Sonikku7

Malware on wadhost?


http://wadhost.fathax.com/files/stctfmp.zip seems to be carrying some packed/crypted form of malware. It has an extension of .wad.exe and the file size is totally wrong as the real stctfmp has a file size of 2.95 MB. I emailed the admin of the site, but I'm just posting here as a heads-up, just in case.


Scan results are inconclusive with only three scanners pegging it as malware and they can't agree on its name. I'm surprised it's gone unnoticed for almost a year.

VirSCAN.org Scanned Report :
Scanned time   : 2010/07/12 20:07:15 (EST)
Scanner results: 8% Scanner(s) (3/36) found malware!
File Name      : stctfmp.wad.exe
File Size      : 32768 byte
File Type      : PE32 executable for MS Windows (console) Intel 80386 32-bit
MD5            : 572e43d842115c75f43add4d12c37dcc
SHA1           : 4c3f88704d6b163539b568e6b6a484562653f53c
Online report  : http://virscan.org/report/eaaefa191c48d00e5372c4443b857682.html

Scanner        Engine Ver      Sig Ver           Sig Date    Time   Scan result
a-squared      5.0.0.13        20100710031939    2010-07-10  5.23   -
AhnLab V3      2010.07.10.00   2010.07.10        2010-07-10  1.61   Dropper/Xema.22528.AK
AntiVir        8.2.4.10        7.10.9.57         2010-07-11  0.27   TR/Crypt.CFI.Gen
Antiy          2.0.18          20100704.4829244  2010-07-04  0.02   -
Arcavir        2009            201006281601      2010-06-28  0.00   -
Authentium     5.1.1           201007111701      2010-07-11  1.78   -
AVAST!         4.7.4           100711-1          2010-07-11  0.01   -
AVG            8.5.793         271.1.1/2997      2010-07-12  0.96   -
BitDefender    7.90123.6493190 7.32754           2010-07-12  4.01   Gen:Trojan.Heur.cmGfrnPMdWha1
ClamAV         0.96.1          11327             2010-07-06  0.00   -
Comodo         4.0             5399              2010-07-12  1.57   -
CP Secure      1.3.0.5         2010.07.12        2010-07-12  0.05   -
Dr.Web         5.0.2.3300      2010.07.12        2010-07-12  9.18   -
F-Prot         4.4.4.56        20100711          2010-07-11  1.85   -
F-Secure       7.02.73807      2010.07.12.02     2010-07-12  0.62   -
Fortinet       4.1.143         12.145            2010-07-11  0.23   -
GData          21.500/21.183   20100712          2010-07-12  7.60   -
ViRobot        20100710        2010.07.10        2010-07-10  0.38   -
Ikarus         T3.1.01.84      2010.07.12.76243  2010-07-12  7.12   -
JiangMin       13.0.900        2010.07.12        2010-07-12  1.36   -
Kaspersky      5.5.10          2010.07.11        2010-07-11  0.19   -
KingSoft       2009.2.5.15     2010.7.12.16      2010-07-12  0.81   -
McAfee         5400.1158       6040              2010-07-11  18.56  -
Microsoft      1.5902          2010.07.12        2010-07-12  7.34   -
Norman         6.05.11         6.05.00           2010-07-11  6.01   -
Panda          9.05.01         2010.07.11        2010-07-11  2.57   -
Trend Micro    9.120-1004      7.302.04          2010-07-12  0.21   -
Quick Heal     11.00           2010.07.12        2010-07-12  2.13   -
Rising         20.0            22.56.00.03       2010-07-12  1.66   -
Sophos         3.09.0          4.55              2010-07-12  3.89   -
Sunbelt        3.9.2428.2      6566              2010-07-09  1.18   -
Symantec       1.3.0.24        20100711.002      2010-07-11  0.50   -
nProtect       20100711.01     9040494           2010-07-11  10.11  -
The Hacker     6.5.2.1         v00312            2010-07-11  0.34   -
VBA32          3.12.12.6       20100710.2122     2010-07-10  2.83   -
VirusBuster    4.5.11.10       10.127.1/2023590  2010-07-12  2.42   -

The Ultimate DooMer said:

Well, stctfmp is a virus because it infected everyone at ZDaemon, spread from there and infected everyone at Skulltag too :P

Natural selection, huh?

GreyGhost said:

Scan results are inconclusive with only three scanners pegging it as malware and they can't agree on its name. I'm surprised it's gone unnoticed for almost a year.


Inconclusive results don't mean anything. I can take the most common of malware and make it fully undetectable under the right circumstances. I once submitted a pretty nasty rootkit/adware combo on VirusTotal and only one AV detected it. Also, many in-the-wild nasties can be unknown for months.

Spleen said:

What is an .exe doing on wadhost in the first place?


Because the site only checks to make sure uploaded files are in .zip format. It doesn't check the contents. Thanks for pointing all this out, Sonikku7. I informed the ZDaemon community to be on the watch a bit for any more suspicious files, since we use wadhost.fathax.com quite a bit.

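The gap described in the reply above (the host accepts anything in a .zip container and never looks inside) can be closed with a content check at upload time. The following is an added example, not part of the thread and not wadhost's code; the function names, the extension list and the sample archives are assumptions constructed for illustration.

```python
import io
import zipfile

EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".dll")
WAD_MAGICS = (b"IWAD", b"PWAD")   # every Doom WAD starts with one of these


def inspect_upload(data: bytes) -> list[str]:
    """Return findings for an uploaded archive; an empty list means accept."""
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return ["not a zip archive"]
    findings = []
    with zipfile.ZipFile(buf) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            with zf.open(info) as member:
                head = member.read(4)      # magic bytes only, no full extraction
            if name.endswith(EXECUTABLE_EXTS):
                findings.append(f"{info.filename}: executable extension")
            if head[:2] == b"MZ":
                findings.append(f"{info.filename}: DOS/PE executable header")
            if name.endswith(".wad") and head not in WAD_MAGICS:
                findings.append(f"{info.filename}: .wad name without WAD header")
    return findings


def make_zip(members: dict[str, bytes]) -> bytes:
    """Build a small in-memory zip (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: harmless byte strings, only the leading magic matters.
CLEAN = make_zip({"stctfmp.wad": b"PWAD" + bytes(8), "readme.txt": b"notes"})
DISGUISED = make_zip({"stctfmp.wad.exe": b"MZ" + bytes(62)})
RENAMED = make_zip({"stctfmp.wad": b"MZ" + bytes(62)})

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("disguised", DISGUISED), ("renamed", RENAMED)):
        print(label, inspect_upload(blob))
```

Checking the leading bytes as well as the name matters because a file renamed to plain .wad would pass an extension-only filter; neither check replaces a malware scan of accepted files.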

boris said:
Natural selection, huh?

Your comment proves natural selection isn't working very well.


Slight bump, but there are further developments on this topic. From the sounds of it, Achtung is implementing a virus scanner, and some additional features, so the repository should be a bit safer to use now. Also added was a way to mark files for removal.

