{"id":806,"date":"2013-11-29T09:37:34","date_gmt":"2013-11-29T08:37:34","guid":{"rendered":"http:\/\/www.satinfo.es\/noticies\/?p=806"},"modified":"2013-11-29T09:37:34","modified_gmt":"2013-11-29T08:37:34","slug":"nueva-variente-del-vbsrunner-c-que-afecta-a-dispositivos-de-almacenamiento-usb","status":"publish","type":"post","link":"https:\/\/www.satinfo.es\/noticies\/2013\/nueva-variente-del-vbsrunner-c-que-afecta-a-dispositivos-de-almacenamiento-usb\/","title":{"rendered":"Nueva variente del VBSRUNNER.C que afecta a dispositivos de almacenamiento USB"},"content":{"rendered":"

Una nueva variante de este malware de tama\u00f1o 66,3 Mb que afecta a los dispositivos de almacenamiento masivo USB (pendrives, memorias, discos dures, etc), escondiendo las carpetas y creando en su lugar links (enlaces) con su mismo icono pero lanzando el malware, que en la muestra recibida se llamaba ITUNESHELPER.VBE, lo pasamos a controlar a partir del ELISTARA 28.87 de hoy.<\/span><\/p>\n

Cabe pensar que lo que pretende el hacker en este caso, es que los antivirus no lo detecten si se han configurado excluyendo ficheros mayores de 60 MB en su an\u00e1lisis por ejemplo, y as\u00ed pasar desapercibido.<\/span><\/span><\/span><\/p>\n

El prean\u00e1lisis de VirusTotal ofrece este informe:<\/span><\/span><\/span><\/p>\n

\n

MD5 b26aa0b9579bb542e1727c3adf5ae9df
\nSHA1 c7d19fa4e3596ab832fdfc25bede451b6f4f76d4
\nFile size: 66,3 MB (67.928 KB)
\nSHA256: a0542ac91a01ef46b61974e1de2cedb7b7d3ea8356adfbcdb3d9e7298b6b5ec1
\nNombre: ituneshelper.vbe<\/span><\/span><\/span><\/p>\n

Detecciones: 17 \/ 47<\/span><\/span><\/span><\/p>\n

Fecha de an\u00e1lisis: 2013-11-28 09:06:00 UTC <\/span><\/span><\/span><\/p>\n

Antivirus Resultado Actualizaci\u00f3n<\/b><\/span><\/span><\/span><\/p>\n

Ad-Aware Trojan.Script.Agent.ER 20131128
\nAgnitum 20131127
\nAhnLab-V3 20131127
\nAntiVir 20131128
\nAntiy-AVL 20131128
\nAvast 20131128
\nAVG BackDoor.Generic_c.MYX 20131128
\nBaidu-International 20131128
\nBitDefender Trojan.Script.Agent.ER 20131128
\nBkav 20131128
\nByteHero 20131127
\nCAT-QuickHeal 20131128
\nClamAV 20131128
\nCommtouch 20131128
\nComodo UnclassifiedMalware 20131128
\nDrWeb VBS.Autoruner.166 20131128
\nEmsisoft Trojan.Script.Agent.ER (B) 20131128
\nESET-NOD32 VBS\/Agent.NDH 20131128
\nF-Prot 20131128
\nF-Secure Trojan.Script.Agent.ER 20131128
\nFortinet 20131128
\nGdata Trojan.Script.Agent.ER 20131128
\nIkarus 20131128
\nJiangmin 20131128
\nK7AntiVirus 20131127
\nK7GW 20131127
\nKaspersky Worm.VBS.Dinihou.g 20131128
\nKingsoft 20130829
\nMalwarebytes 20131128
\nMcAfee VBS\/Autorun.worm.aape 20131128
\nMcAfee-GW-Edition VBS\/Autorun.worm.aape 20131127
\nMicrosoft 20131128
\nMicroWorld-eScan Trojan.Script.Agent.ER 20131128
\nNANO-Antivirus 20131128
\nNorman 20131127
\nnProtect 20131128
\nPanda 20131128
\nRising 20131128
\nSophos VBS\/Dinihou-A 20131128
\nSUPERAntiSpyware 20131127
\nSymantec Backdoor.Trojan 20131128
\nTheHacker 20131127
\nTotalDefense 20131128
\nTrendMicro VBS_BACKSHELL.A 20131128
\nTrendMicro-HouseCall VBS_BACKSHELL.A 20131128
\nVBA32 20131127
\nVIPRE 20131128
\nViRobot 20131128<\/span><\/span><\/span><\/p>\n

\n

El c\u00f3digo del virus VBSRUNNER C insertado en medio del fichero de 68 MB de un ITUNESHELPER.VBE<\/span><\/span><\/span><\/p>\n

Tras mas de 30 MB de c\u00f3digos 0D0A (que sirven para engrosar el fichero) aparecen 380 KB de c\u00f3digo v\u00edrico seguidos de otros 30 MB de mas c\u00f3digos 0D0A.<\/span><\/span><\/span><\/p>\n

Dicho c\u00f3digo del malware \u201cpuro\u201d tambi\u00e9n pasa a ser controlado a partir del ELISTARA 28.87 de hoy<\/span><\/span><\/span><\/p>\n

