Win32.Klone.b analysis

Just another downloader, fully reversed into C code. I picked it up a few days ago and sent it to the AVs, so most of them have signatures by now:

MD5: ec9dfa116b8f41e3918ec45a26597495

AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Klone
BitDefender Found GenPack:Trojan.Downloader.Galapoper.A
ClamAV Found nothing
Dr.Web Found Trojan.Galapoper
F-Prot Antivirus Found nothing
Fortinet Found W32/KlonePacked.B-tr
Kaspersky Anti-Virus Found Packed.Win32.Klone.b
NOD32 Found probably a variant of Win32/TrojanDownloader.Small.AVT (probable variant)
Norman Virus Control Found W32/DLoader.NUT
UNA Found nothing
VBA32 Found Trojan-Downloader.Win32.Small.AVT

I think this is the last Trojan/Downloader I'm analysing; they're basically all the same in structure (WinHTTP/WinInet APIs dispatching dialers and bots from hard-coded locations inside EXEs, or dynamically via PHP scripts...).

So simple in structure, yet so many AVs don't detect them decently :/
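The structure described above (WinInet/WinHTTP imports plus a hard-coded download location, often a PHP script) is exactly what a static triage pass can key on. The following is an added example, not the author's reversed C code or anything from this sample: it scans a binary for those API names and embedded URLs and returns a verdict; the byte blob it runs on is constructed here, and example.invalid is a reserved placeholder host.

```python
import re
from dataclasses import dataclass

# WinInet / WinHTTP / URLMon entry points a downloader typically imports.
DOWNLOAD_APIS = [
    b"InternetOpenA", b"InternetOpenUrlA", b"InternetReadFile",
    b"HttpOpenRequestA", b"HttpSendRequestA",
    b"WinHttpOpen", b"WinHttpConnect", b"WinHttpOpenRequest",
    b"WinHttpSendRequest", b"WinHttpReadData",
    b"URLDownloadToFileA", b"URLDownloadToFileW",
]
# APIs used to drop the fetched payload to disk and launch it.
EXEC_APIS = [b"CreateFileA", b"WriteFile", b"WinExec", b"CreateProcessA", b"ShellExecuteA"]

# Hard-coded http(s) locations embedded as printable strings.
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?:/[\w./?=&%-]*)?")

@dataclass
class Triage:
    download_apis: list
    exec_apis: list
    urls: list
    php_urls: list      # locations served dynamically by a PHP script
    verdict: str

def triage(blob: bytes) -> Triage:
    """Heuristic static triage for WinInet/WinHTTP-style downloaders."""
    dl = sorted(a.decode() for a in DOWNLOAD_APIS if a in blob)
    ex = sorted(a.decode() for a in EXEC_APIS if a in blob)
    urls = sorted(u.decode() for u in URL_RE.findall(blob))
    php = [u for u in urls if u.lower().split("?")[0].endswith(".php")]
    if dl and urls and ex:
        verdict = "likely downloader (HTTP API + hard-coded URL + execute)"
    elif dl and urls:
        verdict = "suspicious: HTTP API with hard-coded URL"
    else:
        verdict = "no downloader indicators"
    return Triage(dl, ex, urls, php, verdict)

# Constructed sample: an MZ stub followed by the kind of import names and
# URL string a small downloader carries. Not bytes from the real sample.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"wininet.dll\x00InternetOpenA\x00InternetOpenUrlA\x00InternetReadFile\x00"
    + b"kernel32.dll\x00CreateFileA\x00WriteFile\x00WinExec\x00"
    + b"http://example.invalid/cgi/get.php?id=1\x00"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On a real file, run it over the unpacked image (this family is packed, as the Kaspersky name says), since strings in a packed section are not visible to this scan.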