Some of you may think that Friday (especially the afternoon) is an informal prequel to the weekend relaxation. As such, it should be devoted to putting legs high up on the desk and drinking long drinks from a glass with a little umbrella. You know, no one wants to make some last-minute embroilment. But unfortunately, malware seems to never sleep. Due to that, Friday can provide us with interesting revelations.
Part one - there's a new version of Morphex
Friday's log of reported false positives contained this record:
The path is not typical for Morphex (it's usually located under names similar to c:\older\sister.exe as I mentioned in previous articles), but all other characteristics match. It's a BFFclient 1.11b (a toolkit for building autorun worms with botnet functionality) packed with Morphex and it's certainly pretty fresh. In a VirusTotal table, a public service for the security community that shows comparative detections, it was only detected by one out of every five of the 40+ AV products:
What does it modify on your system? It's a well known story: inject svchost.exe -> turn autorun functionality on -> drop own autorun.inf and payload to all disk drives (especially removable ones to successfully spread itself) -> poison the registry with own references (SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman) -> go home and report a new victim. Definitely, something you don't want to have and hold.
Part two - Ramnit strikes again
Who says you can't teach an old dog new tricks? Ramnit authors have recently tried new ideas to hide their malicious activities and it partially works. One sample appeared today in our FP report, but it was not detected as Win32:Ramnit nor Win32:MalOb-FE, the usual detections:
Fortunately MalOb-FE is not the only MalOb in the universe :-). The detection coverage here is proportional to the freshness of the sample, just like the first example shown above. Here the detection rate dropped to 14% between other AV products:
What's the behavior of this sample? It drops a really evil binary, that's responsible for installation of a rootkit, communication library rmnsoft.dll and infecting many executable files on your system. It also sends and receives lots of data, thus your computer might get seriously compromised. Detection of this evil binary is a bit better at 46% , but it's still nothing to celebrate:
Two interesting discoveries, don't you think? Who said that Friday is the least productive day of week? :-)