Monday, March 16, 2009

KGB File Compressor - MALWARE

"KGBCompresor - 1GB into 10MB + Hacked Firefox-30% speed more" .... yea, it's malware

DO NOT DOWNLOAD
_http://darapid.com/downloadx/kgbcompresor-1gb-into-10mb-hacked-firefox-30-speed-more.html
DO NOT DOWNLOAD

I hate these fake free tools you can download on the 'net. The latest I've come across is the KGB Compressor tool, which touts that it can squeeze 1 GB into a 10 MB pack... right. The crazy part is that when you download it there are 2 MP3s in the bunch; I can only imagine what those are trojaned with...

Passing the binary through VirusTotal nets the following results:

File kgb_archiver_.rar received on 03.16.2009 06:07:40 (CET)

Antivirus         | Version        | Last Update | Result
a-squared         | 4.0.0.101      | 2009.03.16  | -
AhnLab-V3         | 5.0.0.2        | 2009.03.16  | -
AntiVir           | 7.9.0.114      | 2009.03.15  | -
Authentium        | 5.1.0.4        | 2009.03.15  | -
Avast             | 4.8.1335.0     | 2009.03.16  | -
AVG               | 8.0.0.237      | 2009.03.15  | -
BitDefender       | 7.2            | 2009.03.16  | -
CAT-QuickHeal     | 10.00          | 2009.03.16  | -
ClamAV            | 0.94.1         | 2009.03.16  | -
Comodo            | 1057           | 2009.03.15  | -
DrWeb             | 4.44.0.09170   | 2009.03.16  | -
eSafe             | 7.0.17.0       | 2009.03.15  | Win32.Constructor.sl
eTrust-Vet        | 31.6.6388      | 2009.03.09  | -
F-Prot            | 4.4.4.56       | 2009.03.15  | -
F-Secure          | 8.0.14470.0    | 2009.03.16  | -
Fortinet          | 3.117.0.0      | 2009.03.16  | -
GData             | 19             | 2009.03.16  | -
Ikarus            | T3.1.1.45.0    | 2009.03.16  | -
K7AntiVirus       | 7.10.671       | 2009.03.14  | Constructor.Win32.SlhBack
Kaspersky         | 7.0.0.125      | 2009.03.16  | -
McAfee            | 5554           | 2009.03.15  | -
McAfee+Artemis    | 5554           | 2009.03.15  | -
McAfee-GW-Edition | 6.7.6          | 2009.03.16  | -
Microsoft         | 1.4405         | 2009.03.15  | -
NOD32             | 3937           | 2009.03.15  | -
Norman            | 6.00.06        | 2009.03.13  | -
nProtect          | 2009.1.8.0     | 2009.03.16  | -
Panda             | 10.0.0.10      | 2009.03.15  | -
PCTools           | 4.4.2.0        | 2009.03.15  | -
Prevx1            | V2             | 2009.03.16  | -
Rising            | 21.21.00.00    | 2009.03.16  | -
Sophos            | 4.39.0         | 2009.03.16  | -
Sunbelt           | 3.2.1858.2     | 2009.03.15  | -
Symantec          | 1.4.4.12       | 2009.03.16  | -
TheHacker         | 6.3.3.0.282    | 2009.03.16  | -
TrendMicro        | 8.700.0.1004   | 2009.03.16  | -
VBA32             | 3.12.10.1      | 2009.03.15  | -
ViRobot           | 2009.3.16.1649 | 2009.03.16  | -
VirusBuster       | 4.6.5.0        | 2009.03.15  | -
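As an added example (not from the post), here is a small Python parser for VirusTotal rows copied out as plain text, the form in which engine, version, update date and result all run together on one line. It locates each row's date from the left with a non-greedy match (the first `YYYY.MM.DD` run is always the update date, since engine versions never contain two-digit month and day fields in that shape), keeps the engine+version label whole because the flattened export leaves no reliable boundary between the two, and summarises which engines flagged the sample. The embedded rows are the ones from the scan above; everything else is this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Rows as they come out of a plain-text copy of the VirusTotal report for
# kgb_archiver_.rar on 2009-03-16 (values taken from the post above).
SAMPLE_ROWS = """AntivirusVersionLast UpdateResult
a-squared4.0.0.1012009.03.16-
AhnLab-V35.0.0.22009.03.16-
AntiVir7.9.0.1142009.03.15-
Authentium5.1.0.42009.03.15-
Avast4.8.1335.02009.03.16-
AVG8.0.0.2372009.03.15-
BitDefender7.22009.03.16-
CAT-QuickHeal10.002009.03.16-
ClamAV0.94.12009.03.16-
Comodo10572009.03.15-
DrWeb4.44.0.091702009.03.16-
eSafe7.0.17.02009.03.15Win32.Constructor.sl
eTrust-Vet31.6.63882009.03.09-
F-Prot4.4.4.562009.03.15-
F-Secure8.0.14470.02009.03.16-
Fortinet3.117.0.02009.03.16-
GData192009.03.16-
IkarusT3.1.1.45.02009.03.16-
K7AntiVirus7.10.6712009.03.14Constructor.Win32.SlhBack
Kaspersky7.0.0.1252009.03.16-
McAfee55542009.03.15-
McAfee+Artemis55542009.03.15-
McAfee-GW-Edition6.7.62009.03.16-
Microsoft1.44052009.03.15-
NOD3239372009.03.15-
Norman6.00.062009.03.13-
nProtect2009.1.8.02009.03.16-
Panda10.0.0.102009.03.15-
PCTools4.4.2.02009.03.15-
Prevx1V22009.03.16-
Rising21.21.00.002009.03.16-
Sophos4.39.02009.03.16-
Sunbelt3.2.1858.22009.03.15-
Symantec1.4.4.122009.03.16-
TheHacker6.3.3.0.2822009.03.16-
TrendMicro8.700.0.10042009.03.16-
VBA323.12.10.12009.03.15-
ViRobot2009.3.16.16492009.03.16-
VirusBuster4.6.5.02009.03.15-
"""

# Non-greedy label, then the first YYYY.MM.DD run, then whatever is left.
ROW_RE = re.compile(r"^(?P<label>.*?)(?P<date>\d{4}\.\d{2}\.\d{2})(?P<result>.*)$")


@dataclass
class ScanRow:
    label: str   # engine name and version, left joined as in the export
    date: str    # signature update date
    result: str  # "-" means the engine reported nothing

    @property
    def detected(self) -> bool:
        return self.result not in ("", "-")


def parse_rows(text: str) -> List[ScanRow]:
    """Parse flattened VirusTotal rows; skips the header and blank lines."""
    rows: List[ScanRow] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Antivirus") or line.startswith("File "):
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparseable row: {line!r}")
        rows.append(ScanRow(m["label"], m["date"], m["result"]))
    return rows


def detections(rows: List[ScanRow]) -> List[ScanRow]:
    return [r for r in rows if r.detected]


def detection_ratio(rows: List[ScanRow]) -> Tuple[int, int]:
    return len(detections(rows)), len(rows)


def summary(rows: List[ScanRow]) -> str:
    hits, total = detection_ratio(rows)
    lines = [f"{hits}/{total} engines flagged the sample"]
    for r in detections(rows):
        lines.append(f"  {r.label} (sigs {r.date}): {r.result}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summary(parse_rows(SAMPLE_ROWS)))
```

Two out of 39 is a weak signal on its own, and both names here are generic ("Constructor" families are builder/packer heuristics rather than a specific trojan), which is why the post goes on to a second scanner and a sandbox run rather than stopping at the ratio.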

Spread the word... another FAKE utility out there...

3/16/09 @12:41pm CDT -- UPDATE
VirScan.org Results
Scanned the file with VirScan.org (per @mubix's recommendation)... found NOTHING.
http://virscan.org/report/53e7315a0b1661a97922f7e3eb9b6622.html

CWSandbox Analysis
Nothing obvious jumps out at me... interesting.
http://www.cwsandbox.org/?page=report&analysisid=1237679&password=jbmpa

2 comments:

Mubix said...

I've stopped believing in VirusTotal.com after not one picked up a non-encoded meterpreter reverse payload. Try Virscan.org as well as VT and compare. I'm also interested in the results of those MP3s.

Check out CWSandbox as well.

Mubix said...

On the CWSandbox reading, check out the new files it created, particularly "shfoldr.dll". Googling for that DLL leads to some interesting results. I would be interested in the contents of that file. Have you tried unpacking the setup file with something like Universal Extractor in a VM? You could probably pull just that DLL out and see if it pops.
