NOD, posted July 11, 2017

cmd /c rd /s /q c:\

https://www.virustotal.com/ko/file/8210ff8bf51fa99bf5feac2e5fa5c682b63ba6b963203f39467778beaec12094/analysis/1499762513/

One of the ESET users suffered damage.

Marcos (Administrators), posted July 11, 2017

And why should we detect it? Just for the sake of having detection on an artificial file? What about "format c: /q"? There are many system commands that can be misused and many of them can be used for legitimate purposes. If you know malware of which that batch file is a part, please email it to samples[at]eset.com and we may reconsider detection.

itman, posted July 11, 2017

For the hash given, what VirusTotal is detecting is the malicious .exe version as noted here: https://www.virustotal.com/en/file/8210ff8bf51fa99bf5feac2e5fa5c682b63ba6b963203f39467778beaec12094/analysis/

BTW - Eset does not detect the .exe. Question is if any of the VT vendors listed would have detected the .bat or .cmd script version of the malware.

FYI - I have long ago created a HIPS rule to monitor cmd.exe execution.

Edited July 11, 2017 by itman

NOD (Author), posted July 11, 2017

6 hours ago, itman said:
> For the hash given, what VirusTotal is detecting is the malicious .exe version as noted here: https://www.virustotal.com/en/file/8210ff8bf51fa99bf5feac2e5fa5c682b63ba6b963203f39467778beaec12094/analysis/
> BTW - Eset does not detect the .exe. Question is if any of the VT vendors listed would have detected the script version of the malware.
> FYI - I have long ago created a HIPS rule to monitor cmd.exe execution.

Thank you. I added the HIPS rule right now.

Edited July 11, 2017 by NOD
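
The thread turns on watching what cmd.exe is asked to run rather than detecting a file. As an added example (not from the thread, and not ESET HIPS rule syntax), this Python check classifies process-creation command lines and flags the two commands named above only when they target a drive root, so ordinary cleanup passes; the function names and sample events are constructed for illustration.

```python
import re

# Assumptions: switches are whitespace-separated; quoting and ^-escaping inside
# the command are not interpreted. Sample events below are constructed.
CMD_INNER = re.compile(r'\bcmd(?:\.exe)?"?\s+(?:/\S+\s+)*?/[ck]\s*(.*)$', re.IGNORECASE)
CHAIN = re.compile(r'\s*(?:&&|\|\||&|\|)\s*')          # command separators
RD_ROOT = re.compile(r'^[a-z]:[\\/]$', re.IGNORECASE)   # c:\ or c:/
FORMAT_DRIVE = re.compile(r'^[a-z]:$', re.IGNORECASE)   # c:


def inner_command(cmdline):
    """Return the command text passed to cmd.exe via /c or /k, else None."""
    m = CMD_INNER.search(cmdline)
    return m.group(1).strip().strip('"') if m else None


def classify(cmdline):
    """Return a reason string for a destructive command line, else None."""
    inner = inner_command(cmdline)
    if inner is None:
        return None
    for part in CHAIN.split(inner):
        tokens = part.split()
        verb = tokens[0].lower() if tokens else ''
        switches = {t.lower() for t in tokens[1:] if t.startswith('/')}
        targets = [t.strip('"') for t in tokens[1:] if not t.startswith('/')]
        if verb in ('rd', 'rmdir') and {'/s', '/q'} <= switches \
                and any(RD_ROOT.match(t) for t in targets):
            return 'recursive quiet delete of a drive root'
        if verb == 'format' and any(FORMAT_DRIVE.match(t) for t in targets):
            return 'format of a drive'
    return None


def scan(events):  # (command line, reason) pairs for the flagged events
    return [(e, r) for e in events if (r := classify(e))]


SAMPLE_EVENTS = [  # constructed process-creation command lines
    'cmd /c rd /s /q c:\\',
    'C:\\Windows\\System32\\cmd.exe /c "format c: /q"',
    'cmd.exe /c rd /s /q C:\\Build\\obj',   # ordinary build cleanup
    'cmd /c echo cleanup & RMDIR /Q /S D:\\',
    'cmd /c dir c:\\',
]

if __name__ == '__main__':
    for cmdline, reason in scan(SAMPLE_EVENTS):
        print(f'{reason}: {cmdline}')
```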