New variant of Trojan / Downloader - Zlob - undetected by some popular AVs??


epv888
February 4th, 2007, 09:51 PM
hey guyz,

I came across this virus / malware while scanning a friend's PC using Avira PE Classic - DR/Zlob.Gen

So just to be sure it was a legitimate virus / malware detection by Avira, I sent it to VirusTotal to see what other antivirus vendors come up with.

To my surprise, only 13 out of 29 AV vendors detected it as a virus / malware. :o

Here's the screenshot ...

[Edit - link to Virus Total screenshot removed - Blue]

I would be interested in reading your comments regarding this.

Thanks

TAP
February 4th, 2007, 10:05 PM
In some cases, a trojan will be caught during the installation process (extraction) by some antivirus, e.g. avast! or others.

tobacco
February 4th, 2007, 10:07 PM
Aaaaaaaaah!

A VirusTotal Screenshot!

BlueZannetti
February 4th, 2007, 10:27 PM
{QUOTE-> Aaaaaaaaah!

A VirusTotal Screenshot! <-QUOTE}
Right, and it will be gone in a few seconds. Sorry epv888, you're new here so please take no offense (and welcome!).

Just to place everyone on the same page..., VT and related screenshots are clipped unless they are focused on a specific diagnostic issue (active malware infestation, false positive, etc.) or related user-based issue. Therefore, they are removed when their only purpose is illustrating point in time comparative performance of AV's. They are removed since they have no lasting pertinence to any discussion and quickly generate a large flurry of also time dependent and quickly outdated competing posts. We're not about to play that game, period.

As for this thread, epv888 has ably noted the situation sans post and have at it.

Blue

likuidkewl
February 4th, 2007, 11:15 PM
{QUOTE-> Aaaaaaaaah!

A VirusTotal Screenshot! <-QUOTE}
LOL - But oh so true!

At least this time Blue explained the reasoning behind it, and thank you for that! ;)

Now why is it not detected by all?
Good question with no clear answer.

It might have something to do with the NSIS installer. So many legit programs use it that the chances for FPs are high, even though I do believe all AVs have no problems unpacking NSIS installers. It also has morphed quite a bit since I have followed it, as many pieces of malware do. Example: one of the first pieces had an actual stand-alone Trojan downloader inside the NSIS, but more recently the ability has been embedded inside the DLL files, thus negating the need for a separate downloader, which was an easy flag.

Just my .02

lucas1985
February 5th, 2007, 01:00 AM
Most AVs have a hard time with Zlobs and other malware of this kind (slightly modified/repackaged stuff)
Just look at CastleCops MIRT (http://www.castlecops.com/c55-MIRT.html)

Mele20
February 5th, 2007, 01:14 AM
Exactly how was this detected? You didn't tell us. The screenshot would have. Since that is gone can you please tell us? Hard to make an intelligent comment otherwise.

GES/POR
February 5th, 2007, 02:28 AM
Let me guess, nod didn't detect?

Bubba
February 5th, 2007, 11:20 AM
{QUOTE-> At least this time Blue explained the reasoning behind it <-QUOTE}
The explanation of those type removals has been and will continue to be made on a case-by-case basis. Some privately to the posting member, and in this case Blue used member tobacco's trolling post as a lead-in to his explanation to the relatively new member epv888. For some like yourself....you were given an explanation by the owners of the Forum in this post. (http://www.wilderssecurity.com/showthread.php?p=911029#post911029)

Bubba

likuidkewl
February 5th, 2007, 03:52 PM
~snip~

I have results from scanning files with actual exe's vice dll's, both newer variants.
The results are 9 for the exe types, and 7 for the dll types, and 2 of those are only because it is packed with UPX. Just an FYI. ;)
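Two of likuidkewl's posts above touch the same point: some engines flag a sample merely because it is UPX-packed or wrapped in an NSIS installer, which is exactly why those same markers are a false-positive source for legitimate software. The triage script below, added here as an example and not code from any poster or vendor, shows what such a packer/installer heuristic actually looks at: the PE section table (UPX names its sections UPX0, UPX1, ...; NSIS stubs carry a .ndata section) and the "NullsoftInst" marker string that appears in the NSIS first header. The sample PE images are constructed inline and are not real files from the thread; they are just enough of a PE layout for the parser to walk.

```python
import struct

NSIS_MARKER = b"NullsoftInst"   # literal string found in the NSIS first header


def pe_section_names(data: bytes) -> list:
    """Walk the PE headers and return the section names in table order."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header follows the 4-byte signature:
    #   Machine(2) NumberOfSections(2) ... SizeOfOptionalHeader(2) Characteristics(2)
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    first = e_lfanew + 24 + opt_size          # start of the section table
    names = []
    for i in range(num_sections):
        off = first + 40 * i                   # each IMAGE_SECTION_HEADER is 40 bytes
        raw = data[off:off + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def triage(data: bytes) -> dict:
    """Packer/installer heuristic: cheap to compute, and a known FP source on its own."""
    names = pe_section_names(data)
    upx = any(n.startswith("UPX") for n in names)
    nsis = NSIS_MARKER in data or ".ndata" in names
    return {
        "sections": names,
        "upx_packed": upx,
        "nsis_installer": nsis,
        # A packer hit alone says nothing about intent; note it, don't convict on it.
        "verdict": "needs unpacking / deeper scan" if (upx or nsis) else "no packer markers",
    }


def build_sample_pe(section_names, payload=b"") -> bytes:
    """Construct a minimal, non-runnable PE image for the demo (constructed data)."""
    opt_size = 224                             # size of a PE32 optional header
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)      # e_lfanew -> right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt_size)
    for name in section_names:
        image += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), 0, 0, 0, 0, 0, 0, 0, 0, 0)
    return image + payload


# Constructed samples: a UPX-packed layout and an NSIS-style installer layout.
UPX_SAMPLE = build_sample_pe([b"UPX0", b"UPX1", b".rsrc"])
NSIS_SAMPLE = build_sample_pe(
    [b".text", b".rdata", b".data", b".ndata", b".rsrc"],
    payload=b"\xef\xbe\xad\xde" + NSIS_MARKER,   # siginfo + marker as in the NSIS first header
)
PLAIN_SAMPLE = build_sample_pe([b".text", b".data", b".rsrc"])

if __name__ == "__main__":
    for label, blob in (("upx", UPX_SAMPLE), ("nsis", NSIS_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, triage(blob))
```

The heuristic deliberately stops at "needs unpacking": an engine that stops here and raises a detection is the one producing the "2 of those are only because it is packed with UPX" hits, while an engine that unpacks and looks at the embedded DLLs is the one that can tell a repackaged Zlob from the next legitimate NSIS setup.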

Bubba
February 5th, 2007, 04:46 PM
As noted in past closed\removed threads of this type and in keeping with our position as mentioned here (http://www.wilderssecurity.com/showthread.php?p=818225)....these type threads are neither support-issue related nor helpful. If\when vendors receive said samples they will act on this item according to the priority they deem necessary. What we will not be continuing is yet another thread of who's added the item to their database and who hasn't.

Having said that....this thread is now closed