
September 15th, 2010

Accurate file names

It is always nice when we know what a file does, where it comes from, and so on. Most of the time spent on deeper analysis of file samples goes into uncovering exactly this information. But sometimes we don’t have to try at all, because everything is obvious, as in this case:

[Screenshot: the fp (false-positive) submission]

Sality is a file infector that has been quite “popular” in the last few years, and here it seems to be sitting behind a direct download link. Let’s visit the site:

[Screenshot: the download nicely announced on the site]

Just one click takes you to the link mentioned in the fp submission. The road to hell is straight and broad :-) . What’s interesting here is the “nomen omen” of the binary – it’s called destroy.exe, as shown above. So there was a hidden warning in fact, and next time we should definitely take this attribute into account and skip our own analysis in order to save some time :-D . Do you want to destroy your data? Go ahead and run destroy.exe; that’s WYSIWYG as far as I can tell.

Last but not least – how does a cross-section of AV engines deal with this infection? avast! performs far above the industry average when it comes to detecting the downloaded setup file before it is unpacked. Or is it that my perspective is reversed? Maybe the others are just performing below the avast! average. :-)

[Screenshot: scan of the downloaded setup file]

[Screenshot: scan of unpacked destroy.exe]

Categories: analyses, Virus Lab
  1. September 15th, 2010 at 19:36 | #1

    “Maybe the others are just performing below the avast! average.”

    Sounds a bit better to me.

    I’m glad Avast can see within the executable before it has actually been extracted / ran.

    Now gimme 5.1 for my business users!

  2. September 15th, 2010 at 20:51 | #2

    My Portuguese is sketchy to say the least :) but I think the “destroy” keyword is just a coincidence – the program is advertised as a cheat for an online game called Ragnarok Online. The cheat’s name is Destroy Ragnarok Online (DestroyRO).

    So it’s no wonder it shows up in the file properties!

  3. September 15th, 2010 at 21:18 | #3

    @Mario Vilas
    Of course, it’s a coincidence ;-) . But we have fun when we come across such a specific coincidence; it makes our work more cheerful. And it doesn’t change the fact that the Sality virus is available under a direct link on a legitimate site.

  4. Brandon
    September 16th, 2010 at 00:53 | #4

    You definitely need a good sense of humor to be in this business!

  5. September 16th, 2010 at 07:39 | #5

    Recently my system was also infected with Win32.Sality, which was very annoying to remove till I used avast. It removed it properly. Thanks.

  6. September 16th, 2010 at 07:55 | #6

    Hi Michal,

    Nice of you to share this blog, especially the detailed analysis.
    But sometimes some AVs also can’t detect as fast as others, including avast antivirus (Sorry, I don’t mean any offense in this case, but just want to share that nothing is perfect in this world).

    Again, this is nice article.

  7. user
    September 17th, 2010 at 19:36 | #7

    Hi!

    I contacted http://infinitybrasilhost.com and pointed them to this blog post.
    5 minutes later that account was suspended. Great support :D

    If you try to visit http://destroyro.infinitybrasilhost.com/ you see only “Account suspended”.

  8. September 17th, 2010 at 19:49 | #8

    I was informed of this case and suspended the client; he asked me for 48 hours to remove the malware. My client has been released and the client will have 48 hours to remove the malware.
    Thank you
    Carlos Heitor Lain
    http://infinitybrasilhost.com/
    Administrator

  9. September 17th, 2010 at 19:58 | #9

    I was informed of this case and postponed the client; he asked me for 48 hours to remove the malware. My client has been released and the customer will have 48 hours to remove the malware.
    Thanks
    Carlos Heitor Lain
    http://infinitybrasilhost.com/
    Administrator

  10. September 21st, 2010 at 10:18 | #10

    @Mario Vilas

    I think anyone that needs to download a cheat for gaming deserves to get a virus LOL.

    In regards to Avast, I haven’t used/found anything better…it’s never let me down and Free Edition protects better than a lot of “full” security that you’d pay £40+ for…A lot of “big named” AV should be ashamed about what they charge for what little protection they provide…AVAST RULES!
