Descloix, posted September 26, 2019

Tell me please, when will the file "Documento.exe" be detected as a virus? Kaspersky, Microsoft and McAfee gave a detection a day ago, and many more antiviruses recognized the Trojan in it. This is a real Trojan. ESET is silent when unpacking the file. Norton deletes this file immediately.
Marcos (Administrator), posted September 26, 2019

Blacklisted more than 2 hours before you made the post (4:28 AM); around that time (2:20 AM) the detection was included in a streamed update:

    adelantado.dll - a variant of Win32/Injector.EHZT trojan

Below is the evolution of detection. The start of the X axis is yesterday 20:06 CET, the end is today 5:44. Only the detections at the start and end are known; the evolution in between is not. We can only tell that ESET has protected you since approx. 2:20-2:30 AM, not taking into account features like AMS that might have detected it upon execution. On modern Windows systems (Windows 8.1, Windows 10), thanks to AMSI even users with outdated modules were protected, as you can see in the test below.
Descloix, posted September 26, 2019

Once again. https://imageban.ru/show/2019/09/26/e137d33ae8e08e0aedcb3e5a9327e298/png

Again Microsoft, McAfee, AVG, Avast, Sophos, Fortinet - W32/Generic.AC.4231A6, McAfee - Artemis!BDF54634DDA8, Microsoft - Trojan:Win32/FuerboosC!cl. Shame not to include files with the .exe extension.
Descloix, posted September 26, 2019

adelantado.dll - a variant of Win32/Injector.EHZT trojan was inside the archive along with other files that were in different directories and even in the registry. The virus was in the file "Documento.exe"; it infected memory and changed registry keys, and it was in the directories Roaming, Temp, Windows > Tasks, Roaming > Microsoft > Cripto. That is why it infected the computer's memory and files from various directories.
Marcos (Administrator), posted September 26, 2019

> 34 minutes ago, Descloix said:
> Once again. https://imageban.ru/show/2019/09/26/e137d33ae8e08e0aedcb3e5a9327e298/png
> Again Microsoft, McAfee, AVG, Avast, Sophos, Fortinet - W32/Generic.AC.4231A6, McAfee - Artemis!BDF54634DDA8, Microsoft - Trojan:Win32/FuerboosC!cl. Shame not to include files with the .exe extension.

The file is an activator. It should not be detected as malware but as a hacktool application at most. Those who detect it as malware are wrong. We're not going to detect it for now since we are anti-malware and not anti-cracking software.
Marcos (Administrator), posted September 26, 2019

> 1 hour ago, Descloix said:
> adelantado.dll - a variant of Win32/Injector.EHZT trojan was inside the archive along with other files that were in different directories and even in the registry. The virus was in the file "Documento.exe"; it infected memory and changed registry keys, and it was in the directories Roaming, Temp, Windows > Tasks, Roaming > Microsoft > Cripto. That is why it infected the computer's memory and files from various directories.

As long as the dll was recognized, the whole exe would be detected. Maybe you ran it before the detection was added at ~2:20, maybe you have an older product that doesn't support streamed updates, maybe you had LiveGrid not working... The case and your configuration would need to be investigated in order to tell. What we can say with 100% certainty is that after 2:10-2:30 users with streamed updates and LiveGrid enabled and working were 100% protected. This is how the detection would have looked at that time:

    Log
    Scanned disks, folders and files: C:\test2\documento.exe
    C:\test2\documento.exe - Suspicious Object
    Number of scanned objects: 1
    Number of detections: 1

And here is how ESET reacted with 2-month-old modules. The malware was executed. When the injection itself was performed, the AMSI scanner detected a malicious script:

    Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
    7/28/2019 4:06:06 PM;AMSI scanner;file;script;MSIL/Bladabindi.BC trojan;blocked;DESKTOP-5JIJ6V4\Admin;;AB122C106AC5DFA34C8168069E847F7F6DDDF550;

And the malicious process was terminated. AMSI has been supported since Windows 8.1, so on older systems it's possible that the malware would have run with outdated modules.
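As an added example (not code from the post or from ESET), the following Python parses the semicolon-separated detection-log layout quoted above and pulls out the entries where the AMSI scanner blocked something, the runtime safety net the post says fired even with outdated modules. The first sample row is the line from the post; the second row, its scanner and action names, and its hash are constructed for illustration.

```python
import csv
from collections import Counter
from datetime import datetime
from io import StringIO

# Constructed sample in the layout of the ESET detection log quoted in the post.
# Row 1 is the AMSI line from the post; row 2 is made up, with a placeholder hash.
SAMPLE_LOG = r"""Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
7/28/2019 4:06:06 PM;AMSI scanner;file;script;MSIL/Bladabindi.BC trojan;blocked;DESKTOP-5JIJ6V4\Admin;;AB122C106AC5DFA34C8168069E847F7F6DDDF550;
7/28/2019 4:06:07 PM;Real-time file system protection;file;C:\test2\documento.exe;Suspicious Object;cleaned by deleting;DESKTOP-5JIJ6V4\Admin;;PLACEHOLDER0000000000000000000000000000;
"""


def parse_eset_log(text):
    """Parse the semicolon-separated export into dicts; 'Time' becomes a datetime."""
    records = []
    for row in csv.DictReader(StringIO(text), delimiter=";"):
        row = {k: (v or "") for k, v in row.items()}  # trailing ';' -> empty last field
        # Timestamps in the export use US month/day order and a 12-hour clock.
        row["Time"] = datetime.strptime(row["Time"], "%m/%d/%Y %I:%M:%S %p")
        records.append(row)
    return records


def amsi_blocks(records):
    """Entries where the AMSI scanner blocked a script at execution time."""
    return [r for r in records
            if r["Scanner"] == "AMSI scanner" and r["Action"] == "blocked"]


def detections_by_scanner(records):
    """Count detections per (scanner, action) pair for a quick triage summary."""
    return Counter((r["Scanner"], r["Action"]) for r in records)


if __name__ == "__main__":
    recs = parse_eset_log(SAMPLE_LOG)
    for r in amsi_blocks(recs):
        print(r["Time"].isoformat(), r["Detection"], r["Hash"])
    print(detections_by_scanner(recs))
```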
Descloix, posted September 28, 2019

You should be ashamed. I will send a copy of the black screen, which is asking me to pay for decrypting my computer files, to the ESET office. This happened after launching DOCUMENTO.EXE (documento.exe). This virus completely destroyed all the disks on the computer. All information was encrypted, and for the decryption they asked for 734 dollars. Tomorrow I will remove ESET from my computer and install an antivirus that is looking for something in the files firefox.exe, nightly.exe and the Opera installer. I will put on an antivirus with a powerful cloud service, which will remove any suspicious file or place it in the sandbox. Kaspersky, Norton, Malwarebytes, Zemana.
Descloix, posted September 28, 2019

> On 9/26/2019 at 9:34 AM, Marcos said:
> As long as the dll was recognized, the whole exe would be detected. Maybe you ran it before the detection was added at ~2:20, maybe you have an older product that doesn't support streamed updates, maybe you had LiveGrid not working... The case and your configuration would need to be investigated in order to tell. What we can say with 100% certainty is that after 2:10-2:30 users with streamed updates and LiveGrid enabled and working were 100% protected. This is how the detection would have looked at that time:
>
>     Log
>     Scanned disks, folders and files: C:\test2\documento.exe
>     C:\test2\documento.exe - Suspicious Object
>     Number of scanned objects: 1
>     Number of detections: 1
>
> And here is how ESET reacted with 2-month-old modules. The malware was executed. When the injection itself was performed, the AMSI scanner detected a malicious script:
>
>     Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
>     7/28/2019 4:06:06 PM;AMSI scanner;file;script;MSIL/Bladabindi.BC trojan;blocked;DESKTOP-5JIJ6V4\Admin;;AB122C106AC5DFA34C8168069E847F7F6DDDF550;
>
> And the malicious process was terminated. AMSI has been supported since Windows 8.1, so on older systems it's possible that the malware would have run with outdated modules.
Descloix, posted September 28, 2019 (edited)

Let someone run the file documento.exe on their computer and honestly write what happened. documento.exe is not a Suspicious Object; this is totally Trojan.Ransom. I am absolutely sure that this is a cipher to extort money from ignorant people. And the business version of the antivirus did not see it. It's just a huge shame for the reputation of the company that puts advertising banners in Germany at the Bundesliga matches, specifically at the matches of Borussia Dortmund. BitDefender

Edited September 28, 2019 by Descloix
Marcos (Administrator), posted September 28, 2019

Since you continue ranting and personally attacking moderators, which is against the forum rules, and ignore the proof above that ESET protected our users even with outdated modules, unlike many other AV vendors, we'll have to take action.