new folder.exe

The executable new folder.exe, “Microsoft Corparation” has been detected as malware by 34 anti-virus scanners. Infected by an entry-point obscuring polymorphic file infector which will create a peer-to-peer botnet and receives URLs of additional files to download. While running, it connects to the Internet address p11pn-i.geo.vip.bf1.yahoo.com on port 80 using the HTTP protocol.
Description:
Microsoft Corparation

Version:
1,1,2,2

MD5:
1bd90b334ffb3e08b6ab94a711d2c2fc

SHA-1:
d6eccfd8f740db8d1e2a5ebb7cdd34f34cefa949

SHA-256:
4fba8b54705f26e48a5300855d2bb62285de0795ec08b254561e84b838650ee3

Scanner detections:
34 / 68

Status:
File is infected by a Virus

Explanation:
The file is infected by a polymorphic file infector virus.

Analysis date:
12/26/2024 6:49:44 PM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
Win32.Sality.AP.Gen
7.1.1

AhnLab V3 Security
Win32/Kashu.B
2013.05.14

Avira AntiVirus
W32/Sality.AA
7.11.78.32

avast!
AutoIt:AutoRun-B@BC [Wrm]
2014.9-160921

AVG
Worm/AutoRun
2017.0.2613

Bitdefender
Win32.Sality.OG
1.0.20.1325

Clam AntiVirus
W32.Sality-72
0.98/18155

Comodo Security
Virus.Win32.Sality.Gen
16248

Dr.Web
Win32.HLLW.Autoruner.8744
9.0.1.0265

Emsisoft Anti-Malware
Win32.Sality.OG
8.16.09.21.02

ESET NOD32
Win32/Sality.NAU
10.8327

Fortinet FortiGate
W32/Agent.FDR!tr
9/21/2016

F-Prot
W32/Sality.AK
v6.4.7.1.166

F-Secure
Win32.Sality.OG
11.2016-21-09_4

G Data
Win32.Sality.OG
16.9.22

IKARUS anti.virus
Trojan.Crypt
t3scan.2.0.0.0

K7 AntiVirus
Virus
13.166.8668

Kaspersky
Worm.Win32.AutoIt
14.0.0.-438

Malwarebytes
Worm.Agent.IMY
v2016.09.21.02

McAfee
W32/Sality.gen
5600.6269

Microsoft Security Essentials
Worm:Win32/Nuqel.AO
1.163.1557.0

MicroWorld eScan
Win32.Sality.OG
17.0.0.795

NANO AntiVirus
Virus.Win32.Sality.gcen
0.24.0.52214

Norman
007Spy.CO
11.20160921

nProtect
Win32.Sality.OG
13.05.13.04

Panda Antivirus
W32/Sality.AN
16.09.21.02

Quick Heal
W32.Sality.R
9.16.12.00

SUPERAntiSpyware
Trojan.Agent/Gen-FakeSoft
8884

Total Defense
Win32/Sality.AA
37.0.10418

Trend Micro House Call
PE_SALITY.BU
7.2.265

Trend Micro
PE_SALITY.BU
10.465.21

Vba32 AntiVirus
Virus.Win32.Sality.baka
3.12.22.0

VIPRE Antivirus
Trojan.Win32.AutoIT.gen
17712

ViRobot
Win32.Sality.L
2011.4.7.4223

File size:
864.5 KB (885,212 bytes)

File type:
Executable application (Win32 EXE)

Language:
English (United Kingdom)

File PE Metadata
Compilation timestamp:
11/25/2007 4:21:46 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
12288:LTB09SkkNXKgor5IWk3rWHfkuegrcqt4Omarj53Dvo9ysGlXkEbvy73hykz9Zicn:IScgU5og8ueZOxmKoc7LbvyFyK9YI

Entry address:
0xA8CD0

Entry point:
60, 2B, D2, 52, FF, 15, E8, 11, 4B, 00, 8B, D5, F6, D8, 0F, B7, FD, FE, CC, 87, DA, 2B, D2, 52, FF, 15, E8, 11, 4B, 00, E8, 24, 00, 00, 00, C9, 93, 29, 05, F0, 0C, 20, 56, 5C, C8, 63, C1, A1, 31, E0, E3, C7, 7E, C3, 18, 1E, 30, 8F, 9E, 1A, ED, BC, B0, 87, 72, 18, 37, F4, 44, 7C, 21, 2B, C9, 48, 58, 33, D0, 0F, BA, E9, B7, 0F, BC, C8, 0F, A4, F7, 57, 8D, 0D, A7, CE, 59, B8, F7, C7, 48, EB, 02, BD, 71, 17, 01, D2, 81, D1, 6F, 76, 61, A0, 0F, A5, D3, 0F, C1, DD, EB, 01, 50, F7, C7, E0, 23, 5A, B5, 81, C0, EF...
 
[+]

Entropy:
7.9543  (probably packed)

Code size:
228 KB (233,472 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to p11pn-i.geo.vip.bf1.yahoo.com  (98.139.135.128:80)

TCP (HTTP):
Connects to dev.ucoz.net  (195.216.243.102:80)

Remove new folder.exe - Powered by Reason Core Security