Michal Krejdl

15 September 2010

Accurate file names

It is always nice when we know what a file does, where it comes from, and so on. Most of the time spent on deeper analysis of a file (a sample) goes into uncovering exactly this information. But sometimes we don't have to try at all, because everything is obvious, as in this case:

Sality is a file infector that has been quite "popular" over the last few years, and here it seems to be hosted behind a direct download link. Let's visit the site:

Just one click leads you to the link mentioned in the false-positive (fp) submission. The road to hell is straight and broad :-). What's interesting here is the "nomen omen" of the binary: it is called destroy.exe, as shown above. So there was a hidden warning after all, and next time we should definitely take this attribute into account and skip our own analysis in order to save some time :-D. Do you want to destroy your data? Go ahead and run destroy.exe; that is WYSIWYG as far as I can tell.

Last but not least: how does a cross-section of AV engines deal with this infection? avast! performs far above the industry average when it comes to detecting the downloaded setup file before it is unpacked. Or is it that my perspective is reversed? Maybe the others are just performing below the avast! average. :-)
