Trojan Zlob

Discussion in 'NOD32 version 2 Forum' started by ugly, May 27, 2006.

Thread Status:
Not open for further replies.
  1. ugly

    ugly Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    276
    Location:
    Romania
    Do it faster please. I really like NOD32 but you are, unfortunately, really slow in adding signatures. :'(
    This is, in my opinion, one of the few :thumbd: of NOD32. :(
     
  2. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands

    That is a little unfair, especially in this case; have a look:


    Latest variants; it gets repetitive. Only Ikarus seems to have found the solution. Files submitted.

    Complete scanning result of "mediacodec-v4.541.exe", received in VirusTotal at 05.28.2006, 19:58:19 (CET).

    Antivirus Version Update Result
    AntiVir 6.34.1.34 05.28.2006 no virus found
    Authentium 4.93.8 05.28.2006 no virus found
    Avast 4.6.695.0 05.26.2006 no virus found
    AVG 386 05.28.2006 no virus found
    BitDefender 7.2 05.28.2006 no virus found
    CAT-QuickHeal 8.00 05.27.2006 no virus found
    ClamAV devel-20060426 05.28.2006 no virus found
    DrWeb 4.33 05.28.2006 no virus found
    eTrust-InoculateIT 23.72.20 05.28.2006 no virus found
    eTrust-Vet 12.6.2229 05.26.2006 no virus found
    Ewido 3.5 05.28.2006 no virus found
    Fortinet 2.77.0.0 05.28.2006 suspicious
    F-Prot 3.16c 05.28.2006 no virus found
    Ikarus 0.2.65.0 05.28.2006 Trojan.Favadd
    Kaspersky 4.0.2.24 05.28.2006 no virus found
    McAfee 4771 05.26.2006 no virus found
    Microsoft 1.1441 05.28.2006 no virus found
    NOD32v2 1.1562 05.27.2006 no virus found
    Norman 5.90.17 05.26.2006 no virus found
    Panda 9.0.0.4 05.28.2006 no virus found
    Sophos 4.05.0 05.28.2006 no virus found
    Symantec 8.0 05.28.2006 no virus found
    TheHacker 5.9.8.149 05.26.2006 no virus found
    UNA 1.83 05.26.2006 no virus found
    VBA32 3.11.0 05.28.2006 no virus found

    Additional Information
    File size: 71702 bytes
    MD5: edd1dfde42538773c41fce87e80e8676
    SHA1: d0cdf77fb5b3f9b6b1350b334ba2bca1490c51d5


    Complete scanning result of "digikeygen_ver1.541.exe", received in VirusTotal at 05.28.2006, 19:58:05 (CET).

    Antivirus Version Update Result
    AntiVir 6.34.1.34 05.28.2006 no virus found
    Authentium 4.93.8 05.28.2006 no virus found
    Avast 4.6.695.0 05.26.2006 no virus found
    AVG 386 05.28.2006 no virus found
    BitDefender 7.2 05.28.2006 no virus found
    CAT-QuickHeal 8.00 05.27.2006 no virus found
    ClamAV devel-20060426 05.28.2006 no virus found
    DrWeb 4.33 05.28.2006 no virus found
    eTrust-InoculateIT 23.72.20 05.28.2006 no virus found
    eTrust-Vet 12.6.2229 05.26.2006 no virus found
    Ewido 3.5 05.28.2006 no virus found
    Fortinet 2.77.0.0 05.28.2006 suspicious
    F-Prot 3.16c 05.28.2006 no virus found
    Ikarus 0.2.65.0 05.28.2006 Trojan.Favadd
    Kaspersky 4.0.2.24 05.28.2006 no virus found
    McAfee 4771 05.26.2006 no virus found
    Microsoft 1.1441 05.28.2006 no virus found
    NOD32v2 1.1562 05.27.2006 no virus found
    Norman 5.90.17 05.26.2006 no virus found
    Panda 9.0.0.4 05.28.2006 no virus found
    Sophos 4.05.0 05.28.2006 no virus found
    Symantec 8.0 05.28.2006 no virus found
    TheHacker 5.9.8.149 05.26.2006 no virus found
    UNA 1.83 05.26.2006 no virus found
    VBA32 3.11.0 05.28.2006 no virus found

    Additional Information
    File size: 83698 bytes
    MD5: bd95b66ecefa3052d89ca997f9c1a21d
    SHA1: 08af0a8997ab2bfaf8d45d3cec7be23785f662b7
     
  3. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    I'm told that Dr.Web now detects these variants as Trojan.Popuper
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    BTW, some time ago the creator of TD.Zlob was complaining that we detected it, and asked us to remove detection :D
     
  5. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
  6. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Yes, I remember it. There was this guy who wasn't convinced it was a nasty, then another one said "finally all antiviruses removed signature detection" (false and absurd). This is a known malware. Do not, I repeat do NOT, ever install anything that's on:

    emcodec.com
    emediacodec.com
    getcodecs.com
    media-codec.com
    v-codec.com
    vcodec-download.com
    vcodec-get.com
    vcodec.com
    vcodecdownload.com
    vcodecget.com
    vcodecget.net
    vcodecobtain.com
    vcodecpull.com
    vcodecreceive.com
    vicodec.com
    vidcodec.com
    videocodecupdate.com
    vidscodec.com
    zcodec.com

    All this is related to codeccash.com, part of Smitfraud. Sunbelt talked about it: http://sunbeltblog.blogspot.com/2006/01/videoc-monstrosity-and-codeccash.html

    And by the way, these guys are quite neat. Every time they come up with another version they make sure it's not detected by any antivirus out there. And their methods of infection (spambots) are incredibly convincing for 'regular' people (at least the Italian ones I've seen).
     
  7. ugly

    ugly Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    276
    Location:
    Romania
    Well done eset! :D
    This time faster than kaspersky! :eek:

    (attachment: zlob.JPG)
     
  8. i_kenefick

    i_kenefick Registered Member

    Joined:
    Nov 29, 2005
    Posts:
    135
    Location:
    Cork, Ireland.
    lol :isay:
     
  9. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Apparently so! :)

    I've now forwarded samples to ALL developers. There really is NO place for favoritism where computer security is concerned!

    Let's see what happens when the next build of this pest is unleashed on the unwitting... :doubt:
     
  10. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    This will happen :) We spotted it more than 10 hours ago.
     

    Attached: zlob.png
  11. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Nice job ESET. Now all my 5 variants of Trojan.Zlob are detected while most of the AVs don't know them yet. :thumb:
    And here's another proof. :)
     
  12. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    @Marco - I don't know if you can answer this - but I'll try anyway ...
    Is probably an envelope det. while the one w/o probably a sig?
     
  13. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    I'm doubtful it's just a matter of the envelope, otherwise some of the other AVs would most likely report it as suspicious.
     
  14. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Erm, back to the drawing board, I'm afraid...

    Latest variants (samples submitted and uploaded at M-R.)

    Complete scanning result of "digikeygen_ver1.541.exe", received in VirusTotal at 06.04.2006, 10:38:01 (CET).

    Antivirus Version Update Result
    AntiVir 6.34.1.37 06.03.2006 no virus found
    Authentium 4.93.8 06.02.2006 no virus found
    Avast 4.7.844.0 06.02.2006 no virus found
    AVG 386 06.02.2006 no virus found
    BitDefender 7.2 06.04.2006 no virus found
    CAT-QuickHeal 8.00 06.03.2006 no virus found
    ClamAV devel-20060426 06.04.2006 no virus found
    DrWeb 4.33 06.04.2006 no virus found
    eTrust-InoculateIT 23.72.26 06.03.2006 no virus found
    eTrust-Vet 12.6.2240 06.02.2006 no virus found
    Ewido 3.5 06.03.2006 no virus found
    Fortinet 2.77.0.0 06.03.2006 suspicious
    F-Prot 3.16f 06.02.2006 no virus found
    Ikarus 0.2.65.0 06.02.2006 Trojan-Downloader.Win32.Zlob.ni
    Kaspersky 4.0.2.24 06.04.2006 Trojan-Downloader.Win32.Zlob.qz
    McAfee 4776 06.02.2006 no virus found
    Microsoft 1.1441 06.04.2006 no virus found
    NOD32v2 1.1577 06.04.2006 no virus found
    Norman 5.90.17 06.02.2006 no virus found
    Panda 9.0.0.4 06.03.2006 no virus found
    Sophos 4.05.0 06.03.2006 no virus found
    Symantec 8.0 06.04.2006 no virus found
    TheHacker 5.9.8.154 06.01.2006 no virus found
    UNA 1.83 06.02.2006 no virus found
    VBA32 3.11.0 06.04.2006 no virus found

    Additional Information
    File size: 80890 bytes
    MD5: da7128a900d1c5f6b774ab3ad17b4dd1
    SHA1: 5f877e563b19f59b2277867b054f384c0df272e8


    Complete scanning result of "mediacodec-v4.541.exe", received in VirusTotal at 06.04.2006, 10:38:46 (CET).

    Antivirus Version Update Result
    AntiVir 6.34.1.37 06.03.2006 no virus found
    Authentium 4.93.8 06.02.2006 no virus found
    Avast 4.7.844.0 06.02.2006 no virus found
    AVG 386 06.02.2006 no virus found
    BitDefender 7.2 06.04.2006 no virus found
    CAT-QuickHeal 8.00 06.03.2006 no virus found
    ClamAV devel-20060426 06.04.2006 no virus found
    DrWeb 4.33 06.04.2006 Trojan.Popuper
    eTrust-InoculateIT 23.72.26 06.03.2006 no virus found
    eTrust-Vet 12.6.2240 06.02.2006 no virus found
    Ewido 3.5 06.03.2006 no virus found
    Fortinet 2.77.0.0 06.03.2006 W32/Zlob.PC!tr
    F-Prot 3.16f 06.02.2006 no virus found
    Ikarus 0.2.65.0 06.02.2006 Trojan.Favadd
    Kaspersky 4.0.2.24 06.04.2006 Trojan-Downloader.Win32.Zlob.qz
    McAfee 4776 06.02.2006 no virus found
    Microsoft 1.1441 06.04.2006 no virus found
    NOD32v2 1.1577 06.04.2006 no virus found
    Norman 5.90.17 06.02.2006 no virus found
    Panda 9.0.0.4 06.03.2006 no virus found
    Sophos 4.05.0 06.03.2006 no virus found
    Symantec 8.0 06.04.2006 no virus found
    TheHacker 5.9.8.154 06.01.2006 Trojan/Downloader.Zlob.pz
    UNA 1.83 06.02.2006 no virus found
    VBA32 3.11.0 06.04.2006 no virus found

    Additional Information
    File size: 72229 bytes
    MD5: a036896f2a2f6ca759bebdb4619a7498
    SHA1: 359c1c7f35247d06ee527b656c34398191096908
     
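The VirusTotal result tables quoted in this thread are plain text, so comparing vendors across several submissions by eye gets tedious. As an added example (editor's code, not part of any post above), the following Python parses that text format into per-vendor verdicts and hashes, then counts in how many of the submitted samples each vendor fired. The embedded sample is an abbreviated copy of the two 04.06.2006 reports above (only a handful of vendor rows kept); "suspicious" is counted as a detection, which is an editorial choice.

```python
import re
from dataclasses import dataclass, field

# One report starts with this header line; the timestamp is captured verbatim.
HEADER_RE = re.compile(
    r'Complete scanning result of "([^"]+)", received in VirusTotal at (.+?)\.\s*$'
)
# Vendor rows: "<vendor> <engine version> <dd.mm.yyyy> <verdict...>"
ROW_RE = re.compile(r'^(\S+) (\S+) (\d{2}\.\d{2}\.\d{4}) (.+)$')
HASH_RE = re.compile(r'^(MD5|SHA1): ([0-9a-fA-F]+)$')

CLEAN = "no virus found"


@dataclass
class Report:
    filename: str
    received: str
    results: dict = field(default_factory=dict)  # vendor -> verdict string
    hashes: dict = field(default_factory=dict)   # "MD5"/"SHA1" -> lowercase hex

    def detections(self):
        """Vendors that reported anything other than a clean verdict."""
        return {v: r for v, r in self.results.items() if r != CLEAN}


def parse_reports(text):
    """Split a pasted VirusTotal text dump into Report objects."""
    reports, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            cur = Report(m.group(1), m.group(2))
            reports.append(cur)
            continue
        if cur is None or not line:
            continue
        m = HASH_RE.match(line)
        if m:
            cur.hashes[m.group(1)] = m.group(2).lower()
            continue
        m = ROW_RE.match(line)
        if m:  # header and "File size" lines have no date field, so they fall through
            cur.results[m.group(1)] = m.group(4).strip()
    return reports


def vendor_coverage(reports):
    """vendor -> number of reports in which that vendor detected the sample."""
    coverage = {}
    for r in reports:
        for vendor in r.results:
            coverage.setdefault(vendor, 0)
        for vendor in r.detections():
            coverage[vendor] += 1
    return coverage


def find_by_hash(reports, digest):
    """Look up a sample by MD5 or SHA1 (case-insensitive); None if unknown."""
    digest = digest.lower()
    for r in reports:
        if digest in r.hashes.values():
            return r
    return None


# Constructed sample: abbreviated copy of the two reports quoted in this thread.
SAMPLE = '''\
Complete scanning result of "digikeygen_ver1.541.exe", received in VirusTotal at 06.04.2006, 10:38:01 (CET).

Antivirus Version Update Result
AntiVir 6.34.1.37 06.03.2006 no virus found
DrWeb 4.33 06.04.2006 no virus found
Fortinet 2.77.0.0 06.03.2006 suspicious
Ikarus 0.2.65.0 06.02.2006 Trojan-Downloader.Win32.Zlob.ni
Kaspersky 4.0.2.24 06.04.2006 Trojan-Downloader.Win32.Zlob.qz
NOD32v2 1.1577 06.04.2006 no virus found
TheHacker 5.9.8.154 06.01.2006 no virus found

Additional Information
File size: 80890 bytes
MD5: da7128a900d1c5f6b774ab3ad17b4dd1
SHA1: 5f877e563b19f59b2277867b054f384c0df272e8

Complete scanning result of "mediacodec-v4.541.exe", received in VirusTotal at 06.04.2006, 10:38:46 (CET).

Antivirus Version Update Result
AntiVir 6.34.1.37 06.03.2006 no virus found
DrWeb 4.33 06.04.2006 Trojan.Popuper
Fortinet 2.77.0.0 06.03.2006 W32/Zlob.PC!tr
Ikarus 0.2.65.0 06.02.2006 Trojan.Favadd
Kaspersky 4.0.2.24 06.04.2006 Trojan-Downloader.Win32.Zlob.qz
NOD32v2 1.1577 06.04.2006 no virus found
TheHacker 5.9.8.154 06.01.2006 Trojan/Downloader.Zlob.pz

Additional Information
File size: 72229 bytes
MD5: a036896f2a2f6ca759bebdb4619a7498
SHA1: 359c1c7f35247d06ee527b656c34398191096908
'''

REPORTS = parse_reports(SAMPLE)

if __name__ == "__main__":
    for r in REPORTS:
        print(f"{r.filename}: {len(r.detections())}/{len(r.results)} vendors, md5={r.hashes['MD5']}")
    for vendor, n in sorted(vendor_coverage(REPORTS).items(), key=lambda kv: -kv[1]):
        print(f"  {vendor:<12} detected {n}/{len(REPORTS)}")
```

Pasting a full report (all 25 vendor rows) works the same way; the point of `vendor_coverage` is exactly the observation made later in this thread, that which vendor misses a given Zlob build changes from one submission to the next, so a single report says little about any one product.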
  15. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    they've added a Win32/TrojanDownloader.Zlob.PI today. See if rescanning changes the result... ;)
    Edit: It's not detected...I've checked. :(
     
    Last edited: Jun 4, 2006
  16. ugly

    ugly Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    276
    Location:
    Romania
    New Zlob. Sent it to eset & kaspersky.

    (attachment: zlob.JPG)

    Is dr.web detecting heuristically all Zlob variants? (Trojan.Popuper) o_O
     
  17. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    It seems yes. :D
    ESET could have taken a look at those websites posted by TNT and they would have added the trojan faster. :)
     
  18. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Another one:

    Complete scanning result of "mediacodec-v4.107.exe", received in VirusTotal at 06.04.2006, 13:10:47 (CET).

    Antivirus Version Update Result
    AntiVir 6.34.1.37 06.03.2006 no virus found
    Authentium 4.93.8 06.02.2006 no virus found
    Avast 4.7.844.0 06.02.2006 no virus found
    AVG 386 06.02.2006 no virus found
    BitDefender 7.2 06.04.2006 no virus found
    CAT-QuickHeal 8.00 06.03.2006 no virus found
    ClamAV devel-20060426 06.04.2006 no virus found
    DrWeb 4.33 06.04.2006 Trojan.Popuper
    eTrust-InoculateIT 23.72.26 06.03.2006 no virus found
    eTrust-Vet 12.6.2240 06.02.2006 no virus found
    Ewido 3.5 06.03.2006 no virus found
    Fortinet 2.77.0.0 06.03.2006 W32/Zlob.PC!tr
    F-Prot 3.16f 06.02.2006 no virus found
    Ikarus 0.2.65.0 06.02.2006 Trojan.Favadd
    Kaspersky 4.0.2.24 06.04.2006 no virus found
    McAfee 4776 06.02.2006 no virus found
    Microsoft 1.1441 06.04.2006 no virus found
    NOD32v2 1.1577 06.04.2006 no virus found
    Norman 5.90.17 06.02.2006 no virus found
    Panda 9.0.0.4 06.03.2006 no virus found
    Sophos 4.05.0 06.03.2006 no virus found
    Symantec 8.0 06.04.2006 no virus found
    TheHacker 5.9.8.154 06.01.2006 Trojan/Downloader.Zlob.pz
    UNA 1.83 06.02.2006 no virus found
    VBA32 3.11.0 06.04.2006 no virus found

    Additional Information
    File size: 71953 bytes
    MD5: 564a4fd2467d21cdd4f792b0cb163231
    SHA1: a5a86a37b84c3c6275b79a6d296cd1f0817d182b
     
  19. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    It seems Dr.Web has full control on this threat. I've sent 2 of these variants today to ESET... hope an update will be cooked soon. :D
     
  20. Benvan45

    Benvan45 Registered Member

    Joined:
    Jul 27, 2004
    Posts:
    556
    Just spent hours to remove such a bugger and I'm very disappointed that Nod fails on this detection!
     
  21. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Well, hopefully they detect most of the variants... while BitDefender detects none. But they should also detect the latest variants, which they don't. :(
    See another example... Strange these new Zlob variants appear on weekends when ESET is on vacation. :rolleyes:
     
  22. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    In fact Nod32 isn't doing badly at all on this, compared to many of the other vendors, taking into account that most of them (including Symantec, McAfee and so on) never detected even ONE of the variants submitted....

    Do remember that this one changes ALL the time. Next time it may well be Kaspersky, DrWeb, or you name it failing here with Nod32 again detecting it.
     
  23. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    yes, that's right Tony. :) They act well detecting them but they must hurry up. :D
     
  24. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    IMON should protect you against TD Zlob, though I must admit there's one thing we need to adjust to block all its new variants.
     
  25. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Here's an updated one:

    codeccash.com
    emcodec.com
    emediacodec.com
    getcodecs.com
    media-codec.com
    mediacodec.net
    v-codec.com
    vcodec-download.com
    vcodec-get.com
    vcodec.com
    vcodecdownload.com
    vcodecget.com
    vcodecget.net
    vcodecobtain.com
    vcodecpull.com
    vcodecreceive.com
    vicodec.com
    vidcodec.com
    videocodecupdate.com
    vidscodec.com
    zcodec.com

    The domain vcodec.com expired and getcodecs.com is for sale. Some of the others are just empty right now (but have been distributing trojans before, and they might well start again), some are alive and well pushing trojans all over the place.

    I'll keep all those in my block list for now, though.
     
    Last edited: Jun 4, 2006
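TNT's list above is meant to go into a block list, and the usual home-user way to do that in 2006 was the hosts file. As an added example (editor's code, not from any participant in this thread), the following Python validates the posted domains, emits hosts-file entries for them, and checks whether a given URL's host falls under one of the listed domains, including subdomains, which a hosts file alone cannot express because it has no wildcards (hence the explicit `www.` entries). The sink address `0.0.0.0` and the `www.` convention are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Domain list as posted in the thread (the updated one above).
ZLOB_CODEC_DOMAINS = """
codeccash.com
emcodec.com
emediacodec.com
getcodecs.com
media-codec.com
mediacodec.net
v-codec.com
vcodec-download.com
vcodec-get.com
vcodec.com
vcodecdownload.com
vcodecget.com
vcodecget.net
vcodecobtain.com
vcodecpull.com
vcodecreceive.com
vicodec.com
vidcodec.com
videocodecupdate.com
vidscodec.com
zcodec.com
"""

# Syntactic check only: LDH labels of 1-63 chars, alphabetic TLD, <= 253 chars total.
DOMAIN_RE = re.compile(r'^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$')


def load_domains(text):
    """Normalise a pasted list (one domain per line, '#' comments allowed)."""
    domains = set()
    for line in text.splitlines():
        d = line.strip().lower().rstrip(".")
        if not d or d.startswith("#"):
            continue
        if not DOMAIN_RE.match(d):
            raise ValueError(f"not a valid domain name: {d!r}")
        domains.add(d)
    return sorted(domains)


def hosts_entries(domains, sink="0.0.0.0"):
    """hosts-file lines; 'www.' variants are added because hosts has no wildcards."""
    lines = ["# Zlob / codeccash fake-codec domains (from the Wilders thread)"]
    for d in domains:
        lines.append(f"{sink} {d}")
        lines.append(f"{sink} www.{d}")
    return "\n".join(lines) + "\n"


def host_of(url):
    """Hostname of a URL; bare hostnames are accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def is_blocked(url, domains):
    """True if the URL's host is a listed domain or any subdomain of one."""
    host = host_of(url)
    return any(host == d or host.endswith("." + d) for d in domains)


if __name__ == "__main__":
    doms = load_domains(ZLOB_CODEC_DOMAINS)
    print(hosts_entries(doms), end="")
    for u in ("http://www.vcodec.com/download.php", "cdn.zcodec.com", "http://notvcodec.com/"):
        print(f"{u:<40} blocked={is_blocked(u, doms)}")
```

The suffix check in `is_blocked` is what a proxy or DNS filter should do with this list; note that `notvcodec.com` is deliberately not matched, since only a dot-separated label boundary counts.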