Spam Squasher
silverhawk
Posts: 494
Registered: ‎12-15-2008

Re: Norton Retail Submissions Tracker

[ Edited ]

Voyager10 wrote:

222.exe - [TRACKING]: Symantec Security Response Automation: Tracking #13068129

This is an AV-Killer; it also kills NIS2010 in a virtual machine! After running 222.exe, NIS2010 is no longer operational and functional, even after rebooting.

http://www.threatexpert.com/report.aspx?md5=0dce38fa78e20e675d6904b98d0f0b8c

29 Services stopped

Kernel Rootkit

and many other Registry modifications...

http://www.virustotal.com/de/analisis/bf7e703f609a564e20811fc88f41c0af23822eadda608c678724e35a891af2...

Message Edited by Voyager10 on 10-04-2009 04:05 PM

 

Did Norton block it or not? What about the SONAR 2 result? And Download Insight?
Message Edited by silverhawk on 10-04-2009 07:19 AM
Genuine Windows 8 x64 Pro (MSDN); NIS 2013; HP Pavilion G6 with AMD Core 2 Quad A10; 6 GB RAM; 1TB Western Digital HDD, AMD Radeon 2.5 GB Graphics Card
Spam Squasher
silverhawk
Posts: 494
Registered: ‎12-15-2008

Re: Norton Retail Submissions Tracker

5 new threats in this submission; two are now being detected, but 3 remain to be detected.

Tracking #13068533

Genuine Windows 8 x64 Pro (MSDN); NIS 2013; HP Pavilion G6 with AMD Core 2 Quad A10; 6 GB RAM; 1TB Western Digital HDD, AMD Radeon 2.5 GB Graphics Card
Keylogger Crusher
Voyager10
Posts: 434
Registered: ‎05-03-2008

Re: Norton Retail Submissions Tracker

Norton does not detect 222.exe at this time; I do not know if Sonar2 detects this... After starting 222.exe, NIS2010 is terminated immediately and is out of service in my virtual machine.

You can see why this happens in the ThreatExpert log:

http://www.threatexpert.com/report.aspx?md5=0dce38fa78e20e675d6904b98d0f0b8c

Insight says reputation unknown.

If this infection technique is widely used in the future, NIS2010 has a serious problem. I hope Symantec also sees that problem; if not, many users will have bad luck...
TomiRed
Posts: 874
Topics: 84
Kudos: 151
Solutions: 26
Registered: ‎06-19-2008

Re: Norton Retail Submissions Tracker


Voyager10 wrote:

222.exe - [TRACKING]: Symantec Security Response Automation: Tracking #13068129

This is an AV-Killer; it also kills NIS2010 in a virtual machine! After running 222.exe, NIS2010 is no longer operational and functional, even after rebooting.

http://www.threatexpert.com/report.aspx?md5=0dce38fa78e20e675d6904b98d0f0b8c

29 Services stopped

Kernel Rootkit

and many other Registry modifications...

http://www.virustotal.com/de/analisis/bf7e703f609a564e20811fc88f41c0af23822eadda608c678724e35a891af2...

Message Edited by Voyager10 on 10-04-2009 04:05 PM

So, Microsoft Security Essentials detects this, NIS 2010 gets killed by it. I guess this is what this blog post is all about.

 

Windows 7 Ultimate x64 SP1 -- NIS 2012>2013
Keylogger Crusher
Voyager10
Posts: 434
Registered: ‎05-03-2008

Re: Norton Retail Submissions Tracker

[ Edited ]

I have now tested this file 222.exe again and again with a freshly started virtual machine; every time now the file was detected and deleted by Sonar2. Right now I cannot say why the file failed the "first test" and was able to infect the VM.

I can no longer reproduce this infection; the VM and the NIS settings are unchanged.

My presumption is that Quorum may recognize this file or action and notify Sonar2 of it?

But NIS2009 is still unprotected.
Message Edited by Voyager10 on 10-04-2009 05:49 PM
Super Spyware Scolder
SaLaDiN
Posts: 139
Registered: ‎05-31-2008

Re: Norton Retail Submissions Tracker

Some new rogue program

Tracking #13071381

VirusTotal scan

I found it through this YouTube video

TomiRed
Posts: 874
Topics: 84
Kudos: 151
Solutions: 26
Registered: ‎06-19-2008

Re: Norton Retail Submissions Tracker

[ Edited ]

SaLaDiN wrote:

Some new rogue program

Tracking #13071381

VirusTotal scan

I found it through this YouTube video


I sent a file with the same filename yesterday; I guess all it takes is to repack and rehash it and it falls under the radar again.

 

Tracking #13009156

We have analyzed your submission.  The following is a report of our findings for each file you have submitted:

filename:  Soft_71.exe

machine: Machine

result: This file is detected as Trojan Horse. http://www.symantec.com/avcenter/venc/data/trojan.horse.html

 

Customer notes:

Fake AV installer from hXXp://pc-scanner16.com/

 
Unfortunately, Safe Web fails here totally; the crawler has been over both pages and has found nothing suspicious.

 

<<Edit: Active link to Website that contains malicious files is disabled>>

Message Edited by TomV on 10-07-2009 02:59 AM
Windows 7 Ultimate x64 SP1 -- NIS 2012>2013
Super Spyware Scolder
SaLaDiN
Posts: 139
Registered: ‎05-31-2008

Re: Norton Retail Submissions Tracker

Yeah, the name of the file is the same, but it was downloaded from this website

 

 

Keylogger Crusher
Voyager10
Posts: 434
Registered: ‎05-03-2008

Re: Norton Retail Submissions Tracker

We look at this risk publication:

http://www.malwarebytes.org/forums/index.php?s=4b05ba661c55b45257141e22661d75dc&showtopic=26997

Yesterday this was detected as Backdoor Trojan:

http://img29.imageshack.us/i/69652290.jpg/

Today there is no detection, and the DLL file and malware URL have a green reputation.

http://img143.imageshack.us/i/74592587.jpg/

My question is: how long does it take for "Safe Web" to blacklist the URL?

It would be nice if someone would respond.

Symantec Employee
chandra
Posts: 57
Registered: ‎06-23-2008

Re: Norton Retail Submissions Tracker

Hi Voyager,

 

One of the main sources of malicious URLs for Norton Safe Web is the Norton Community Watch feature. Typically, the URLs received from Norton Community Watch are analyzed and rated within an hour.

In this case, the Norton Safe Web analysis system was not able to detect the malicious behavior on the pc-scanner16 site. We are investigating why it was not detected and what we can do to address this gap.

 

Meanwhile, the website pc-scanner16 is down now. As we are not able to confirm the malicious behavior, we have changed the Norton Safe Web rating to grey.

 

regards

chandra