New Malware; Barely Detected; FlyCrypter & USG

This is in regard to a new piece of malware - at least it’s 90% likely that it’s some form of malware - that is currently undetected by any anti-virus/anti-malware/anti-trojan/etc. program; at least according to VirusTotal.

I found this download at a file sharing site. It was being shared as the “Portable” version of the software. The main problem here is that there isn’t a portable version of it. Something seemed suspicious about it, so I attempted a basic decompile/RE, which is how I learned it was packed/encrypted with Fly Crypter, and that USG was probably used as well to create it. In case you don’t know what USG is, it stands for ‘Unique Stub Generator’. Below is a copy+paste of the information I gathered and used to get the file taken down from the file sharing site I located it on.

Software creator’s/producer’s valid website: hxxp://www.straightware.com

The real software’s download/installation application’s name is ringmk11.exe. The download page for it is as follows: hxxp://www.straightware.com/ringmk11.exe

Ringtone Maker.exe = ‘Fake one’
ringmk11.exe = ‘Real one’
Fake one MD5: bd0d75198bc2c72237154ddc18b8da97
Real one MD5: 91e78a3f36f07fbac7a27c45d90fb988
Fake one timestamp: 2011:04:18 02:21:44+02:00
Real one timestamp: 2010:10:30 22:54:54+02:00
Fake one VirusTotal results - encased in {} - are as follows:
{http://www.virustotal.com/file-scan/report.html?id=9fe9b48ea30991145709d6190b9d47677cbfafba593df747377a49dd76555b5f-1304218833}
Real one VirusTotal results - encased in {} - are as follows:
{http://www.virustotal.com/file-scan/report.html?id=c56d1f6763326feb1189046be0091176b059375a6ca0f8a48a764cec9d2b4883-1304223448}

Anubis report of fake one - encased in {} - is as follows:
{http://anubis.iseclab.org/?action=result&task_id=19579022071d95be43d9a058d0ae8741b&format=html}

Oh, by the way, the real software has an advertising - adware - program as part of the install application. Though I’m not sure if it will prompt you during installation to see if you want to install the advertising - adware - bit as well. The adware is ‘Adware.Facemoods.1’ according to Dr. Web. No other scanners picked up on the Facemoods adware in the real one’s VirusTotal scan. I’m including the Dr. Web Online File Check URL as well - encased in {}. It’s as follows:

{http://online.us.drweb.com/cache/?i=ebc26d7d4e8a1af6d00c980d0904614e}

Scans I’ve done today - URLs encased in {} - are as follows:

NoVirusThanks File Scan - {http://vscan.novirusthanks.org/analysis/bd0d75198bc2c72237154ddc18b8da97/cmluZ3RvbmUtbWFrZXItZXhl/}

Jotti’s Virus Scan - {http://virusscan.jotti.org/en/scanresult/7c449be6484224bcf955c9d528e1dfba0472d07c} (The first scan to actually show enough results that your average user might indeed believe it to be more than a false positive.)

New VirusTotal scan - {http://www.virustotal.com/file-scan/report.html?id=9fe9b48ea30991145709d6190b9d47677cbfafba593df747377a49dd76555b5f-1304381103} (Note that this one is starting to receive more bad results. Also, it’s starting to be uploaded with different file names, so the spread of this infection is continuing.)

Regarding these two URL scans: the file ‘Ringtone Maker.exe’, upon execution, sends a GET command: GET /cfg.bin HTTP/1.1, which is a Zeus configuration file.
URLVoid Scan - {Report Not Found | URLVoid}
ZeuS Tracker Scan - {https://zeustracker.abuse.ch/monitor.php?host=botcat.la}

This is where I submitted it to Valkyrie: {http://valkyrie.comodo.com/Result.aspx?sha1=5076855663B746B41D55F074FF7A127DE268884D&&query=0&&filename=Ringtone%20Maker.exe} (It states it’s 80% likely clean, though in the Dynamic Detection it states the following: Suspicious++ Report Url 2011-05-03 09:23:23 2011-05-03 09:23:23 2011-05-03 09:23:23.) Oh, I also reported it as malware.

That report URL is as follows: {http://cima.security.comodo.com/report/5076855663b746b41d55f074ff7a127de268884d.htm}
This is pretty much a copy+paste of the CIMA report from me uploading the file, which is as follows:
{http://camas.comodo.com/cgi-bin/submit?file=9fe9b48ea30991145709d6190b9d47677cbfafba593df747377a49dd76555b5f}

Hopefully this is plenty of information to get this file set as malicious and start the process of creating signatures/heuristics for this particular file, as well as some analysis of the FlyCrypter and USG being used.

If you need any other information regarding this file and/or have any other sort of questions for me, just ask and I shall respond.

Oh, I forgot to mention that Comodo Internet Security Premium, completely updated with settings set to the max, is not reporting that this file is malicious at all. CIS just gives an “all clear” on it.

I’m going to be fixing a computer for the next hour or so, so I won’t be online to respond for a bit. I’ll log on to check whether there are any questions or any progress regarding this file once I’m done.
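A defender-side triage script, added here as an example and not part of the thread or of any tool it mentions: it labels a file by the two MD5s quoted above and scans proxy access-log lines (Squid native log format assumed; the sample lines are constructed) for the GET /cfg.bin fetch and for the botcat.la host behind the ZeuS Tracker link.

```python
import hashlib
import re
from pathlib import Path
from urllib.parse import urlsplit

# File hashes quoted in the post: the trojanised upload and the vendor's real installer.
KNOWN_MD5 = {
    "bd0d75198bc2c72237154ddc18b8da97": "fake: Ringtone Maker.exe (FlyCrypter/USG, Zeus)",
    "91e78a3f36f07fbac7a27c45d90fb988": "real: ringmk11.exe from straightware.com",
}
# Network indicators from the post: the config download and the ZeuS Tracker host.
SUSPECT_HOSTS = {"botcat.la"}
CFG_PATH_RE = re.compile(r"/cfg\.bin$", re.IGNORECASE)

def classify_md5(digest: str) -> str:
    """Map an MD5 hex digest to the post's label, or 'unknown'."""
    return KNOWN_MD5.get(digest.lower(), "unknown")

def classify_file(path: str) -> str:
    """Hash a file on disk and classify it against the post's two MD5s."""
    return classify_md5(hashlib.md5(Path(path).read_bytes()).hexdigest())

# Squid native access-log fields (assumed): time elapsed client code/status bytes method url ...
LOG_RE = re.compile(r"^(\S+)\s+\d+\s+(\S+)\s+\S+\s+\d+\s+([A-Z]+)\s+(\S+)")

def find_cfg_fetches(lines):
    """Return (client, url, reason) for requests matching the Zeus indicators in the post."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        _ts, client, method, url = m.groups()
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        reasons = []
        if method == "GET" and CFG_PATH_RE.search(parts.path):
            reasons.append("GET /cfg.bin (Zeus config fetch)")
        if host in SUSPECT_HOSTS:
            reasons.append("host listed on ZeuS Tracker")
        if reasons:
            hits.append((client, url, "; ".join(reasons)))
    return hits

# Constructed sample log lines (not from the post); TEST-NET addresses for the upstreams.
SAMPLE_LOG = """\
1304218833.104 120 10.0.0.12 TCP_MISS/200 2104 GET http://www.straightware.com/ringmk11.exe - DIRECT/203.0.113.5 application/octet-stream
1304218840.551 90 10.0.0.12 TCP_MISS/200 6144 GET http://botcat.la/cfg.bin - DIRECT/198.51.100.7 application/octet-stream
1304218841.003 15 10.0.0.31 TCP_MISS/200 1200 GET http://example.org/index.html - DIRECT/198.51.100.9 text/html
"""

if __name__ == "__main__":
    for client, url, reason in find_cfg_fetches(SAMPLE_LOG.splitlines()):
        print(f"{client} -> {url}: {reason}")
```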

Hi RGentle,

Detection for the reported file is available with DB 8567. Please update and confirm it.

Thanks and Regards,
Haja

Confirmed. Upon opening the file folder where the executable was located, Comodo Internet Security Pro popped up a “Warning” message - incredibly fast as well, darn near instantaneously - and stated that the executable was infected with Zeus/Spy.

Heh. CIS was actually detecting it as Zeus/Spy for about 6 hours prior to your post.