Report trusted and whitelisted malware here - 2017 (NO LIVE MALWARE!)

Just to make it easy, the purpose of this topic is explained in the second sentence of the OP post.

Regardless of how it happens, it's important to take action against this. [b]If you find malware that is whitelisted[/b] but seems suspicious, please report it here. The name of the trusted vendor, or any other information, is also useful.
When it says [b]whitelisted[/b], it means whitelisted by Comodo.

Thank you

Dennis

Generic.Trojan - Certificate “issued” by Comodo

Fake AV

Some suspicious/malicious indicators: Matched Compiler/Packer signature (Microsoft Visual C++ 7.0), PE file has unusual entropy sections, Reads the active computer name, Reads the cryptographic machine GUID, Reads the system/video BIOS version, Reads the windows installation date, Queries sensitive IE security settings, Tries to obtain the highest possible privilege level without UAC dialog, Hooks API calls (NtCreateUserProcess@NTDLL.DLL in “Input Sample”), Process launched with changed environment (iexplorer.exe was launched with changed environment), Opens the Kernel Security Device Driver, Checks network status using ping, Contacts 2 domains and 2 hosts, HTTP request contains Base64 encoded artifacts, Multiple malicious artifacts seen in the context of different hosts

Hi pio,

Thank you for your submission.
We’ll check them and if found to be malware detection will be added.

Best regards
Qiuhui.■■■■

no stress … !!! :wink:

But please don't forget these files …

[quote author=pio link=topic=117715.msg859278#msg859278 date=1495329336]
PUA.Variant.InstallCore - Certificate “issued” by Global Sign

VT Detection Rate: 35/61

PUA.Variant.Auslogics - Certificate “issued” by Symantec & VeriSign

VT Detection Rate: 12/61
[/quote]

Hi pio,

Thank you for your submission.
We’ll check them and if found to be malware detection will be added.

Kind Regards,
Erik M.

PUA/Trojan.Variant.Kryptik - Certificate “issued” by Comodo

Some suspicious/malicious indicators: Matched Compiler/Packer signature (Visual C++ 7.0), PE file has unusual entropy sections, Entrypoint in PE header is within an uncommon section, Reads the cryptographic machine GUID, Reads the windows installation date, Reads the registry for installed applications, Tries to obtain the highest possible privilege level without UAC dialog, Modifies proxy settings, Queries sensitive IE security settings, Interacts with the primary disk partition, Executes WMI queries, Hooks API calls (NtCreateUserProcess@NTDLL.DLL in “Input Sample”), Process launched with changed environment (iexplorer.exe, cmd.exe), Opens the Kernel Security Device Driver, Contacts 2 domains and 1 host, HTTP request contains Base64 encoded artifacts, Malicious artifacts seen in the context of a contacted host

Hi pio,
Thanks for your submission. We’ll check the files and add detection if necessary.

Best regards,
Andrei Savin

Trojan/PUA.Variant.Kryptik - Certificate “issued” by Comodo

Some suspicious/malicious indicators: Matched Compiler/Packer signature (Visual C++ 5.0), PE file has unusual entropy sections, Reads the active computer name, Reads the cryptographic machine GUID, Reads the system/video BIOS version, Reads the windows installation date, Reads the registry for installed applications, Interacts with the primary disk partition, Modifies proxy settings, Queries sensitive IE security settings, Hooks API calls (NtCreateUserProcess@NTDLL.DLL in “Input Sample”), Opened the service control manager, Sent a control code to a service (Input Sample called “ControlService” and sent control code “0X400” & “0X24” to the service “CryptSvc”; “iexplore.exe” called “ControlService” and sent control code “0X24” & “0XDC” to the service “WSearch”), Runs shell commands, Opens the Kernel Security Device Driver, Checks network status using ping, Contacts 1 domain and 1 host, HTTP request contains Base64 encoded artifacts, Malicious artifacts seen in the context of a contacted host (found TROJAN LoadMoney Checkin 3)

Hi pio,

Thank you for your submission.
We’ll check them and if found to be malware detection will be added.

Best regards
Qiuhui.■■■■

Trojan.Variant.Spy.Ursnif - Certificate “issued” by Comodo

Some suspicious/malicious indicators: PE file has unusual entropy sections, PE file contains unusual section name, Reads the active computer name, Reads the cryptographic machine GUID, Scanning for window names, Contains native function calls, Makes a code branch decision directly after an API that is environment aware, Reads terminal service related keys, Accesses Software Policy Settings, Accesses System Certificates Settings, Spawns new processes (Spawned process “svchost.exe” with commandline “%WINDIR%\system32\svchost.exe”), Contacts 1 host

Hi pio,

Thank you for your submission.
We’ll check them and if found to be malware detection will be added.

Best regards
Qiuhui.■■■■

PUA.XportOptimizer - Certificate “issued” by Comodo and vendor is also classified as trusted!!! (especially dangerous for TVL users)

Some suspicious/malicious indicators: Matched Compiler/Packer signature (Nullsoft PiMP Stub → SFX), Reads the active computer name, Reads the cryptographic machine GUID, Scanning for window names, Possibly checks for the presence of 5 Antivirus engines, Reads the registry for installed applications, Accesses potentially sensitive information from local browsers, Accessed IE Quick Launch directory, Contains ability to elevate privileges, Modifies proxy settings, Queries sensitive IE security settings, Possibly tries to implement anti-virtualization techniques, Drops executable files, Installs hooks/patches the running process, Opens the Kernel Security Device Driver, Contacts 1 domain and 1 host, HTTP request contains Base64 encoded artifacts, Malicious artifacts seen in the context of a contacted host

Hi pio,

Thank you for your submission.
We’ll check them and if found to be malware detection will be added.

Best regards
Qiuhui.■■■■

PUA-Adware - Certificate “issued” by Comodo

Some suspicious/malicious indicators: Timestamp in PE header is very old or in the future (from Fri Jul 10 22:50:17 1992), PE file has unusual entropy sections, Looks up many procedures within the same disassembly stream (Found 11 calls to GetProcAddress@KERNEL32.DLL at PID 00002908), Contains ability to open the clipboard, Contains ability to retrieve keyboard strokes, Touches files in the Windows directory (API calls from Input Sample >>> touched file %WINDIR%\Fonts\staticcache.dat, %WINDIR%\system32\en-US\user32.dll.mui, %WINDIR%\Globalization\Sorting\sortdefault.nls), Opens the Kernel Security Device Driver, Found potential IP address in binary/memory (127.0.0.1),

Trojan.Variant.Kryptik - Certificate “issued” by Comodo

Some suspicious/malicious indicators: Matched Compiler/Packer signature (Microsoft Visual C++ v6.0), PE file has unusual entropy sections, Contains ability to query CPU information, Reads the active computer name, Possibly tries to implement anti-virtualization techniques (against VMware), Queries physical drive, Interacts with the primary disk partition, Found a dropped file containing the Windows username, Accesses potentially sensitive information from local browsers (Input Sample had access to “%APPDATA%\Microsoft\Windows\Cookies\index.dat” and “%APPDATA%\Microsoft\Windows\IETldCache\index.dat”), Modifies proxy settings, Queries sensitive IE security settings, Touches files in the Windows directory, Runs shell commands, Opens the Kernel Security Device Driver, Contacts 2 domains and 2 hosts, HTTP request contains Base64 encoded artifacts, Malicious artifacts seen in the context of a contacted host

Hi pio,

Thank you for your submission.
We’ll check them and if found to be malware detection will be added.

Best regards
Chunli.chen

Generic.PUA - Certificate “issued” by Comodo and vendor is also classified as trusted!!!

Some suspicious/malicious indicators: Matched Compiler/Packer signature (Microsoft Visual C++ 5.0), Reads the active computer name, Reads the cryptographic machine GUID, Reads the windows installation date, Reads the registry for installed applications, Reads Windows Trust Settings, Found an indicator for a scheduled task trigger, Possibly checks for the generally presence of an Antivirus engine, Possibly tries to implement anti-virtualization techniques (“if ([ /virtualbox/i, /vmware/i ].some(function(reg) {” (Indicator: “vmware”)), Drops executable files, Modifies proxy settings, Queries sensitive IE security settings, Accesses Software Policy Settings, Accesses System Certificates Settings, Writes data to a remote process (Input Sample wrote bytes to a foreign process “%WINDIR%\System32\wscript.exe”; DriverPack.exe wrote bytes to a foreign process “%WINDIR%\System32\cmd.exe” > mshta.exe > wscript.exe), Process launched with changed environment (Process “wscript.exe” was launched with new environment variables), Runs shell commands, Opens the Kernel Security Device Driver, Tries to GET non-existent files from a webserver, Contacts 6 domains and 8 hosts, HTTP request contains Base64 encoded artifacts, HTTP Request to .su TLD (Soviet Union), HTTP Executable Download from suspicious domain with direct request/fake browser (multiple families), WinHttpRequest Downloading EXE

and please don't forget these … :

PUA-Adware - Certificate “issued” by Comodo

Trojan.Variant.Kryptik - Certificate “issued” by Comodo

Hi pio,

Thank you for your submission.
We’ll check them and if found to be malware detection will be added.

Best regards
Qiuhui.■■■■

Another “fully trusted” malicious file:

Generic.PUA - Certificate “issued” by Comodo and vendor is also classified as trusted!!!

Some suspicious/malicious indicators: Matched Compiler/Packer signature (Microsoft Visual C++ 5.0), Reads the active computer name, PE file has unusual entropy sections, Queries volume information of an entire harddrive, Reads the registry for installed applications, Modifies proxy settings, Queries sensitive IE security settings, Drops multiple executable files, Spawns a lot of processes, Process launched with changed environment, Opens the MountPointManager, Opens the Kernel Security Device Driver, Touches files in the Windows directory, Installs hooks/patches the running process, Writes data to a remote process (Input Sample wrote bytes to a foreign process “%WINDIR%\System32\cmd.exe”)

Hi pio,

Thank you for your submission.
We’ll check them and if found to be malware detection will be added.

Best regards
Qiuhui.■■■■

UPDATE: Added Valkyrie link!!!

PUA.Variant.Installcore - Certificate “issued” by Comodo

Some suspicious/malicious indicators: Matched Compiler/Packer signature (Borland Delphi 4.0), Found Delphi 4 - Delphi 2006 artifact (“filedata.exe.bin” has a PE timestamp using the buggy magic timestamp 0x2A425E19), CRC value set in PE header does not match actual value, PE file contains zero-size sections, Opens the Kernel Security Device Driver, Touches files in the Windows directory, Found potential URL in binary/memory (Pattern match: “h**p://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline” > Heuristic match: "OUP=folder name Overrides the default folder name. > /NOICONS Instructs Setup to initially check the “Don’t create a Start Menu folder” check box. > /TYPE=type name Overrides the default setup type. > /COMPONENTS=comma separated list of component names
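As an added example (not code from this thread, from pio, or from Comodo), the Python below implements three of the static checks behind the sandbox indicators in the report above: the fixed Delphi 4 to Delphi 2006 timestamp 0x2A425E19, a stored PE CheckSum that does not match the recomputed one, and sections whose raw size is zero. The test input is a constructed, minimal set of PE32 headers and the helper names are my own.

```python
import struct
DELPHI_MAGIC_TIMESTAMP = 0x2A425E19  # 19 Jun 1992, the fixed TimeDateStamp of Delphi 4..2006 linkers

def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Recompute the PE image checksum the way Windows does, skipping the CheckSum field itself."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)  # fold the carry back in
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)

def triage_pe(data: bytes) -> dict:
    """Three static checks behind the sandbox indicators: magic timestamp, CheckSum mismatch, zero-size sections."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections, timestamp = struct.unpack_from("<HI", data, coff + 2)
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    checksum_offset = coff + 20 + 64  # CheckSum sits at +64 in the optional header
    stored = struct.unpack_from("<I", data, checksum_offset)[0]
    actual = pe_checksum(data, checksum_offset)
    sec0 = coff + 20 + opt_size  # section table follows the optional header, 40 bytes per entry
    zero_size = [data[h:h + 8].rstrip(b"\0").decode("ascii", "replace")
                 for h in range(sec0, sec0 + 40 * nsections, 40)
                 if struct.unpack_from("<I", data, h + 16)[0] == 0]  # SizeOfRawData == 0
    return {
        "delphi_magic_timestamp": timestamp == DELPHI_MAGIC_TIMESTAMP,
        "checksum_actual": actual,
        "checksum_mismatch": stored != 0 and stored != actual,  # 0 means never set, not a mismatch
        "zero_size_sections": zero_size,
    }

def build_sample_pe(timestamp: int, checksum: int, raw_sizes: list) -> bytes:
    """Constructed test input: minimal PE32 headers only, not a runnable program."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(raw_sizes), timestamp, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<I", opt, 64, checksum)
    secs = b"".join(f".s{i}".encode().ljust(8, b"\0")
                    + struct.pack("<IIII", 0x1000, 0x1000 * (i + 1), size, 0x400 * (i + 1))
                    + b"\0" * 16 for i, size in enumerate(raw_sizes))
    return dos + b"PE\0\0" + coff + bytes(opt) + secs
```

A CheckSum of zero is left alone because most user-mode linkers never fill it in; only a non-zero value that disagrees with the recomputed one is reported, which is the condition the sandbox line describes.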