New trojan


  1. Posts : 8,476
    Windows® 8 Pro (64-bit)
       #1

    New trojan


    Hi, there's this new trojan which I found on a website.
    Its filename is Bookmark.exe.
    Strange is that only 22/40 anti malware engines were able to detect it.
    Currently, I was trying Norton 360 beta 4 which has failed to detect it.
    So far, this trojan has changed my IE8 homepage. Not sure what else it will do.

    Here's the Virustotal link about the file analysis :
    Virustotal. MD5: edc631287a36a3b91990ec4f90fd7dc2 Trojan.Pasta.dyq Generic.Malware.sp!.20613D67 Generic.Malware.sp!.20613D67


    Edit: I ran a quick scan from Vipre AV and it has detected everything of this trojan.
    Also, this trojan tried to execute itself and Vipre detected it.
    Last edited by Dinesh; 09 Nov 2009 at 14:42. Reason: added info


  2. Posts : 341
    Windows 7 Home Premium x32 SP1
       #2

    Dinesh said:
    Hi, there's this new trojan which I found on a website.
    Its filename is Bookmark.exe.
    Strange is that only 22/40 anti malware engines were able to detect it.
    Currently, I was trying Norton 360 beta 4 which has failed to detect it.
    So far, this trojan has changed my IE8 homepage. Not sure what else it will do.

    Here's the Virustotal link about the file analysis :
    Virustotal. MD5: edc631287a36a3b91990ec4f90fd7dc2 Trojan.Pasta.dyq Generic.Malware.sp!.20613D67 Generic.Malware.sp!.20613D67


    Edit: I ran a quick scan from Vipre AV and it has detected everything of this trojan.
    Also, this trojan tried to execute itself and Vipre detected it.
    Yes, you see now why AV never reaches 100% in detection of new malware - this is also what I was talking about in this post: https://www.sevenforums.com/366139-post8.html

    BTW, a score of 22/40 isn't so bad; what if you catch a virus which was created a few hours/weeks ago with an AV detection rate equal to... 0/40 or 4/39... like in this example: Virustotal. MD5: 5a34fd85bdac65d50a56a2c69228a726 Packed.Generic.187 VirTool:Win32/Obfuscator.EF High Risk Fraudulent Security Program

    Your protection should start from the first, very important layer:
    1. Prevention
    then... detection and then cure.


  3. Posts : 8,476
    Windows® 8 Pro (64-bit)
    Thread Starter
       #3

    Creer said:
    Dinesh said:
    Hi, there's this new trojan which I found on a website.
    Its filename is Bookmark.exe.
    Strange is that only 22/40 anti malware engines were able to detect it.
    Currently, I was trying Norton 360 beta 4 which has failed to detect it.
    So far, this trojan has changed my IE8 homepage. Not sure what else it will do.

    Here's the Virustotal link about the file analysis :
    Virustotal. MD5: edc631287a36a3b91990ec4f90fd7dc2 Trojan.Pasta.dyq Generic.Malware.sp!.20613D67 Generic.Malware.sp!.20613D67


    Edit: I ran a quick scan from Vipre AV and it has detected everything of this trojan.
    Also, this trojan tried to execute itself and Vipre detected it.
    Yes, you see now why AV never reaches 100% in detection of new malware - this is also what I was talking about in this post: https://www.sevenforums.com/366139-post8.html

    BTW, a score of 22/40 isn't so bad; what if you catch a virus which was created a few hours/weeks ago with an AV detection rate equal to... 0/40 or 4/39... like in this example: Virustotal. MD5: 5a34fd85bdac65d50a56a2c69228a726 Packed.Generic.187 VirTool:Win32/Obfuscator.EF High Risk Fraudulent Security Program

    Your protection should start from the first, very important layer:
    1. Prevention
    then... detection and then cure.
    Very well stated.


  4. Posts : 5,941
    Linux CENTOS 7 / various Windows OS'es and servers
       #4

    Dinesh said:
    Hi, there's this new trojan which I found on a website.
    Its filename is Bookmark.exe.
    Strange is that only 22/40 anti malware engines were able to detect it.
    Currently, I was trying Norton 360 beta 4 which has failed to detect it.
    So far, this trojan has changed my IE8 homepage. Not sure what else it will do.

    Here's the Virustotal link about the file analysis :
    Virustotal. MD5: edc631287a36a3b91990ec4f90fd7dc2 Trojan.Pasta.dyq Generic.Malware.sp!.20613D67 Generic.Malware.sp!.20613D67


    Edit: I ran a quick scan from Vipre AV and it has detected everything of this trojan.
    Also, this trojan tried to execute itself and Vipre detected it.
    Hi there
    How about publishing the website so this can either be blacklisted or checked with other programs (or both) or, even better, to see if one's own computer is resistant against the infection?

    Publishing that trojan xxxx can or cannot be detected isn't of any use to man or beast unless you can give some indications as to where and how the infection arose.

    Some of the analyses on the Security forum are just like asking the question "How long is a piece of String".

    Cheers
    jimbo


  5. Posts : 16
    Windows 7 Ultimate 64 Bit
       #5

    Dinesh,

    Have you tried detecting it with MSE?


  6. Posts : 31,249
    Windows 11 Pro x64 [Latest Release and Release Preview]
       #6

    Jimbo, Dinesh,

    I would prefer if this was not posted in the open - no problem to send it via a PM but things in the open could cause problems to less experienced users


  7. Posts : 8,476
    Windows® 8 Pro (64-bit)
    Thread Starter
       #7

    Barman58 said:
    Jimbo, Dinesh,

    I would prefer if this was not posted in the open - no problem to send it via a PM but things in the open could cause problems to less experienced users
    I agree, hence I didn't post the link in the forum.

    @richfrogg:
    I have tried scanning it with MSE and it didn't detect it.


  8. Posts : 1,039
    Windows 7 Ultimate x64 Service Pack 1 (Build 6.1.7601)
       #8

    No anti-virus software out there is 100% foolproof no matter what they say; it's just to do with sales.
    It's just an endless cycle that will never end.


  9. Posts : 51,474
    Windows 11 Workstation x64
       #9

    Barman58 said:
    Jimbo, Dinesh,

    I would prefer if this was not posted in the open - no problem to send it via a PM but things in the open could cause problems to less experienced users

    Just to make this completely clear - ANYBODY that posts a link to any form of Virus/malware will get an instant life ban on all our sites.

    Where viruses etc are concerned we have a zero tolerance policy.


  10. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #10

    This has now been re-named to Trojan.StartPage.SSSPP ... This is a 'start page' hijacking.

    URLs are changed all the time, so this infection could be just about anywhere the site owner doesn't keep up with good surveillance and security.


 
