Took my own advice and had it force re-analyzed at VirusTotal. Kaspersky
picks up the Armadillo packager which was giving OneCare a hiccup when
OneCare was first released, but no detection from Microsoft this go round.
Since there are lots of detections, you could probably let it quarantine
since unless you're using the paid version with autoupdate so you wouldn't
use that executable anyway.
File sbautoupdate.exe received on 06.13.2008 03:26:40 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND
STOPPED
Result: 6/32 (18.75%)
Loading server information...
Your file is queued in position: 1.
Antivirus Version Last Update Result
AhnLab-V3 2008.6.13.0 2008.06.12 -
AntiVir 7.8.0.55 2008.06.12 -
Authentium 5.1.0.4 2008.06.12 -
Avast 4.8.1195.0 2008.06.12 -
AVG 7.5.0.516 2008.06.12 Dropper.Agent.IPC
BitDefender 7.2 2008.06.13 -
CAT-QuickHeal 9.50 2008.06.12 (Suspicious) - DNAScan
ClamAV 0.92.1 2008.06.12 -
DrWeb 4.44.0.09170 2008.06.12 -
eSafe 7.0.15.0 2008.06.12 -
eTrust-Vet 31.6.5870 2008.06.13 -
Ewido 4.0 2008.06.12 -
F-Prot 4.4.4.56 2008.06.12 -
F-Secure 6.70.13260.0 2008.06.12 W32/Malware
Fortinet 3.14.0.0 2008.06.12 -
GData 2.0.7306.1023 2008.06.13 -
Ikarus T3.1.1.26.0 2008.06.13 -
Kaspersky 7.0.0.125 2008.06.13 -
McAfee 5316 2008.06.12 -
Microsoft 1.3604 2008.06.13 -
NOD32v2 3182 2008.06.12 -
Norman 5.80.02 2008.06.12 W32/Malware
Panda 9.0.0.4 2008.06.12 Suspicious file
Prevx1 V2 2008.06.13 -
Rising 20.48.32.00 2008.06.12 -
Sophos 4.30.0 2008.06.13 -
Sunbelt 3.0.1145.1 2008.06.05 -
Symantec 10 2008.06.13 -
TheHacker 6.2.92.346 2008.06.12 -
VBA32 3.12.6.7 2008.06.12 -
VirusBuster 4.3.26:9 2008.06.12 -
Webwasher-Gateway 6.6.2 2008.06.12 Virus.Win32.FileInfector.gen!94
(suspicious)
Additional information
File size: 906792 bytes
MD5...: 5d0e5821eb35cda9c320c1bdf1a4b695
SHA1..: 62b09b3503c05a3cc853bb8bdfcc8292fd200e53
SHA256:
180ece47a119f3dd9f326db499efda2754d8b7dd0a0f6d2e39056f1279f2e9b3
SHA512:
3fc276cabf3423c18597d17eac56caff91997265228fa5911e23568de0646a02
bf87d9cbeb80ce97f0279a83497faf41a3adf7e9c647cfdff9440c94b84a3aa1
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x4b22a2
timedatestamp.....: 0x484f34cd (Wed Jun 11 02:13:33 2008)
machinetype.......: 0x14c (I386)
( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x73d9c 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.data 0x75000 0x47a4 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.text1 0x7a000 0x50000 0x42000 6.43 5f5d36467069a9dfd292a8ad02089509
.adata 0xca000 0x10000 0xd000 0.00 938d6d97628275a512e07c66be5ccecf
.data1 0xda000 0x20000 0xb000 3.74 29c52db44c2d4ccc06650ba03bf8f3cf
.pdata 0xfa000 0x80000 0x7a000 7.99 2e99ba169be4ee78b8a03d3fe4170575
.rsrc 0x17a000 0x7000 0x7000 4.99 f3eb782f672007721aa8ebf9145802fa
( 3 imports )
KERNEL32.dll: CreateThread, GlobalUnlock, GlobalLock, GlobalAlloc,
GetTickCount, WideCharToMultiByte, IsBadReadPtr, GlobalAddAtomA,
GlobalAddAtomW, GetModuleHandleA, GlobalFree, GlobalGetAtomNameA,
