Protecting over 200 million PCs, Macs, & Mobiles – more than any other antivirus


April 6th, 2012

Lazy Friday? Maybe next time

Some of you may think that Friday (especially the afternoon) is an informal prequel to the weekend relaxation. As such, it should be devoted to putting legs high up on the desk and drinking long drinks from a glass with a little umbrella. You know, no one wants to make some last-minute embroilment. But unfortunately, malware seems to never sleep. Due to that, Friday can provide us with interesting revelations.

Part one – there’s a new version of Morphex

Friday’s log of reported false positives contained this record:

Morphex report

The path is not typical for Morphex (it’s usually located under names similar to c:\older\sister.exe as I mentioned in previous articles), but all other characteristics match. It’s a BFFclient 1.11b (a toolkit for building autorun worms with botnet functionality) packed with Morphex and it’s certainly pretty fresh. In a VirusTotal table, a public service for the security community that shows comparative detections, it was only detected by one out of every five of the 40+ AV products:

Detection coverage

What does it modify on your system? It’s a well known story: inject svchost.exe -> turn autorun functionality on -> drop own autorun.inf and payload to all disk drives (especially removable ones to successfully spread itself) -> poison the registry with own references (SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman) -> go home and report a new victim. Definitely, something you don’t want to have and hold.

Part two – Ramnit strikes again

Who says you can’t teach an old dog new tricks? Ramnit authors have recently tried new ideas to hide their malicious activities and it partially works. One sample appeared today in our FP report, but it was not detected as Win32:Ramnit nor Win32:MalOb-FE, the usual detections:

Ramnit report

Fortunately MalOb-FE is not the only MalOb in the universe :-). The detection coverage here is proportional to the freshness of the sample, just like the first example shown above. Here the detection rate dropped to 14% between other AV products:

Detection coverage

What’s the behavior of this sample? It drops a really evil binary, that’s responsible for installation of a rootkit, communication library rmnsoft.dll and infecting many executable files on your system. It also sends and receives lots of data, thus your computer might get seriously compromised. Detection of this evil binary is a bit better at 46% , but it’s still nothing to celebrate:

Pure evil

Two interesting discoveries, don’t you think? Who said that Friday is the least productive day of week? :-)

Categories: analyses, Virus Lab Tags: , , ,
  • Tech

    Kredjl, last weekend we saw three avast! virus definitions update. Seems we are following the same rule of increasing malware activity on the weekends. Thanks for your extra work.

  • http://www.avast.com Michal Krejdl

    Don’t forget the streaming updates – they’re running during weekend as well ;-)