Sonikku7 Posted July 12, 2010
http://wadhost.fathax.com/files/stctfmp.zip seems to be carrying some packed/crypted form of malware. It has an extension of .wad.exe and the file size is totally wrong, as the real stctfmp has a file size of 2.95 MB. I emailed the admin of the site, but I'm just posting here as a heads-up, just in case.
GreyGhost Posted July 12, 2010
Scan results are inconclusive, with only three scanners pegging it as malware, and they can't agree on its name. I'm surprised it's gone unnoticed for almost a year.

VirSCAN.org Scanned Report
Scanned time: 2010/07/12 20:07:15 (EST)
Scanner results: 8% Scanner(s) (3/36) found malware!
File Name: stctfmp.wad.exe
File Size: 32768 byte
File Type: PE32 executable for MS Windows (console) Intel 80386 32-bit
MD5: 572e43d842115c75f43add4d12c37dcc
SHA1: 4c3f88704d6b163539b568e6b6a484562653f53c
Online report: http://virscan.org/report/eaaefa191c48d00e5372c4443b857682.html

Scanner      | Engine Ver       | Sig Ver           | Sig Date   | Time  | Scan result
a-squared    | 5.0.0.13         | 20100710031939    | 2010-07-10 | 5.23  | -
AhnLab V3    | 2010.07.10.00    | 2010.07.10        | 2010-07-10 | 1.61  | Dropper/Xema.22528.AK
AntiVir      | 8.2.4.10         | 7.10.9.57         | 2010-07-11 | 0.27  | TR/Crypt.CFI.Gen
Antiy        | 2.0.18           | 20100704.4829244  | 2010-07-04 | 0.02  | -
Arcavir      | 2009             | 201006281601      | 2010-06-28 | 0.00  | -
Authentium   | 5.1.1            | 201007111701      | 2010-07-11 | 1.78  | -
AVAST!       | 4.7.4            | 100711-1          | 2010-07-11 | 0.01  | -
AVG          | 8.5.793          | 271.1.1/2997      | 2010-07-12 | 0.96  | -
BitDefender  | 7.90123.6493190  | 7.32754           | 2010-07-12 | 4.01  | Gen:Trojan.Heur.cmGfrnPMdWha1
ClamAV       | 0.96.1           | 11327             | 2010-07-06 | 0.00  | -
Comodo       | 4.0              | 5399              | 2010-07-12 | 1.57  | -
CP Secure    | 1.3.0.5          | 2010.07.12        | 2010-07-12 | 0.05  | -
Dr.Web       | 5.0.2.3300       | 2010.07.12        | 2010-07-12 | 9.18  | -
F-Prot       | 4.4.4.56         | 20100711          | 2010-07-11 | 1.85  | -
F-Secure     | 7.02.73807       | 2010.07.12.02     | 2010-07-12 | 0.62  | -
Fortinet     | 4.1.143          | 12.145            | 2010-07-11 | 0.23  | -
GData        | 21.500/21.183    | 20100712          | 2010-07-12 | 7.60  | -
ViRobot      | 20100710         | 2010.07.10        | 2010-07-10 | 0.38  | -
Ikarus       | T3.1.01.84       | 2010.07.12.76243  | 2010-07-12 | 7.12  | -
JiangMin     | 13.0.900         | 2010.07.12        | 2010-07-12 | 1.36  | -
Kaspersky    | 5.5.10           | 2010.07.11        | 2010-07-11 | 0.19  | -
KingSoft     | 2009.2.5.15      | 2010.7.12.16      | 2010-07-12 | 0.81  | -
McAfee       | 5400.1158        | 6040              | 2010-07-11 | 18.56 | -
Microsoft    | 1.5902           | 2010.07.12        | 2010-07-12 | 7.34  | -
Norman       | 6.05.11          | 6.05.00           | 2010-07-11 | 6.01  | -
Panda        | 9.05.01          | 2010.07.11        | 2010-07-11 | 2.57  | -
Trend Micro  | 9.120-1004       | 7.302.04          | 2010-07-12 | 0.21  | -
Quick Heal   | 11.00            | 2010.07.12        | 2010-07-12 | 2.13  | -
Rising       | 20.0             | 22.56.00.03       | 2010-07-12 | 1.66  | -
Sophos       | 3.09.0           | 4.55              | 2010-07-12 | 3.89  | -
Sunbelt      | 3.9.2428.2       | 6566              | 2010-07-09 | 1.18  | -
Symantec     | 1.3.0.24         | 20100711.002      | 2010-07-11 | 0.50  | -
nProtect     | 20100711.01      | 9040494           | 2010-07-11 | 10.11 | -
The Hacker   | 6.5.2.1          | v00312            | 2010-07-11 | 0.34  | -
VBA32        | 3.12.12.6        | 20100710.2122     | 2010-07-10 | 2.83  | -
VirusBuster  | 4.5.11.10        | 10.127.1/2023590  | 2010-07-12 | 2.42  | -
The Ultimate DooMer Posted July 12, 2010
Well, stctfmp is a virus because it infected everyone at ZDaemon, spread from there and infected everyone at Skulltag too :P
Spleen Posted July 12, 2010
What is an .exe doing on wadhost in the first place?
boris Posted July 12, 2010
The Ultimate DooMer said: Well, stctfmp is a virus because it infected everyone at ZDaemon, spread from there and infected everyone at Skulltag too :P
Natural selection, huh?
Sonikku7 Posted July 12, 2010
GreyGhost said: Scan results are inconclusive with only three scanners pegging it as malware and they can't agree on its name. I'm surprised it's gone unnoticed for almost a year.
Inconclusive results don't mean anything. I can take the most common of malware and make it fully undetectable under the right circumstances. I once submitted a pretty nasty rootkit/adware combo on VirusTotal and only one AV detected it. Also, many in-the-wild nasties can be unknown for months.
Sonikku7 Posted July 12, 2010
Update: The archive in question has been deleted.
EarthQuake Posted July 12, 2010
Spleen said: What is an .exe doing on wadhost in the first place?
Because the site only checks to make sure uploaded files are in .zip format. It doesn't check the contents. Thanks for pointing all this out, Sonikku7. I informed the ZDaemon community to be on the watch a bit for any more suspicious files, since we use wadhost.fathax.com quite a bit.
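As an added example (not code from wadhost or from anyone in this thread), here is the kind of content check EarthQuake describes as missing: it opens the uploaded zip and rejects members whose final extension is not on an allowlist, whose bytes begin with a PE header, or whose .wad member lacks a WAD header, so a stctfmp.wad.exe inside a .zip would not pass. The allowlist and the WAD magic check are assumptions for the example, not wadhost's actual policy.

```python
import io
import os
import zipfile

# Allowlist of member extensions for a Doom WAD host (assumed for this example).
ALLOWED_EXTENSIONS = {".wad", ".pk3", ".deh", ".bex", ".txt"}
PE_MAGIC = b"MZ"                      # DOS/PE executables start with these bytes
WAD_MAGICS = (b"IWAD", b"PWAD")       # every Doom WAD file starts with one of these


def inspect_archive(data: bytes) -> list[str]:
    """Return the reasons an uploaded zip should be rejected (empty list = accept).

    Unlike an extension-only check on the .zip itself, this looks at each
    member's final extension and its first bytes, so both 'stctfmp.wad.exe'
    and an executable renamed to 'something.wad' are caught.
    """
    problems = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip archive"]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = os.path.splitext(name)[1].lower()   # final extension only
            if ext not in ALLOWED_EXTENSIONS:
                problems.append(f"{name}: extension {ext or '(none)'} not allowed")
            with zf.open(info) as member:
                head = member.read(4)
            if head[:2] == PE_MAGIC:
                problems.append(f"{name}: content is a Windows executable")
            if ext == ".wad" and head not in WAD_MAGICS:
                problems.append(f"{name}: missing IWAD/PWAD header")
    return problems


def build_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {name: content}; constructed sample data for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a PE stub under a double extension, and a minimal PWAD.
    print(inspect_archive(build_zip({"stctfmp.wad.exe": PE_MAGIC + b"\x90" * 64})))
    print(inspect_archive(build_zip({"stctfmp.wad": b"PWAD" + b"\x00" * 12})))
```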
myk Posted July 14, 2010
boris said: Natural selection, huh?
Your comment proves natural selection isn't working very well.
EarthQuake Posted July 23, 2010
Slight bump, but there are further developments on this topic. From the sounds of it, Achtung is implementing a virus scanner, and some additional features, so the repository should be a bit safer to use now. Also added was a way to mark files for removal.