GlobalDeleteAtom, GlobalGetAtomNameW, FreeConsole, GetEnvironmentVariableA,
VirtualProtect, VirtualAlloc, GetProcAddress, GetLastError, LoadLibraryA,
SetLastError, SetThreadPriority, GetCurrentThread, CreateProcessA,
GetCommandLineA, GetStartupInfoA, SetEnvironmentVariableA, ReleaseMutex,
WaitForSingleObject, CreateMutexA, OpenMutexA, GetCurrentThreadId,
CreateFileA, FindClose, FindFirstFileA, FindFirstFileW, VirtualQueryEx,
GetExitCodeProcess, ReadProcessMemory, UnmapViewOfFile, ContinueDebugEvent,
SetThreadContext, GetThreadContext, WaitForDebugEvent, SuspendThread,
DebugActiveProcess, ResumeThread, CreateProcessW, GetCommandLineW,
GetStartupInfoW, CloseHandle, DuplicateHandle, GetCurrentProcess,
CreateFileMappingA, VirtualProtectEx, WriteProcessMemory, ExitProcess,
FlushFileBuffers, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA,
SetStdHandle, GetConsoleMode, GetConsoleCP, SetFilePointer, GetLocaleInfoA,
GetStringTypeW, GetStringTypeA, LCMapStringW, MultiByteToWideChar,
LCMapStringA, HeapSize, HeapReAlloc, QueryPerformanceCounter, VirtualFree,
HeapCreate, HeapDestroy, GetFileType, SetHandleCount,
GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings,
FreeEnvironmentStringsA, RtlUnwind, DeleteCriticalSection, GetStdHandle,
WriteFile, TlsFree, TlsSetValue, TlsAlloc, TlsGetValue, Sleep,
EnterCriticalSection, LeaveCriticalSection, GetVersionExA,
InitializeCriticalSection, GetCurrentProcessId, GetModuleFileNameW,
GetShortPathNameW, GetModuleFileNameA, MapViewOfFile, GetShortPathNameA,
GetSystemTimeAsFileTime, HeapFree, HeapAlloc, GetProcessHeap,
RaiseException, TerminateProcess, UnhandledExceptionFilter,
SetUnhandledExceptionFilter, IsDebuggerPresent, GetCPInfo,
InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP,
IsValidCodePage
USER32.dll: GetDesktopWindow, MoveWindow, SetPropA,
EnumThreadWindows, GetPropA, GetMessageA, GetSystemMetrics, SetTimer,
GetAsyncKeyState, KillTimer, BeginPaint, EndPaint, SetWindowTextA,
GetDlgItem, CreateDialogIndirectParamA, ShowWindow, UpdateWindow,
LoadStringA, LoadStringW, FindWindowA, WaitForInputIdle, MessageBoxA,
InSendMessage, UnpackDDElParam, FreeDDElParam, DefWindowProcA, LoadCursorA,
RegisterClassW, CreateWindowExW, RegisterClassA, CreateWindowExA,
GetWindowThreadProcessId, SendMessageW, SendMessageA, PeekMessageA,
TranslateMessage, DispatchMessageA, EnumWindows, IsWindowUnicode,
PackDDElParam, PostMessageW, PostMessageA, IsWindow, DestroyWindow
GDI32.dll: CreateDCA, CreateDIBitmap, CreateCompatibleDC,
SelectObject, SelectPalette, RealizePalette, BitBlt, DeleteDC,
DeleteObject, CreatePalette
( 0 exports )
Norman Sandbox: [ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: (e-mail address removed) -
REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* File length: 906792 bytes.
[ Process/window information ]
* Creates process \"sample.exe\".
* Reads memory in process sample.exe.
* Modifies memory in process sample.exe.
* Modifies startup code of process sample.exe.
packers (Kaspersky): Armadillo
)