CNET Download a malware.
Please take note of these...
http://krebsonsecurity.com/2011/12/download-com-bundling-toolbars-trojans/
I came across this before, and it is somewhat true in some ways.
Comments
-
Thanks for that heads up.
I've also noticed that Open Candy is becoming more prevalent. MSE and another AV detected it on the same installed software about 6 months ago, on 2 different PCs. I downloaded that file today and submitted it to VirusTotal, and it now no longer flags it. So I don't know if the vendor took it out, or the AV companies' definitions are now "allowing" it. I think more of the developers and maintainers of free (and paid-for) software versions are seeing it as a form of revenue to help offset expenses.
Here is a list of some of the software where that is included. Just a couple of days ago, in the setup of free software, I was asked to allow (keep the box checked) Open Candy so that he could continue to offer his software free.
-
Thanks for the info.
I did get that thing in CDXPBurner.
This is only occurring on the Windows platform.
There is also a similar problem with Mac apps.
I generally cannot trust much of the third-party software being released in the Apple App Store. Many of the users are not aware of the situation. The same goes for Chrome.
Some of the developers just come and go. Some have made agreements with advertising companies for money.
Well, one thing is for sure: advertising companies gather information and sell it to their clients for money.
Even our banking sector is doing it!
The confusing part is that even malware like this is considered illegally approved.
-
I downloaded a sample today...
see below.
File name: cnet_EFRCSetup_exe.exe
Submission date: 2011-12-19 00:36:36 (UTC)
Current status: finished
Result: 6/43 (14.0%)
VT Community: not reviewed
Safety score: -
Antivirus, version, last update, result
AhnLab-V3, 2011.12.18.00, 2011.12.18, -
AntiVir, 7.11.19.155, 2011.12.18, -
Antiy-AVL, 2.0.3.7, 2011.12.18, -
Avast, 6.0.1289.0, 2011.12.18, -
AVG, 10.0.0.1190, 2011.12.18, -
BitDefender, 7.2, 2011.12.19, -
ByteHero, 1.0.0.1, 2011.12.07, Trojan.Backdoor.Gen.a
CAT-QuickHeal, 12.00, 2011.12.18, -
ClamAV, 0.97.3.0, 2011.12.18, Adware.Downloader-207
Commtouch, 5.3.2.6, 2011.12.17, -
Comodo, 11004, 2011.12.18, -
DrWeb, 5.0.2.03300, 2011.12.19, Adware.Downware.130
Emsisoft, 5.1.0.11, 2011.12.18, -
eSafe, 7.0.17.0, 2011.12.18, Win32.Trojan
eTrust-Vet, 37.0.9628, 2011.12.16, -
F-Prot, 4.6.5.141, 2011.12.17, -
F-Secure, 9.0.16440.0, 2011.12.19, -
Fortinet, 4.3.388.0, 2011.12.18, -
GData, 22, 2011.12.18, -
Ikarus, T3.1.1.109.0, 2011.12.18, -
Jiangmin, 13.0.900, 2011.12.18, -
K7AntiVirus, 9.119.5696, 2011.12.15, -
Kaspersky, 9.0.0.837, 2011.12.18, -
McAfee, 5.400.0.1158, 2011.12.18, -
McAfee-GW-Edition, 2010.1E, 2011.12.19, -
Microsoft, 1.7903, 2011.12.18, -
NOD32, 6722, 2011.12.19, a variant of Win32/InstallCore.D
Norman, 6.07.13, 2011.12.18, -
nProtect, 2011-12-18.01, 2011.12.18, -
Panda, 10.0.3.5, 2011.12.18, -
PCTools, 8.0.0.5, 2011.12.19, -
Prevx, 3.0, 2011.12.19, -
Rising, 23.88.03.02, 2011.12.16, Suspicious
Sophos, 4.72.0, 2011.12.18, -
SUPERAntiSpyware, 4.40.0.1006, 2011.12.17, -
Symantec, 20111.2.0.82, 2011.12.19, -
TheHacker, 6.7.0.1.361, 2011.12.18, -
TrendMicro, 9.500.0.1008, 2011.12.18, -
TrendMicro-HouseCall, 9.500.0.1008, 2011.12.19, -
VBA32, 3.12.16.4, 2011.12.14, -
VIPRE, 11272, 2011.12.18, -
ViRobot, 2011.12.17.4831, 2011.12.19, -
VirusBuster, 14.1.122.1, 2011.12.18, -
MD5: 8dddd3735c33607727ce0d5f66046a2b
SHA1: 0b799dea24610e02ae54eead4f6958c02c2c5f41
SHA256: 9046a61c83f6ebbaea28fa45c62f514bc95e4ed282ec256d1244fda273899971
ssdeep: 12288:lGFP4rsBRjSLvxZqWPo3jTza+YoH34kc9dtjkvi:UJw4iloja+Yp9dtjkvi
File size: 463080 bytes
First seen: 2011-10-28 13:16:01
Last seen: 2011-12-19 00:36:36
TrID:
UPX compressed Win32 Executable (38.5%)
Win32 EXE Yoda's Crypter (33.4%)
Win32 Executable Generic (10.7%)
Win32 Dynamic Link Library (generic) (9.5%)
Win16/32 Executable Delphi generic (2.6%)
sigcheck:
publisher....: CNET Download.com
copyright....: CBS Interactive
product......: CNET Download.com Installer
description..: CNET Download.com Install
original name: n/a
internal name: CNET Download.com Installer
file version.: v2.0.2.108
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
packers (F-Prot): UPX
PEInfo: PE structure information
[[ basic data ]]
entrypointaddress: 0x101660
timedatestamp....: 0x2A425E19 (Fri Jun 19 22:22:17 1992)
machinetype......: 0x14c (I386)
[[ 3 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
UPX0, 0x1000, 0x9B000, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e
UPX1, 0x9C000, 0x66000, 0x65A00, 7.92, 8550735f959374969c140f5eeb2b7574
.rsrc, 0x102000, 0xB000, 0xA400, 6.05, 032aad5249eb912d6d8d14dfbf315641
[[ 12 import(s) ]]
KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
advapi32.dll: EqualSid
comctl32.dll: ImageList_Add
comdlg32.dll: GetOpenFileNameA
gdi32.dll: SaveDC
ole32.dll: OleDraw
oleaut32.dll: VarNot
shell32.dll: DragFinish
URLMON.DLL: CoInternetCreateZoneManager
user32.dll: GetDC
version.dll: VerQueryValueA
wininet.dll: FindNextUrlCacheEntryA
ExifTool:
file metadata
CharacterSet: Unicode
CodeSize: 417792
CompanyName: CNET Download.com
EntryPoint: 0x101660
FileDescription: CNET Download.com Install
FileFlagsMask: 0x003f
FileOS: Win32
FileSize: 452 kB
FileSubtype: 0
FileType: Win32 EXE
FileVersion: v2.0.2.108
FileVersionNumber: 0.0.2.108
ImageVersion: 0.0
InitializedDataSize: 45056
InternalName: CNET Download.com Installer
LanguageCode: Neutral
LegalCopyright: CBS Interactive
LinkerVersion: 2.25
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 4.0
ObjectFileType: Dynamic link library
PEType: PE32
ProductName: CNET Download.com Installer
ProductVersion: v2.0.2.108
ProductVersionNumber: 0.0.2.108
Subsystem: Windows GUI
SubsystemVersion: 4.0
TimeStamp: 1992:06:20 00:22:17+02:00
UninitializedDataSize: 634880
Warning: Possibly corrupt Version resource
Now try this link.
The file name that downloads starts with something like this:
For example:
cnet_filename_exe.exe
The CBS Interactive malware starts with "cnet".
The file to download is usually named like cnet_somefilenametobedownloadedfromcnet_exe.exe.
Here is the link to try out; download the file and upload it to VirusTotal for analysis.
http://download.cnet.com/System-Cleaner/3000-18512_4-10045285.html?tag=dropDownForm;productListing
-
Try the above posting with the CNET Download.com link,
upload the file to virustotal.com,
and you will see the similarity...
File name: cnet2_SystemCleanerSetup_a1100_exe.exe
Submission date: 2011-12-19 01:18:10 (UTC)
Current status: finished
Result: 4/42 (9.5%)
VT Community: not reviewed
Safety score: -
Antivirus, version, last update, result
AhnLab-V3, 2011.12.18.00, 2011.12.18, -
AntiVir, 7.11.19.155, 2011.12.18, -
Antiy-AVL, 2.0.3.7, 2011.12.18, -
Avast, 6.0.1289.0, 2011.12.18, -
AVG, 10.0.0.1190, 2011.12.18, -
BitDefender, 7.2, 2011.12.19, -
ByteHero, 1.0.0.1, 2011.12.07, -
CAT-QuickHeal, 12.00, 2011.12.18, -
ClamAV, 0.97.3.0, 2011.12.18, Adware.Downloader-207
Commtouch, 5.3.2.6, 2011.12.17, -
Comodo, 11008, 2011.12.19, -
DrWeb, 5.0.2.03300, 2011.12.19, Adware.Downware.130
Emsisoft, 5.1.0.11, 2011.12.19, -
eSafe, 7.0.17.0, 2011.12.18, -
eTrust-Vet, 37.0.9628, 2011.12.16, -
F-Prot, 4.6.5.141, 2011.12.17, -
F-Secure, 9.0.16440.0, 2011.12.19, -
Fortinet, 4.3.388.0, 2011.12.18, -
GData, 22, 2011.12.19, -
Ikarus, T3.1.1.109.0, 2011.12.18, -
Jiangmin, 13.0.900, 2011.12.18, -
K7AntiVirus, 9.119.5696, 2011.12.15, -
Kaspersky, 9.0.0.837, 2011.12.18, -
McAfee, 5.400.0.1158, 2011.12.19, -
McAfee-GW-Edition, 2010.1E, 2011.12.19, -
Microsoft, 1.7903, 2011.12.18, -
NOD32, 6722, 2011.12.19, a variant of Win32/InstallCore.D
Norman, 6.07.13, 2011.12.18, -
nProtect, 2011-12-18.01, 2011.12.18, -
Panda, 10.0.3.5, 2011.12.18, -
PCTools, 8.0.0.5, 2011.12.19, -
Prevx, 3.0, 2011.12.19, -
Rising, 23.88.03.02, 2011.12.16, Suspicious
Sophos, 4.72.0, 2011.12.18, -
SUPERAntiSpyware, 4.40.0.1006, 2011.12.17, -
TheHacker, 6.7.0.1.361, 2011.12.18, -
TrendMicro, 9.500.0.1008, 2011.12.18, -
TrendMicro-HouseCall, 9.500.0.1008, 2011.12.19, -
VBA32, 3.12.16.4, 2011.12.14, -
VIPRE, 11272, 2011.12.18, -
ViRobot, 2011.12.17.4831, 2011.12.19, -
VirusBuster, 14.1.122.1, 2011.12.18, -
MD5: ccb84c353bfb64d570575f0512415a2b
SHA1: 0e829e509193b346bcf92ea2d754c0a8d18bc917
SHA256: 33c40c6affe44a27b55b28ededfa6ef401e4b9107ee437d6832c091f17e46e7b
ssdeep: 12288GFP4rsBRjSLvxZqWPo3jTza+YoH34kc9dtjkvi:KJw4iloja+Yp9dtjkvi
File size: 463080 bytes
First seen: 2011-12-19 01:18:10
Last seen: 2011-12-19 01:18:10
TrID:
UPX compressed Win32 Executable (38.5%)
Win32 EXE Yoda's Crypter (33.4%)
Win32 Executable Generic (10.7%)
Win32 Dynamic Link Library (generic) (9.5%)
Win16/32 Executable Delphi generic (2.6%)
sigcheck:
publisher....: CNET Download.com
copyright....: CBS Interactive
product......: CNET Download.com Installer
description..: CNET Download.com Install
original name: n/a
internal name: CNET Download.com Installer
file version.: v2.0.2.108
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
packers (F-Prot): UPX
PEInfo: PE structure information
[[ basic data ]]
entrypointaddress: 0x101660
timedatestamp....: 0x2A425E19 (Fri Jun 19 22:22:17 1992)
machinetype......: 0x14c (I386)
[[ 3 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
UPX0, 0x1000, 0x9B000, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e
UPX1, 0x9C000, 0x66000, 0x65A00, 7.92, 8550735f959374969c140f5eeb2b7574
.rsrc, 0x102000, 0xB000, 0xA400, 6.05, 032aad5249eb912d6d8d14dfbf315641
[[ 12 import(s) ]]
KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
advapi32.dll: EqualSid
comctl32.dll: ImageList_Add
comdlg32.dll: GetOpenFileNameA
gdi32.dll: SaveDC
ole32.dll: OleDraw
oleaut32.dll: VarNot
shell32.dll: DragFinish
URLMON.DLL: CoInternetCreateZoneManager
user32.dll: GetDC
version.dll: VerQueryValueA
wininet.dll: FindNextUrlCacheEntryA
ExifTool:
file metadata
CharacterSet: Unicode
CodeSize: 417792
CompanyName: CNET Download.com
EntryPoint: 0x101660
FileDescription: CNET Download.com Install
FileFlagsMask: 0x003f
FileOS: Win32
FileSize: 452 kB
FileSubtype: 0
FileType: Win32 EXE
FileVersion: v2.0.2.108
FileVersionNumber: 0.0.2.108
ImageVersion: 0.0
InitializedDataSize: 45056
InternalName: CNET Download.com Installer
LanguageCode: Neutral
LegalCopyright: CBS Interactive
LinkerVersion: 2.25
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 4.0
ObjectFileType: Dynamic link library
PEType: PE32
ProductName: CNET Download.com Installer
ProductVersion: v2.0.2.108
ProductVersionNumber: 0.0.2.108
Subsystem: Windows GUI
SubsystemVersion: 4.0
TimeStamp: 1992:06:20 00:22:17+02:00
UninitializedDataSize: 634880
Warning: Possibly corrupt Version resource
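A stdlib-only triage script that reproduces the PEInfo fields pasted above and flags what these reports show (UPX section names, section entropy near 8.0, the 1992 link timestamp, no Authenticode signature), plus the cnet_..._exe.exe naming pattern from the earlier post. This is an added example, not code from the forum posters or from VirusTotal; the PE it parses is constructed inline with the report's section layout, and the function names are the example's own.

```python
import math, random, struct, time
from collections import Counter

def is_wrapper_name(filename: str) -> bool:
    # Naming pattern the thread describes: cnet_<product>_exe.exe (the second sample used cnet2_).
    low = filename.lower()
    return low.startswith("cnet") and low.endswith("_exe.exe")

def entropy(data: bytes) -> float:
    # Shannon entropy in bits per byte; packed or encrypted data sits near 8.0, empty data is 0.
    n = len(data)
    return 0.0 if n == 0 else -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(pe: bytes) -> dict:
    # Walk DOS -> COFF -> optional header -> section table, the fields PEInfo reports above.
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    assert pe[e_lfanew:e_lfanew + 4] == b"PE\0\0", "not a PE file"
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    opt = e_lfanew + 24                                         # optional header start
    (entry,) = struct.unpack_from("<I", pe, opt + 16)           # AddressOfEntryPoint
    _, sig_size = struct.unpack_from("<II", pe, opt + 96 + 4 * 8)  # PE32 data directory 4 = SECURITY
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i)
        raw = pe[rawptr:rawptr + rawsize]
        sections.append((name.rstrip(b"\0").decode(), hex(vaddr), hex(vsize), hex(rawsize), round(entropy(raw), 2)))
    checks = [(any(s[0].startswith("UPX") for s in sections), "UPX section names: packed executable"),
              (any(s[4] > 7.0 for s in sections), "section entropy above 7.0: compressed or encrypted code"),
              (not 946684800 <= stamp <= time.time(), "implausible link timestamp (a 1992 stamp is not a build date)"),
              (sig_size == 0, "no Authenticode signature directory: unsigned")]
    return {"machine": hex(machine), "entry": hex(entry), "timestamp": stamp,
            "sections": sections, "flags": [msg for hit, msg in checks if hit]}

def build_sample_pe() -> bytes:
    # Constructed PE32 mirroring the report's layout: UPX0/UPX1/.rsrc, stamp 0x2A425E19, no signature.
    rng = random.Random(1)
    upx1 = bytes(rng.randrange(256) for _ in range(4096))                # stands in for packed code
    rsrc = b"CNET Download.com Installer\0" * 32                         # low-entropy version resource
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)                      # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0x2A425E19, 0, 0, 224, 0x0102)
    opt = struct.pack("<H", 0x10B) + bytes(14) + struct.pack("<I", 0x101660) + bytes(204)  # dirs all zero
    hdrs, body, ptr = b"", b"", 512                                      # raw data starts at offset 512
    for name, vaddr, vsize, data in (("UPX0", 0x1000, 0x9B000, b""), ("UPX1", 0x9C000, 0x66000, upx1),
                                     (".rsrc", 0x102000, 0xB000, rsrc)):
        hdrs += struct.pack("<8sIIII", name.encode(), vsize, vaddr, len(data), ptr if data else 0) + bytes(16)
        body, ptr = body + data, ptr + len(data)
    head = dos + coff + opt + hdrs
    return head + bytes(512 - len(head)) + body
```

Run `triage(open(path, "rb").read())` on a real download to get the same section, entropy and timestamp view the report gives, and submit the file's hash rather than the file if you only need to check whether VirusTotal has already seen it.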