG detects the container and several files
within as trojans, so I think I have a better AV installed today than
yesterday. If you like, I can pm you the download link for the malware
file and you can test it yourself. The file changes several times a day
to avoid detection by most AVs.

Thanks again for your time and effort.

Dave M

Another thing to consider: there are so many compression routines available
that I don't think they will all be covered or licensed by any one
security application. In addition to the standard RAR and ZIP formats that
everyone can unpack there are all the packaging formats both commercial and
freeware that could potentially hold undetectable malware. For example
Javacool uses the uncommon ARMADILLO for SpywareBlaster and that
installation package had to be totally skipped during a scan by the A-V
that I had been using. Even quarantined files can be compressed with
proprietary algorithms that are for the most part not able to be unpacked
or examined correctly when sent to the multi-scanners Virus Total or Jotti
(thanks again for that experiment Alan).
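The two posts above make the same practical point: the hash of a container (or packed installer) says nothing about the files inside it, so each member has to be extracted and hashed separately before it can be looked up or submitted. The script below is an added illustration, not code from the thread or from any scanner; it builds a constructed benign ZIP-inside-a-ZIP as a stand-in for install_cn.exe, walks it recursively with depth and size caps (so a crafted archive cannot exhaust the machine), and reports the MD5/SHA1 pair for the container and for every member.

```python
import hashlib
import io
import zipfile

# Caps on nesting depth and inflated member size: a crafted archive (deeply
# nested or highly compressible) must not exhaust the analysis host.
MAX_DEPTH = 4
MAX_MEMBER_BYTES = 50 * 1024 * 1024


def hash_bytes(data):
    """Return (md5, sha1) hex digests, the two hashes the VirusTotal report lists."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def walk_archive(data, path="container", depth=0):
    """Yield (path, md5, sha1) for a blob and, if it is a ZIP, for every member,
    recursing into ZIPs-within-ZIPs up to MAX_DEPTH levels."""
    md5, sha1 = hash_bytes(data)
    yield path, md5, sha1
    if depth >= MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                # Record the member but refuse to inflate it.
                yield f"{path}/{info.filename} (skipped: too large)", "", ""
                continue
            yield from walk_archive(zf.read(info), f"{path}/{info.filename}", depth + 1)


def build_sample():
    """Constructed stand-in for install_cn.exe: an outer ZIP holding a text file
    plus an inner ZIP that holds another text file. Entirely benign."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.txt", "inner member (constructed sample)")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "outer member (constructed sample)")
        zf.writestr("nested.zip", inner.getvalue())
    return outer.getvalue()


def inventory(data):
    """Return the (path, md5, sha1) tuples for the blob and all nested members."""
    return list(walk_archive(data))
```

Running `inventory(open("sample.zip", "rb").read())` on a real archive gives one hash pair per inner file, which is what a multi-scanner needs when it cannot unpack the container itself.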

Dave M

Hi Ron;

Substitute the appropriate number/symbol for the CAPs in my munged email
addy, and that should work.

Alan D

Dave M wrote:

Even quarantined files can be compressed with
proprietary algorithms that are for the most part not able to be unpacked
or examined correctly when sent to the multi-scanners Virus Total or Jotti
(thanks again for that experiment Alan).

Well, that raised a smile. My pleasure, Dave. I just need to think of
another few thousand similar experiments and then I might have a chance of
catching up with the number of times you've helped me!