Defence+ bypassed (V4.0.141842.828)

Hey, I was testing Defence+ against malware from the malware domain list and found a trojan that passes straight through and loads the process “load.exe” into memory. I put Defence+ into paranoid mode and tried to load the trojan again and received a yellow pop-up saying that “explorer.exe is a safe application. load.exe is also a safe application, you can safely allow this request”. I'm shocked that Defence+ says that a known trojan is a safe application. Thanks, hope this is fixed as I'm a fan of Comodo's software.

Avast detects the trojan as Win32:Malware-gen.

Malware:
http://camas.comodo.com/cgi-bin/submit?file=42fdb8be709abed7a12a8c76e9e4ff5b85a54c659862c59a25b2f09baebef0df

Do you have the sandbox on or off?

Off, I was purely testing Defence+. As it creates the key CU\Software\Microsoft\Notepad, it appears to disguise itself as the Notepad application in order to bypass Defence+.

Anubis:
http://anubis.iseclab.org/?action=result&task_id=16ab3068392d19034354fe8932009f34e&call=first

Can you submit it to VirusTotal and paste the link?

I’m wondering how other AVs classify this.

Here is my thing: ok, it created the registry key and can run in memory, but can it do anything to the system? Can it download things? Can it try to steal your data? See if you can find this out.

When I submitted the load.exe file, it appeared as notepad.exe when VirusTotal analyzed it:

http://www.virustotal.com/analisis/42fdb8be709abed7a12a8c76e9e4ff5b85a54c659862c59a25b2f09baebef0df-1274277361

Also, it has the Notepad icon but uses a strange Arabic-type language.

This is what I got when I submitted it to Sunbelt for analysis… it's odd that it never shows up under the name of the file on my desktop ???

Screenshot: http://img25.imageshack.us/img25/9923/desktoprv.jpg

Sample of the text you get when it's launched: Блокнот

The reason for the claimed Avast detection (Win32:Malware-gen) remains unclear, though it appears the malware domain list URL directly linked a full executable (load.exe).

Comodo malware analysts confirmed that the executable in question is a legitimate copy of Notepad that had simply been renamed.