bypass v5.10.228257.2253 (dll malware, QQ pass)

[Guest]

[languy99]

so from what I can tell this is what is happening, a trusted file is loading malware into memory and if the AV does not catching it, it would bypass. Is that what you are saying?

[a256886572008]

another sample:



enlpu.dll (50.1MB)
https://valkyrie.comodo.com/Result.html?sha1=929f6b272fc399fb1abc06801d52e844685f83fd&&query=0&&filename=enlpu.rar

https://www.virustotal.com/file/b7bc60780855a01e1f81853a279b6b53fbe528e1a1f5ac931b95859e84a9ba9d/analysis/1337665988/

MSUpdates.exe
https://valkyrie.comodo.com/Result.html?sha1=f7f57137a029457f132ae63c1b41eac24ac21524&&query=0&&filename=msupdates.exe

https://www.virustotal.com/file/239eee98bbcc692f13bffb4d01eb5588b69c75c3e97587f428ca6042d53fb573/analysis/1337666274/

---------------------------------------------------

2012-05-22 15:14:22   C:\Documents and Settings\Roger\桌面\virus\WindowsUpdate\MSUpdates.exe   Sandboxed As   Partially Limited   

2012-05-22 15:14:24   C:\Documents and Settings\Roger\桌面\virus\WindowsUpdate\MSUpdates.exe   Modify Key   HKUS\S-1-5-21-1993962763-796845957-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable   

2012-05-22 15:14:24   C:\WINDOWS\Explorer.EXE   Sandboxed As   Partially Limited   

2012-05-22 15:14:25   c:\hds1.exe   Sandboxed As   Partially Limited   

2012-05-22 15:14:27   C:\WINDOWS\system32\conime.exe   Sandboxed As   Partially Limited   

2012-05-22 15:14:27   c:\hds2.exe   Sandboxed As   Partially Limited   

2012-05-22 15:14:30   c:\hds3.exe   Sandboxed As   Partially Limited   

2012-05-22 15:14:30   C:\Documents and Settings\Roger\桌面\virus\WindowsUpdate\MSUpdates.exe   Access Memory   C:\WINDOWS\explorer.exe   

2012-05-22 15:14:44   C:\WINDOWS\system32\userinit.exe   Modify Key   HKUS\S-1-5-21-1993962763-796845957-1801674531-1003\Software\Microsoft\Windows NT\CurrentVersion\Windows\Device   

2012-05-22 15:14:52   C:\WINDOWS\system32\userinit.exe   Access COM Interface   \RPC Control\spoolss  

[languy99]

turning security to proactive will stop that, in the stock internet security mode the firewall lets anything out basically.

[a256886572008]

turning security to proactive will stop that, in the stock internet security mode the firewall lets anything out basically.

Because CIS trusts the MSUpdates.exe, it was bypassed by the malware.

[EricJH]

MSUPdates.exe is not trusted as it gets sandboxed. Or did you sandbox if manually for testing or instruction purposes?

[a256886572008]

MSUPdates.exe is not trusted as it gets sandboxed. Or did you sandbox if manually for testing or instruction purposes?

I add it to the list, "always sandbox"

[languy99]

go to the firewall tab, firewall behavior settings and turn off "Do not show popup alerts" does it still have access while in the sandbox?

[a256886572008]

go to the firewall tab, firewall behavior settings and turn off "Do not show popup alerts" does it still have access while in the sandbox?

1. The configuration was "CIS"

2.The firewall was in "safe mode"

3.So, there were no firewall alerts

[languy99]

that is not what I asked you to check.

[a256886572008]

test the malware with DW:

1.DW trusts this file

"photo.exe"



2.DW untrusts another file

"MSDTCTM.dll"




3.The user double clicks on the photo.exe

4.result: DW untrusts the photo.exe

[Tags:]