We come across plenty of malware reports every day. Sometimes we have to deal with special cases where a respected vendor is involved. This time it was the Dell driver download site.
I don’t know what kind of curiosity leads people to the dark corners of the internet when they want to obtain a new version of antivirus software. It’s somehow irrational to look for security software in insecure places. But… it happens.
As you can see, the file name is Avast_Antivirus_2012_Trial_Verion.exe – but it is definitely not a proper setup released by us. Here are some facts that are worth remembering:
What a weird positive we’ve just spotted on CNET’s Download.com…
For those who remember my article about the “immortal” virus: here’s proof. LookMyPC is software for remote support and similar tasks. It has an official web page with downloads, which is unfortunately a place where you can meet the Win32:Parite virus.
Don’t worry, we’re not gonna watch movies marked with an asterisk. However, from the malware analyst’s point of view, the following lines might be somewhat “spicy”. We’ll take a look at a suspected false positive promoted as a regular GameMaster setup. The file appeared in our FP submission system with the usual comment “it’s clean” or something like that, so we can only guess that the file was not obtained from an official source.
Some of you may think that Friday (especially the afternoon) is an informal prequel to the weekend relaxation. As such, it should be devoted to putting your legs up on the desk and sipping long drinks from a glass with a little umbrella. You know, nobody wants to get tangled up in something at the last minute. But unfortunately, malware never seems to sleep. Because of that, Friday can provide us with interesting revelations.
I’ve already seen many strange things inside malware packers, but there’s always something surprising. The latest one came during the analysis of a packer used to wrap Zbot, LockScreen and similar binaries (detected under various MalOb-* [Cryp] names). There’s a block of allocated memory with a long list of names. But these names are not used for anything related to malware execution, they’re not visible to the user (unless you emulate/trace the sample), and they have no special purpose. So why are they there? And where’s the Czech footprint?
Do you remember Mystic compressor and its “shouts” to the world, especially to Sunbelt guys? I hope so, but just in case – here’s one screenshot:
And now we’ve also got a kind of response from the Morphex authors.
Do you feel lonely for an older sister? Now getting one is easier than ever before! All you need is a pen drive and to follow a few easy steps.
- get your own USB flash drive
- plug it in wherever you can (preferably use public stations)
- repeat the previous point (2.) as often as possible and wait until your older sister is “born”
- finally – plug your flash drive into your PC/laptop
What will happen next?
Don’t worry, this article is not about baseball, something which I find boring (well, reading sporadic gossip from the Virus Lab might be boring as well). We are talking about “unwise” people here. Frankly, I would like to use a harsher adjective (unwise is a real euphemism), but it’s up to you to give them a proper name. So, let me show you the chain of events that resulted in these strikes — and let you make your own decision.