Thursday, August 16, 2007

Security: undetected trojan - svhost.exe

Some people really believe their antivirus software is the best. Here is a counterexample. This malware (a trojan) is packed with Themida, a commercial protector that most antivirus companies have not yet bothered to add to their blacklists. I am not saying that blacklisting packers is good practice in general, but at times I really wonder whether it is better than waiting for someone to pack their malware with it and start spreading it.

Spammer: Fetitz{-A-}!
Message (Romanian, attached filename = album.rar): "poze cu mine si filumete de sex cu mine si pe cine intereseaza id meu sexyandreeeaaa pt cei care vor o noapte frt ieftin :) pt mai multe detali intrati pe id meu :) fac si masturbare prin web ce doriti voi :)"
Translation: "pictures of me and little sex movies with me, and for anyone interested my ID is sexyandreeeaaa, for those who want a really cheap night :) for more details check my ID :) I also do masturbation over webcam, whatever you want :)"

album.rar contained poze.exe, which I sent for analysis to the Anubis project; here are the results.
The executable connects to the Undernet IRC network and then waits for its operator to send commands, i.e. it is an IRC bot that hands the attacker remote control of the infected machine.

Main program: C:\Windows\system32\svhost.exe (note the missing "c": the legitimate Windows service host is svchost.exe, which also lives in %SystemRoot%\System32). A file name alone proves nothing either way, so when hunting for this check the full path and the digital signature rather than relying on the name.

MD5 hashes of the samples:
7560272abe35a5b1092779f407c7f03c poze.exe
efc6a66e2884e2d77dab32f7725f31d4 album.rar

I tried to upload the sample to the Kaspersky website and, guess what, it does not allow uploads larger than 1 MB. The archive and the executable were both about 1.4 MB.

Removal tool: Cwean antimalware package
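As an added example that is not part of the original post: a small Python script that checks a file's hash against the two MD5 values listed above and flags process or file names that impersonate svchost.exe, either by a one-character name difference (svhost.exe) or by the genuine name sitting in the wrong directory. The process list and the table of expected directories are constructed for illustration and are assumptions, not output from the analysed sample.

```python
import hashlib
import ntpath

# MD5 hashes published above for the two samples (poze.exe, album.rar)
KNOWN_BAD_MD5 = {
    "7560272abe35a5b1092779f407c7f03c": "poze.exe",
    "efc6a66e2884e2d77dab32f7725f31d4": "album.rar",
}

# Assumed table of commonly impersonated Windows binaries and the
# directory in which the genuine copy lives (lower-case, no trailing slash).
EXPECTED_LOCATION = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


def file_hashes(path, chunk_size=1 << 16):
    """Return MD5 and SHA-256 hex digests of a file, read in chunks."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def lookup_md5(digest):
    """Map an MD5 digest to the sample name from the post, or None."""
    return KNOWN_BAD_MD5.get(digest.strip().lower())


def within_one_edit(a, b):
    """True if b differs from a by exactly one insert, delete or substitute."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a  # make a the shorter (or equal-length) string
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
        else:
            edits += 1
            if edits > 1:
                return False
            if len(a) == len(b):
                i += 1  # substitution consumes a character of both
            j += 1      # insertion consumes only a character of b
    return edits + (len(b) - j) == 1


def classify(name, path):
    """Return a reason string if (name, path) looks like an impostor, else None."""
    lname = name.lower()
    directory = ntpath.dirname(path).lower().rstrip("\\")
    if lname in EXPECTED_LOCATION:
        expected = EXPECTED_LOCATION[lname]
        if directory != expected:
            return f"{name} expected in {expected}, found in {directory}"
        return None
    for legit in EXPECTED_LOCATION:
        if within_one_edit(lname, legit):
            return f"{name} is one edit away from {legit}"
    return None


def flag_suspicious(processes):
    """Run classify() over (name, path) pairs and return the flagged ones."""
    flagged = []
    for name, path in processes:
        reason = classify(name, path)
        if reason:
            flagged.append((name, path, reason))
    return flagged


# Constructed process list: the svhost.exe path is the one named in the post,
# the Temp-directory svchost.exe is a made-up second impostor.
SAMPLE_PROCESSES = [
    ("svchost.exe", r"C:\Windows\System32\svchost.exe"),
    ("svhost.exe", r"C:\Windows\system32\svhost.exe"),
    ("svchost.exe", r"C:\Users\andreea\AppData\Local\Temp\svchost.exe"),
    ("explorer.exe", r"C:\Windows\explorer.exe"),
    ("lsass.exe", r"C:\Windows\System32\lsass.exe"),
]

if __name__ == "__main__":
    for name, path, reason in flag_suspicious(SAMPLE_PROCESSES):
        print(f"SUSPICIOUS {path}: {reason}")
```

On the constructed list the script flags svhost.exe (one edit away from svchost.exe) and the svchost.exe under Temp (right name, wrong directory), and leaves the genuine entries alone. The one-edit rule is deliberately narrow: it catches the dropped-letter trick used here without flagging every unrelated short name, and a real deployment would also verify the Authenticode signature of anything it flags.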


Cd-MaN said...

AV cannot be perfect by its very nature (how can it know about something malicious which hasn't even been created yet?). That's why there are complementary solutions like defense in depth (running as non-admin for instance, which would have stopped this in no time), HIPS and common sense :).

AV exists because people want freedom and would not stand for a centralized white-list, although for many this would be the perfect solution (IMHO).

Finally a little plug: you can use a perl script (which I developed) to upload files to VT and automatically generate reports of the results.

PS. VirusTotal actually distributes the samples to the vendors who don't detect it.

Unknown said...

I already made one using curl:
but yours seems way better, I'll have to try it out! Thanks a lot! :)

This will be made available to the other members of the security teams I'm in.