Undetectable malware?

Found some malware which changes every time it is downloaded, making it nearly undetectable:
http://www.virustotal.com/analisis/fb510bf06b3da7554f9ea57d0e7d6395

Is it possible for the lab to create a generic signature?

DarthTrader
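To make the question concrete (an added illustration, not code from this thread or from any vendor's lab): the Python sketch below builds a few constructed copies of a file whose padding changes on every download but whose core does not, shows that their MD5s all differ, and derives a generic signature from the byte run every copy shares. The core bytes, sample layout and function names are all made up for the example.

```python
import hashlib
import random

# Constructed stand-in for a download that changes on every fetch: each copy
# wraps the same core in fresh random padding, so every copy has a new MD5
# while the part worth detecting never changes. Not the real NaviPromo sample.
CORE = b"CONSTRUCTED_DROPPER_CORE:" + bytes(range(64)) * 4

def make_sample(rng: random.Random) -> bytes:
    """One 'download': random head + invariant core + random tail (constructed)."""
    head = bytes(rng.getrandbits(8) for _ in range(rng.randint(100, 200)))
    tail = bytes(rng.getrandbits(8) for _ in range(rng.randint(100, 200)))
    return head + CORE + tail

def md5s(samples):
    """Per-file hashes: what a hash-based blocklist would have to keep up with."""
    return [hashlib.md5(s).hexdigest() for s in samples]

def common_run(samples, min_len=32) -> bytes:
    """Longest byte run shared by every sample: the candidate generic signature."""
    # Brute force is fine for a handful of small samples. A lab would also
    # check the run against clean software before shipping it as a signature.
    first, best = samples[0], b""
    for i in range(len(first)):
        # Try the longest window starting at i first, shrinking until it matches.
        for j in range(len(first), i + len(best), -1):
            cand = first[i:j]
            if all(cand in s for s in samples[1:]):
                best = cand
                break
    return best if len(best) >= min_len else b""

def detect(blob: bytes, signature: bytes) -> bool:
    """Generic detection: the signature fires on any copy that carries the core."""
    return bool(signature) and signature in blob

def demo(seed=1, copies=4):
    """Build 'copies' downloads, derive a signature from them, then test a
    never-seen copy (and random clean bytes) against it."""
    rng = random.Random(seed)
    known = [make_sample(rng) for _ in range(copies)]
    sig = common_run(known)
    fresh = make_sample(random.Random(seed + 100))   # a later, re-randomised download
    clean = bytes(random.Random(seed + 200).getrandbits(8) for _ in range(400))
    return {
        "distinct_md5s": len(set(md5s(known))) == len(known),
        "fresh_md5_known": hashlib.md5(fresh).hexdigest() in md5s(known),
        "generic_hits_fresh": detect(fresh, sig),
        "generic_hits_clean": detect(clean, sig),
        "sig_len": len(sig),
    }
```

Running `demo()` shows every known copy with a distinct MD5, the fresh copy missed by the hash list but caught by the generic signature, and no hit on the clean bytes.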

Can you please upload it to camas to see the results…
Thanks
Melih

Hi Melih,

Here is the camas result:
http://camas.comodo.com/cgi-bin/submit?file=fca8223d14b8501073a1f8a2b97cc3c4678f08cf9e59b07364c6f45a181d7546

It is rated “not suspicious”, but I can assure you it is malware. Avira has a generic detection in the works but has not yet released it:

File ID   Filename                    Size (Byte)  Result
25294950  Web-MediaPlayer_s...01.zip  970.35 KB    OK

A listing of files contained inside archives alongside their results can be found below:

File ID   Filename                    Size (Byte)  Result
25294951  Web-MediaPlayer_s...01.exe  221.31 KB    MALWARE
25294952  Web-MediaPlayer_s...03.exe  221.17 KB    MALWARE
25294953  Web-MediaPlayer_s...02.exe  221.33 KB    MALWARE
25294954  Web-MediaPlayer_s...04.exe  221.24 KB    MALWARE


Please find a detailed report concerning each individual sample below:

Filename                    Result
Web-MediaPlayer_s...01.exe  MALWARE

The file 'Web-MediaPlayer_setup-001.exe' has been determined to be 'MALWARE'. Our analysts named the threat DR/NaviPromo.AB. The term "DR/" denotes a program that is able to place a virus or a malware discretely on a system. Detection will be added to our virus definition file (VDF) with one of the next updates.

Filename                    Result
Web-MediaPlayer_s...03.exe  MALWARE

The file 'Web-MediaPlayer_setup-003.exe' has been determined to be 'MALWARE'. Our analysts named the threat DR/NaviPromo.AB. The term "DR/" denotes a program that is able to place a virus or a malware discretely on a system. Detection will be added to our virus definition file (VDF) with one of the next updates.

Filename                    Result
Web-MediaPlayer_s...02.exe  MALWARE

The file 'Web-MediaPlayer_setup-002.exe' has been determined to be 'MALWARE'. Our analysts named the threat DR/NaviPromo.AB. The term "DR/" denotes a program that is able to place a virus or a malware discretely on a system. Detection will be added to our virus definition file (VDF) with one of the next updates.

Filename                    Result
Web-MediaPlayer_s...04.exe  MALWARE

The file 'Web-MediaPlayer_setup-004.exe' has been determined to be 'MALWARE'. Our analysts named the threat DR/NaviPromo.AB. The term "DR/" denotes a program that is able to place a virus or a malware discretely on a system. Detection will be added to our virus definition file (VDF) with one of the next updates.

I bet you could guess the name of the website from the name of the file and download a few copies yourself. :slight_smile:

EDIT: Here is a ThreatExpert report:
http://www.threatexpert.com/report.aspx?md5=66eb197bb919b7527c41a18d8d8195ca

Regards,
DarthTrader

UPDATE: This ■■■■■■ is now detected as SPR/Agent.BACR by Avira:
http://www.virustotal.com/analisis/9e4ca2d8dd5aea3264a08b6fedbe6946

Good job Avira! :-TU

UPDATE2: I see that other vendors are starting to detect it as well:
http://www.virustotal.com/analisis/9849596781e2d960a0379d012d9eb7b3

And now Comodo, perhaps? ;D

Hi, DarthTrader
Could you upload the sample to the forum? We will add it asap!

Hi, lenosec,
Here is a siteadvisor report:
http://www.siteadvisor.com/sites/web-mediaplayer.com
From this, you should be able to download some copies yourself, but remember it changes each and every time it is downloaded. A generic detection must be created to stop it!

EDIT: Apparently I have upset the author of this program:

Stay tuned… :slight_smile:

DarthTrader

Hi, DarthTrader
Thank you for reporting, we’ll add it as soon as possible!

Tested against the behavior blocker I use - caught it.

Hi, DarthTrader
It is not malware by analyzing!

Hi shaogang.he,

Please show us your analysis. Also, please check this link:
http://www.microsoft.com/windows/products/winfamily/defender/analysis.mspx

EDIT: Here is another link to check:
https://forums.comodo.com/virusmalware_removal_assistance/webmediaplayer-t11335.0.html

DarthTrader

Hi, DarthTrader
We’ll confirm this again!
Thanks and Regards

Hi, DarthTrader
Detection for the submitted samples has been added. Please check virus signature database 1090.

Thanks!

Hi shaogang.he,

Thanks for your efforts! Unfortunately, this file changes each and every time it is downloaded, so newer samples do not appear to be detected:
http://www.virustotal.com/analisis/0ae9d3343744deeb38e401432225c6ea

Also, you will find other suspicious websites from the same company in this thread:
http://social.msdn.microsoft.com/Forums/en-US/iewebdevelopment/thread/82658938-c298-4593-9b24-0865327f4707

Samples from these sites are all detected generically by several AV vendors. Will Comodo join them with its own generic detection? :wink:

Regards,
DarthTrader

This one was a fake Russian player, basically a rogue “copycat” dropping a bunch of malware/spyware.

(The real French player is ‘‘web media player’’, not ‘‘web mediaplayer’’: http://www.azertysite.new.fr/ ; it is outdated.)

If you got infected, you can use Navilog1 or mbam.