Found "Gen:Variant.Ursu.225958 (B)" on my PC. -VERY NEW MALWARE-


Yellowing

Thread author
Jun 7, 2018
Hi :(

I just got a hit with Emsisoft Emergency Kit regarding the portable version (the zip) of SysHardener:
.\syshardener_portable.zip -> PORTABLE/32-bit/SysHardener.exe detected: Gen:Variant.Ursu.225958 (B) [krnl.xmd]

I did a virusTotal scan but I'm not sure if the link works in your browser:
VirusTotal
This does not sound like a false alarm to me.
Oh, oh... The number of AVs on VirusTotal detecting it is increasing. It was 7 when I first ran the test (minutes ago!). Now it is already 9. Must be very new.

Uploaded to Microsoft: Submission details (dbec439d-6c21-44fc-a39b-a6adb7203d6f) - Windows Defender Security Intelligence

No sign that it has run so far. Only this one file is infected.

Important notice:
My zip file has been altered. The file on the Server is clean!
 

Yellowing

Thread author
Jun 7, 2018
But my zip file is not the same as the one from the server. MD5 hash different. :(
I downloaded it a few days ago and it has the same version as the one the website inside it. Ergo it got altered maliciously

You don't have "the actual" executable since my zip is different. :p
 

Yellowing

Thread author
Jun 7, 2018
I don't know :(
I'm running several scans now. (ESET is finished in a few moments. I know it didn't detect the zip on VirusTotal, but I thought it could run through, whatever. :ROFLMAO:) Full scan with Emsisoft starts soon.

I said in my post that the server zip is clean. :mad: :LOL:
 

Yellowing

Thread author
Jun 7, 2018
Oh wait... :oops:
I clicked on the Relations tab in VirusTotal and it shows all files are clean. I never really used it much. :whistle:

How are all files clean but the zip? Can a zip be infected but its insides not? Maybe there is a new WinZip or 7Zip exploit.:unsure:
And what is wrong with Emsisoft? It scanned only 259,293 files, but ESET is still going with over 360,000. I did check all drives and file types. :X3:

And now VirusTotal shows only 8 hits. :LOL: So one vendor changed their detection. I guess it is a false positive after all. :oops:
 

Yellowing

Thread author
Jun 7, 2018
Ok. No virus found except that one file. (y) I don't know why it is a different file than the one the server has, :unsure: or why the detection on VirusTotal changed on such short notice.

If the file on the server wasn't updated without changing the version number, my file must have been altered. Have you changed it since 26.5.18, @NoVirusThanks?
 

Venustus

Honorary Member
Dec 30, 2012
Oh wait... :oops:
I clicked on the Relations tab in VirusTotal and it shows all files are clean. I never really used it much. :whistle:

How are all files clean but the zip? Can a zip be infected but its insides not? Maybe there is a new WinZip or 7Zip exploit.:unsure:
And what is wrong with Emsisoft? It scanned only 259,293 files, but ESET is still going with over 360,000. I did check all drives and file types. :X3:

And now VirusTotal shows only 8 hits. :LOL: So one vendor changed their detection. I guess it is a false positive after all. :oops:
The Eset online scanner is very thorough and also very good:)
 

Yellowing

Thread author
Jun 7, 2018
It is pretty much clear that it was a false positive now: (y)
VirusTotal detections are down to 2. (AegisLab and Qihoo-360 are left)
Windows still didn't analyse it, sadly. What's even the point of uploading it there? :emoji_clap:


I still don't know why it got altered. I assume I just removed a file from it and forgot. :emoji_flushed: But then, I would only ever extract files, and that doesn't remove them from the archive. So, how could "me extracting a file" (If that was the case) result in so many false positive alerts? :unsure:

Any ideas? :)
I also really wish NVT-guy would answer. But since this thread got moved into oblivion :p it won't happen, I guess.
 

upnorth

Moderator
Jul 27, 2015
At the moment it's down to one vendor that finds this malicious, so it's more than likely a false positive.
But my zip file is not the same as the one from the server. MD5 hash different. :(
I downloaded it a few days ago and it has the same version as the one the website inside it. Ergo it got altered maliciously

Please explain a bit more as I don't fully grasp what you actually mean. You have the zip file that contain SysHardener portable version and that you downloaded a few days ago right? And now you say it's altered and that's where I get lost because you clearly write :
it has the same version as the one the website inside it. Ergo it got altered
:confused:

If you want to get in contact with the developer you can always try adding his name in a post, @"the name". It would look like this: @NoVirusThanks, as that would normally send him an alert. Or simply send him a PM (start a conversation) and point him to the post.
 

Yellowing

Thread author
Jun 7, 2018
At the moment it's down to one vendor that finds this malicious, so it's more than likely a false positive.
Please explain a bit more as I don't fully grasp what you actually mean. You have the zip file that contain SysHardener portable version and that you downloaded a few days ago right? And now you say it's altered and that's where I get lost because you clearly write : [...] :confused:
If you want to get in contact with the developer you can always try adding his name in a post, @"the name". It would look like this: @NoVirusThanks, as that would normally send him an alert. Or simply send him a PM (start a conversation) and point him to the post.
I think that is understandable: the program inside the ZIP was the same version as the one on the server, but the MD5 hash was different. (A few days' difference from download to test, but no sign that the dev changed the ZIP.) *shrug*

Since I found that ZIP file to be questionable I made a full system reset. :sick:
I also did add @NoVirusThanks a while ago, if you look up. I even PM'd him. Let's just wait. :)
 

Yellowing

Thread author
Jun 7, 2018
No. I don't know if it is downloadable from the Microsoft or VirusTotal link. They still have the file.
 

upnorth

Moderator
Jul 27, 2015
No. I don't know if it is downloadable from the Microsoft or VirusTotal link. They still have the file.
Sad to hear, as it could perhaps have helped, and I do hope you understand that all anyone really has on this now is your word, and even if you're telling the truth it doesn't help, as nobody else can confirm this unless they have full access to VirusTotal (VT). As far as I know that's only for VirusTotal Intelligence members and that's very expensive. The MS submission is, from what I can see, not possible to download.

Next time you find and report something like this, don't delete the file.
 
