Hi Al,

thank you for your reply, there it is.

https://www.virustotal.com/#/file/5005acda657bc9b612ce4b7a2369856c737f39855d4923c03289915acdc17075/detection

and another sample (looking at it in IDA, it seems that it adds random
garbage at the end)

https://www.virustotal.com/#/file/2fbfb38768270ccaf041b2a6152f11f2696cd467642fed9f2c4a97f30906baf1/detection

It’s some variant of the usual stuff that infects USB keys, of the “move
everything under an invisible directory and add a link to it that starts
the virus” variety.

The .lnk points to

c:\Windows\system32 cmd.exe /c start rundll32 (invisible directory
name)\ebdbaaedddeeadfbcccfdcacfddcccddbaecbda.ebdbaaedddeeadfbcccfdcacfddcccddbaecbda,NEdcBKdCBWDCwvWb!%SystemRoot%\system32\SHELL32.dll

(where
ebdbaaedddeeadfbcccfdcacfddcccddbaecbda.ebdbaaedddeeadfbcccfdcacfddcccddbaecbda
is the particular name the virus dll got renamed to in this instance,
and NEdcBKdCBWDCwvWb its rundll-conforming entrypoint; they both
change at each infection)

This starts the malware itself which infects the machine, and then
starts Windows Explorer on the invisible folder (so the user is shown
his files).

Didn’t really look into what else it does to the machine; surely it gets
infected to spread the virus, as putting another USB key into the
infected machine did infect it as well.

Matteo

On 11/12/2017 10:12, Al Varnell wrote:

> While you are waiting for an answer, upload it to VirusTotal and return here 
> with a link to the analysis
> <https://www.virustotal.com/#/home/upload>, they can pick it up from there if 
> necessary.
>
> -Al-
>
> On Mon, Dec 11, 2017 at 12:48 AM, Matteo Italia wrote:
>> Hello,
>>
>> I'm trying to submit a virus sample through the web interface
>> (https://www.clamav.net/reports/malware), but it keeps getting refused
>> by CloudFlare. I tried several variations of the message text, putting
>> the virus sample in various archives (not archived, .tar.gz, .7z with
>> password), but CloudFlare keeps telling me I'm blocked. What should I do?
>>
>> Matteo
>>
>>
>> _______________________________________________
>> clamav-users mailing list
>> clamav-users@lists.clamav.net
>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>>
>>
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>>
>> http://www.clamav.net/contact.html#ml

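A defender-side check for the launcher pattern Matteo describes (a .lnk whose target runs cmd /c start rundll32 on a renamed DLL in a hidden directory), written as an added example and not code from the thread or from ClamAV: a minimal parser for the StringData section of a Windows shell link (the 76-byte MS-SHLLINK header, the optional size-prefixed LinkTargetIDList and LinkInfo blocks, then the flag-gated, count-prefixed strings) plus a heuristic that flags a link chaining cmd /c start into rundll32 with a module that does not end in .dll. The link bytes, directory name, module name and entry-point name below are constructed for the example; the real sample's names are not reused.

```python
import re
import struct

# MS-SHLLINK constants (from the public ShellLink file format specification)
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in this fixed order, each only if its flag is set.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a .lnk as a dict (only those the flags mark present)."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    if struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link (bad HeaderSize or CLSID)")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    # Optional LinkTargetIDList: u16 size that does not count the size field itself.
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    # Optional LinkInfo: u32 size that includes the size field.
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # character count, not bytes
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[key] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


# Module passed to rundll32: everything after "rundll32" up to the comma that precedes the entry point.
RUNDLL_MODULE = re.compile(r"rundll32(?:\.exe)?\s+\"?([^,\"\s]+)", re.I)
CMD_START = re.compile(r"\bcmd(?:\.exe)?\b.*\bstart\b", re.I)


def assess_lnk(data: bytes) -> list:
    """Reasons the link looks like a USB-worm launcher; an empty list means nothing matched."""
    fields = parse_lnk_strings(data)
    command = " ".join(fields[k] for k in ("relative_path", "arguments") if fields.get(k))
    reasons = []
    if CMD_START.search(command):
        reasons.append("target chains through cmd /c start to hide the real launcher")
    m = RUNDLL_MODULE.search(command)
    if m and not m.group(1).lower().endswith(".dll"):
        reasons.append(f"rundll32 loads a module without a .dll extension: {m.group(1)}")
    return reasons


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed test input: a minimal Unicode .lnk carrying only RelativePath and Arguments."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 timestamps, FileSize, IconIndex,
    # ShowCommand (1 = SW_SHOWNORMAL), HotKey, Reserved1, Reserved2, Reserved3
    header = struct.pack("<I16sIIQQQIiIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


# Constructed samples: hidden-directory, module and entry-point names are placeholders.
WORM_LNK = build_lnk(
    r"..\..\Windows\system32\cmd.exe",
    r"/c start rundll32 hiddendir_CONSTRUCTED\abcdefabcdef.abcdefabcdef,EntryCONSTRUCTED!%SystemRoot%\system32\SHELL32.dll",
)
BENIGN_LNK = build_lnk(r"..\..\Windows\System32\notepad.exe", "")

if __name__ == "__main__":
    for label, blob in (("worm-style", WORM_LNK), ("benign", BENIGN_LNK)):
        print(label, parse_lnk_strings(blob), assess_lnk(blob) or "no findings")
```

On a real removable drive one would feed every *.lnk at the root of the volume through assess_lnk and pair any hit with a check for a hidden or non-printably named directory next to it, which is the other half of the pattern described above; the parser deliberately stops after StringData, since the launcher command lives entirely in RelativePath and Arguments.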
