Descloix

Virus not detected


Please tell me when the file "Documento.exe" will be detected as a virus.

Kaspersky, Microsoft and McAfee gave a detection a day ago, and many more antiviruses recognized the Trojan in it.

This is a real Trojan.

ESET is silent when unpacking the file. Norton deletes this file immediately.


Blacklisted more than 2 hours before you made the post (4:28 AM); around that time (2:20 AM) the detection was included in a streamed update:

adelantado.dll - a variant of Win32/Injector.EHZT trojan

image.png

Below is the evolution of the detection. The start of the X axis is yesterday 20:06 CET, the end is today 5:44. Only the detections at the start and end are known; the evolution in between is not. We can only tell that ESET has protected you since circa 2:20-2:30 AM, not taking into account features like AMS that might have detected it upon execution. On modern Windows systems (Windows 8.1, Windows 10), thanks to AMSI even users with outdated modules were protected, as you can see in the test below.

image.png


adelantado.dll - a variant of Win32/Injector.EHZT trojan was inside the archive along with other files that were in different directories and even in the registry. The virus was in the file "Documento.exe"; it infected memory and changed registry keys, and it was in the directories Roaming, Temp, Windows > Tasks, Roaming > Microsoft > Cripto. That is why it infected the computer's memory and files in various directories.

 

34 minutes ago, Descloix said:

Once again.

https://imageban.ru/show/2019/09/26/e137d33ae8e08e0aedcb3e5a9327e298/png

Again Microsoft, McAfee, AVG, Avast, Sophos, Fortinet - W32/Generic.AC.4231A6, McAfee - Artemis!BDF54634DDA8, Microsoft - Trojan:Win32/FuerboosC!cl

It is a shame not to include files with the .exe extension.

 

The file is an activator. It should not be detected as malware but as a hacktool application at most. Those who detect it as malware are wrong. We're not going to detect it for now, since we are anti-malware and not anti-cracking software.

image.png

 

1 hour ago, Descloix said:

adelantado.dll - a variant of Win32/Injector.EHZT trojan was inside the archive along with other files that were in different directories and even in the registry. The virus was in the file "Documento.exe"; it infected memory and changed registry keys, and it was in the directories Roaming, Temp, Windows > Tasks, Roaming > Microsoft > Cripto. That is why it infected the computer's memory and files in various directories.

 

As long as the dll was recognized, the whole exe would be detected. Maybe you ran it before the detection was added at ~2:20, maybe you have an older product that doesn't support streamed updates, maybe you had LiveGrid not working... The case and your cfg would need to be investigated in order to tell. What we can say with 100% certainty is that after 2:10-2:30 users with streamed updates and LG enabled and working were 100% protected.

This is how the detection would have looked at that time:

Log
Scanned disks, folders and files: C:\test2\documento.exe
C:\test2\documento.exe - Suspicious Object
Number of scanned objects: 1
Number of detections: 1

And here is how ESET reacted with 2-month old modules:

image.png

The malware was executed. When the injection itself was performed, AMSI scanner detected a malicious script...

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
7/28/2019 4:06:06 PM;AMSI scanner;file;script;MSIL/Bladabindi.BC trojan;blocked;DESKTOP-5JIJ6V4\Admin;;AB122C106AC5DFA34C8168069E847F7F6DDDF550;

image.png

And the malicious process was terminated:

image.png

AMSI has been supported since Windows 8.1, so on older systems it's possible that the malware would have run with outdated modules.
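An added example (not from the post or ESET's own tooling) that parses the two log layouts shown above: the on-demand scan log and the semicolon-separated detection log export. It pulls out which scanner blocked what, and checks that the scan's summary counter agrees with the listed verdicts; sample inputs are constructed from the lines quoted in the post.

```python
import csv
import io

# Constructed sample: detection log export in the semicolon-separated layout
# shown in the post above (header row plus one AMSI record).
DETECTION_LOG = (
    "Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here\n"
    "7/28/2019 4:06:06 PM;AMSI scanner;file;script;MSIL/Bladabindi.BC trojan;blocked;"
    "DESKTOP-5JIJ6V4\\Admin;;AB122C106AC5DFA34C8168069E847F7F6DDDF550;\n"
)

# Constructed sample: on-demand scan log in the layout shown in the post above.
SCAN_LOG = (
    "Scanned disks, folders and files: C:\\test2\\documento.exe\n"
    "C:\\test2\\documento.exe - Suspicious Object\n"
    "Number of scanned objects: 1\n"
    "Number of detections: 1\n"
)


def parse_detection_log(text):
    """Return the detection log as a list of dicts keyed by the header fields."""
    return list(csv.DictReader(io.StringIO(text), delimiter=";"))


def blocked_by_scanner(rows, scanner):
    """Records where the named scanner (e.g. 'AMSI scanner') blocked the object."""
    return [r for r in rows if r["Scanner"] == scanner and r["Action"] == "blocked"]


def parse_scan_log(text):
    """Split an on-demand scan log into per-object verdicts and summary counters.

    Verdict lines look like '<path> - <verdict>'; counter lines look like
    'Number of ...: <n>'. The 'Scanned disks, folders and files:' line lists
    the scan targets and is skipped.
    """
    verdicts, counters = {}, {}
    for line in text.splitlines():
        if line.startswith("Number of"):
            name, value = line.split(":", 1)
            counters[name.strip()] = int(value)
        elif " - " in line:
            path, verdict = line.rsplit(" - ", 1)
            verdicts[path.strip()] = verdict.strip()
    return verdicts, counters


def scan_consistent(verdicts, counters):
    """True when the number of listed verdicts matches the reported detection count."""
    return counters.get("Number of detections") == len(verdicts)
```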


You should be ashamed. I will send a copy of the black screen to the ESET office, which asks me to pay for decrypting my computer files. This happened after launching DOCUMENTO.EXE (documento.exe). This virus completely destroyed all the disks on the computer. All information was encrypted, and for the decryption they asked for 734 dollars.

Tomorrow I will remove ESET from my computer and install an antivirus that looks for something in the files firefox.exe, nightly.exe and the Opera installer. I will put in an antivirus with a powerful cloud service, which will remove any suspicious file or place it in the sandbox.

Kaspersky, Norton, Malwarebytes, Zemana.

[four screenshots attached, dated 2019-09-28]

On 9/26/2019 at 9:34 AM, Marcos said:

As long as the dll was recognized, the whole exe would be detected. Maybe you ran it before the detection was added at ~2:20, maybe you have an older product that doesn't support streamed updates, maybe you had LiveGrid not working... The case and your cfg would need to be investigated in order to tell. What we can say with 100% certainty is that after 2:10-2:30 users with streamed updates and LG enabled and working were 100% protected.

This is how the detection would have looked at that time:

Log
Scanned disks, folders and files: C:\test2\documento.exe
C:\test2\documento.exe - Suspicious Object
Number of scanned objects: 1
Number of detections: 1

And here is how ESET reacted with 2-month old modules:

image.png

The malware was executed. When the injection itself was performed, AMSI scanner detected a malicious script...

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
7/28/2019 4:06:06 PM;AMSI scanner;file;script;MSIL/Bladabindi.BC trojan;blocked;DESKTOP-5JIJ6V4\Admin;;AB122C106AC5DFA34C8168069E847F7F6DDDF550;

image.png

And the malicious process was terminated:

image.png

AMSI has been supported since Windows 8.1, so on older systems it's possible that the malware would have run with outdated modules.

 


Let someone run the file documento.exe on their computer and honestly write what happened.

documento.exe is not a Suspicious Object; this is totally Trojan.Ransom.

I am absolutely sure that this is a cipher to extort money from ignorant people. And the business version of the antivirus did not see it. It's just a huge shame for the reputation of a company that puts advertising banners in Germany at the Bundesliga matches, specifically at the matches of Borussia Dortmund.

BitDefender 

 

[screenshot attached, dated 2019-09-28]

Edited by Descloix


Since you continue ranting and personally attacking moderators, which is against the forum rules, and ignore the proof above that ESET protected our users even with outdated modules, unlike many other AV vendors, we'll have to take action.

This topic is now closed to further replies.
