A New Trojan?

./SYSTEM32/VOBLAIZDUPLA.EXE

This is the first piece of malicious software I have ever gotten and I am unable to find any information on it anywhere. I tried checking wildlist.org, kaspersy's lists, mcafee's lists, and even did a google search on the thing. All returned nothing.

It attempted to access the internet when I opened IE and ZoneAlarm gave me a popup, so I remember/denied it access. I then ran AV scan. Kaspersky detected this as a Trojan and I killed its process so it could delete the file. I also found a .pf file with this in the name and I removed that manually.

Can anyone tell me anything about this file? Is this a new trojan? If you guys know anything about it, am I safe at this point?

 

hi,

you could try uploading it at Jotti's or Virus Total to see if any AV scanners do recognise it:

http://virusscan.jotti.org/
http://www.virustotal.com/

regards, Lee

 

Thanks for the response, Lee.

Unfortunately in my haste to prevent damage I allowed KAV to delete the file. In the future should I just attempt to upload it before deleting it?

I know KAV recognized it, but whether it recognized it with signature or heuristics I guess there's no way to tell.

 

I believe that KAV will back up a file when it is deleted, you may check the back up folder to see. Then possibly submit it a jotti's.

Regards

 

I've analyzed it in the italian forum where I am.

VOBLAIZDUPLA.EXE is a trojan downloader that download a file, called parad.raw.exe from a still up webserver.

From the webserver it download a clean dll, called zlbw.dll, and some garbage files.

then a copy of parad.raw.exe is done and called taskdir.exe.

Taskdir.exe is a new variant of trojan Lager. It contains a dll embeeded, called taskdir.dll.

taskdir.dll is then "injected" in every system process. This dll has "rootkit" features, because it hide every file or directory called "taskdir" from user's eyes. (this is to hide taskdir.exe execution).

I've analyzed it and reported to antivirus companies who are adding the signature

for italian-able readers: http://www.hwupgrade.it/forum/showthread.php?t=1163140

After my report these antiviruses added signature:

Kaspersky (taskdir.exe)
Dr.Web (taskdir.exe)
Norton AV
Ewido
Antivir (one of the next updates)
avg
viruscape

 

I just finished description for it. Unfortunately it's not online yet but i can attach it here as document

 

-Uploaded attachment as a zip file- dog

It includes as well instructions and screenshots for manual cleaning of this rootkit.

 

well done Mike

Confirmed my analysis was right

 

When do you intend to start working for us?

 

joker

 

maybe start today?

 

You know my email - send your CV

 

Re: VOBLAIZDUPLA.EXE / TaskDir.Exe / TaskDir.Dll

Hi Guys

VOBLAIZDUPLA.EXE is well described at:

http://fileinfo.prevx.com/fileinfo.asp?PXC=bff115126326-VOBL12192734

Further analysis on the Prevx Research site shows that VOBLAIZDUPLA.EXE creates TaskDir.exe which in turn creates ZLBW.DLL and TaskDir.DLL.

Also, Prevx have just launched a new Hot Malicious FileInfo center. Worth trying if you want to find out details on new malicious files early on in their lifetime. It is located by Clicking the File Info Center link in the right hand panel of the home page at http://www.prevx.com.

Take Care, be safe!

 

Thanks for all this info... your findings and attachment worked great and I was able to get rid of this off of my system.

thanks Again.