c_285tz.nls

holifay · **Inviato:** lun 10 lug, 2006 12:59 pm

File inviato in data 10/07/2006

Viene richiamato dalla APPInit_DLLs, nascosto negli Alternate Data Streams di C:/windows/system32.

Una volta caricato:
- nasconde se stesso alle API di Windows
- nasconde l´oggetto della chiave APPInit_DLLs
- nasconde i seguenti file (nomi random) in C:/windows:

Cita:

C:/WINDOWS/watca1.upd
C:/WINDOWS/watca1.dll

Riferimenti: http://www.suspectfile.com/forum/viewtopic.php?t=129

E´ collegato all´adware LINKOPTIMIZER.

Dimensioni: 141551 bytes
MD5: 87dc76545f4864bf0ee3f251f73e50b5
SHA1: e98c1617ec003f7db52366c12309b050e55eabb

In data odierna è riconosciuto dai seguenti programmi:

Cita:

//////////////// -----------> (AntiVir)
//////////////// -----------> (Authentium)
//////////////// -----------> (Avast)
//////////////// -----------> (AVG)
//////////////// -----------> (BitDefender)
//////////////// -----------> (CAT-QuickHeal)
//////////////// -----------> (ClamAV)
//////////////// -----------> (DrWeb)
//////////////// -----------> (eTrust-InoculateIT)
//////////////// -----------> (eTrust-Vet)
//////////////// -----------> (Ewido)
//////////////// -----------> (Fortinet)
//////////////// -----------> (F-Prot)
//////////////// -----------> (F-Prot4)
//////////////// -----------> (Ikarus)
//////////////// -----------> (Kaspersky)
//////////////// -----------> (McAfee)
//////////////// -----------> (Microsoft)
//////////////// -----------> (NOD32v2)
//////////////// -----------> (Norman)
//////////////// -----------> (Panda)
//////////////// -----------> (Sophos)
//////////////// -----------> (Symantec)
//////////////// -----------> (TheHacker)
//////////////// -----------> (UNA)
//////////////// -----------> (VirusBuster)
suspected of Malware.Agent.16 -----------> (VBA32)

holifay · **Inviato:** mar 11 lug, 2006 10:14 am

La risposta di CA

Cita:

The Windows PE (I386,DLL) file c_285tz.nls has been determined to be malicious. This file appears to be a malware component. A malware
component is a file that may be used by particular malware, but cannot
behave maliciously by itself.

CA antivirus products address this malware as follows:
------------------------------------------------------
eTrust Antivirus 6.x/v7 (Vet Engine and InoculateIT Engine)
Detection is currently unavailable for this file as it has been
determined to be unable to behave maliciously by itself. We will
inform you by email should we decide to update signatures for this
file.

Ulteriore risposta di CA (12 luglio)

Cita:

This is to notify you of the results of your submission, issue number
772876. Please keep this issue number for future reference.

With regards to the file c_285tz.nls submitted by you on 11 Jul
01:22:15 (Australian Eastern Standard Time), we have added detection
for Win32/SillyDL.4jma!DLL!Trojan to the signature files for the
InoculateIT engine.

The Windows PE (I386,DLL) file c_285tz.nls has been determined to be
malicious. This file appears to be a malware component. A malware
component is a file that may be used by particular malware, but cannot
behave maliciously by itself.

CA antivirus products address this malware as follows:
------------------------------------------------------
eTrust Antivirus 6.x/v7 (Vet Engine)
Detection is currently unavailable for this file as it has been
determined to be unable to behave maliciously by itself. We will
inform you by email should we decide to update signatures for this
file.

eTrust Antivirus 6.x/v7 (InoculateIT Engine)
Engine Update version Last Update
23.72.0 23.72.66 12 Jul
Please check for the latest signature updates.

holifay · **Inviato:** mar 11 lug, 2006 10:19 am

la risposta di Panda

Cita:

Dear customer:

We are enclosing a link to the updated signature file. This file has been created in order to detect and disinfect your malware. We will shortly make available to all our customers the new certified signature file, which will be accessible through the automatic updates.

The file c_285tz.nls belongs to the trojan Trj/Agent.CKH, due to the nature of the file, it can only be deleted.

Best regards,

PandaLabs

Panda Software
Buenos Aires 12
48001 BILBAO - SPAIN

holifay · **Inviato:** mar 11 lug, 2006 11:36 am

La risposta di Kaspersky:

Cita:

Hello
All clean

holifay · **Inviato:** mer 12 lug, 2006 9:21 am

La risposta di Drweb

Cita:

Your request has been analyzed. New virus record has been added.
Trojan.Bong

holifay · **Inviato:** mer 12 lug, 2006 10:23 am

La risposta di McAfee

Cita:

AVERT Labs - Beaverton
Analysis ID: 2444684
Identified: Generic.f

Thank you for your submission. Attached is a file for extra detection, which will be included in a future
DAT set. We have detected a virus or trojan that can only be detected and removed. The file received contains a new virus or trojan

holifay · **Inviato:** mer 12 lug, 2006 11:15 am

La risposta di AVIRA

Cita:

Dear Sir or Madam,

Thank you for your recent inquiry. We found a new virus in the attachment you have sent us. The signature will be integrated in one of our next updates.
The signature of the virus will be detected as TR/Agent.CKH.

We thank you for your assistance.
--
Freundliche Gruesse / Best regards
Avira GmbH

holifay · **Inviato:** ven 14 lug, 2006 11:57 am

La risposta di Symantec

Cita:

c_285tz.nls
This sample has been analyzed by a variety of automated means and was
not immediately identified as malicious. This file may be passed to an
engineer for further inspection. Thank you for your submission.

c_285tz.nls

Chi c’è in linea