\n

El prean\u00e1lisis de VirusTotal ofrece este informe:<\/span><\/span><\/span><\/p>\n

MD5 ab7c75d28c17da7cde899c1d53963fe2
\nSHA1 c6fc8c7e26b3bd552be9ae63c3aadf13a0c31701
\nFile size 377.9 KB ( 387002 bytes )
\nSHA256: 68ea0062509e337c452accbe1bc909fdbacecbb0bf003b113dcfc6b116f8f372
\nNombre: ituneshelper vbe<\/span><\/span><\/span><\/p>\n

Detecciones: 10 \/ 48<\/span><\/span><\/span><\/p>\n

Fecha de an\u00e1lisis: 2013-11-28 12:02:22 UTC<\/span><\/span><\/span><\/p>\n

Antivirus Resultado Actualizaci\u00f3n<\/b><\/span><\/span><\/span><\/p>\n

Ad-Aware Trojan.VBS.TYJ 20131128
\nAgnitum 20131127
\nAhnLab-V3 20131127
\nAntiVir 20131128
\nAntiy-AVL 20131128
\nAvast VBS:Downloader-KW [Trj] 20131128
\nAVG 20131128
\nBaidu-International 20131128
\nBitDefender Trojan.VBS.TYJ 20131128
\nBkav 20131128
\nByteHero 20131127
\nCAT-QuickHeal 20131128
\nClamAV 20131128
\nCommtouch 20131128
\nComodo 20131128
\nDrWeb 20131128
\nEmsisoft Trojan.VBS.TYJ (B) 20131128
\nESET-NOD32 20131128
\nF-Prot 20131128
\nF-Secure Trojan.VBS.TYJ 20131128
\nFortinet 20131128
\nGdata Trojan.VBS.TYJ 20131128
\nIkarus 20131128
\nJiangmin 20131128
\nK7AntiVirus 20131127
\nK7GW 20131127
\nKaspersky Worm.VBS.Dinihou.g 20131128
\nKingsoft 20130829
\nMalwarebytes 20131128
\nMcAfee 20131128
\nMcAfee-GW-Edition 20131127
\nMicrosoft 20131128
\nMicroWorld-eScan Trojan.VBS.TYJ 20131128
\nNANO-Antivirus 20131128
\nNorman 20131128
\nnProtect Trojan.VBS.TYJ 20131128
\nPanda 20131128
\nRising 20131128
\nSophos VBS\/Dinihou-A 20131128
\nSUPER AntiSpyware 20131127
\nSymantec 20131128
\nTheHacker 20131127
\nTotalDefense 20131128
\nTrendMicro 20131128
\nTrendMicro-HouseCall 20131128
\nVBA32 20131127
\nVIPRE 20131128
\nViRobot 20131128<\/span><\/span><\/span><\/p>\n

\n

SATINFO<\/b><\/span>, <\/b><\/span>SERVICIO DE ASISTENCIA T\u00c9CNICA INFORMATICA<\/b><\/span>2<\/b><\/span>8<\/b><\/span>de <\/b><\/span>Noviembre<\/b><\/span>de 201<\/b><\/span>3<\/b><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

Una nueva variante de este malware de tama\u00f1o 66,3 Mb que afecta a los dispositivos de almacenamiento masivo USB (pendrives, memorias, discos dures, etc), escondiendo las carpetas y creando en su lugar links (enlaces) con su mismo icono pero lanzando el malware, que en la muestra recibida se llamaba ITUNESHELPER.VBE, lo pasamos a controlar a […]<\/a><\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[320,891,892],"tags":[496,488,491,495,497,489,498,92,490,499,492,494,487,493],"class_list":["post-806","post","type-post","status-publish","format-standard","hentry","category-320","category-otros","category-todos","tag-ab7c75d28c17da7cde899c1d53963fe2","tag-b26aa0b9579bb542e1727c3adf5ae9df","tag-backdoor-generic_c-myx","tag-backdoor-trojan","tag-c6fc8c7e26b3bd552be9ae63c3aadf13a0c31701","tag-c7d19fa4e3596ab832fdfc25bede451b6f4f76d4","tag-downloader-kw","tag-elistara","tag-ituneshelper-vbe","tag-trojan-vbs-tyj","tag-vbsagent-ndh","tag-vbsautorun-worm-aape","tag-vbsrunner-c","tag-worm-vbs-dinihou-g","category-320-id","category-891-id","category-892-id","post-seq-1","post-parity-odd","meta-position-corners","fix"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.satinfo.es\/noticies\/wp-json\/wp\/v2\/posts\/806","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.satinfo.es\/noticies\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.satinfo.es\/noticies\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.satinfo.es\/noticies\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/www.satinfo.es\/noticies\/wp-json\/wp\/v2\/comments?post=806"}],"version-history":[{"count":0,"href":"https:\/\/www.satinfo.es\/noticies\/wp-json\/wp\/v2\/posts\/806\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.satinfo.es\/noticies\/wp-json\/wp\/v2\/media?parent=806"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.satinfo.es\/noticies\/wp-json\/wp\/v2\/categories?post=806"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.satinfo.es\/noticies\/wp-json\/wp\/v2\/tags?post=806"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}