Trojan Zlob

btw, here's the updated result for the latest variant. NOd32 detects it

 

Check the miscellaneous tab for IMON. At the bottom of the screen one finds a check box for website access blocking. It is clear that this DOES work when it is not unchecked. Someone that collects samples will likely have it disabled.

 

New addresses:
codecmania.com
lastcodec.com
modecodec.com
my-codec.com
my-homemade.com
your-codec.com

Listing:
codecmania.com
codeccash.com
digikeygen.com
digipassword.com
emcodec.com
emediacodec.com
getcodecs.com #expired
lastcodec.com
media-codec.com
mediacodec.net
modecodec.com
my-codec.com
my-homemade.com
nvidcodec.com
v-codec.com
vcodec-download.com
vcodec-get.com
vcodec.com #expired
vcodecdownload.com
vcodecget.com
vcodecget.net
vcodecobtain.com
vcodecpull.com
vcodecreceive.com
vicodec.com
vidcodec.com
videocodecupdate.com
vidscodec.com
your-codec.com
zcodec.com

hxxp://www.my-codec.com/download/VCodec_v0.0.1.exe

 

It's still amazing how few scanners are able to tackle that 'very nasty bugger'.!

 

amazes me how many variants there are and how quickly they are appearing. maybe it shouldnt really amaze me, maybe annoy me is a better way of putting it. either way i'm glad eset are on the ball with them!

oh look, update 1.1584 has even more of them....

 

and another proof. Good work ESET

 

Even AVG is on the ball......!!

 

there are always mistakes my friend. (joking. )

 

Annoying it is for sure!

 

i see advanced heuristics were 'tweaked' yesterday too, wonder if it had anything to do with Zlobs

 

it might have. Maybe Marcos will tell us.
Btw, the last proof.

 

actually just noticed AH were updated in todays 1.1584 update, not yesterday

 

New site: imediacodec.com

codecmania.com
codeccash.com
digikeygen.com
digipassword.com
emcodec.com
emediacodec.com
getcodecs.com #expired
imediacodec.com
lastcodec.com
media-codec.com
mediacodec.net
modecodec.com
my-codec.com
my-homemade.com
nvidcodec.com
v-codec.com
vcodec-download.com
vcodec-get.com
vcodec.com #expired
vcodecdownload.com
vcodecget.com
vcodecget.net
vcodecobtain.com
vcodecpull.com
vcodecreceive.com
vicodec.com
vidcodec.com
videocodecupdate.com
vidscodec.com
your-codec.com
zcodec.com

 

oh, my God! This list is getting bigger and bigger.
There are some Porn websites containing them, but of course we can't post them here.

 

Well that's nice to know haha

 

And a new one, file submitted to all concerned...

Complete scanning result of "SVideoCodec3_0.exe", received in VirusTotal at 06.07.2006, 22:22:23 (CET).

Antivirus Version Update Result
AntiVir 6.34.1.37 06.07.2006 no virus found
Authentium 4.93.8 06.07.2006 no virus found
Avast 4.7.844.0 06.06.2006 no virus found
AVG 386 06.07.2006 Downloader.Zlob.AOJ
BitDefender 7.2 06.07.2006 no virus found
CAT-QuickHeal 8.00 06.07.2006 no virus found
ClamAV devel-20060426 06.07.2006 no virus found
DrWeb 4.33 06.07.2006 no virus found
eTrust-InoculateIT 23.72.30 06.07.2006 no virus found
eTrust-Vet 12.6.2246 06.07.2006 no virus found
Ewido 3.5 06.07.2006 no virus found
Fortinet 2.77.0.0 06.07.2006 W32/Zlob.PC!tr
F-Prot 3.16f 06.06.2006 no virus found
Ikarus 0.2.65.0 06.07.2006 Trojan.Favadd
Kaspersky 4.0.2.24 06.07.2006 no virus found
McAfee 4779 06.07.2006 no virus found
Microsoft 1.1441 06.07.2006 no virus found
NOD32v2 1.1584 06.07.2006 no virus found
Norman 5.90.17 06.07.2006 no virus found
Panda 9.0.0.4 06.07.2006 no virus found
Sophos 4.06.0 06.07.2006 no virus found
Symantec 8.0 06.07.2006 no virus found
TheHacker 5.9.8.156 06.07.2006 no virus found
UNA 1.83 06.06.2006 no virus found
VBA32 3.11.0 06.07.2006 no virus found

Aditional Information
File size: 72649 bytes
MD5: fc22dcdbffa5696eb68f1b40759c5557
SHA1: 35621181fb62414edd91ff0c8c3a1cf1224117e6

 

... and the party goes on.

 

wow ... stupid trojan die!

 

Yeah, but image how much fun this must be for the companies who make legitimate software of this kind.

 

yeah...strange nobody could actually make a working heuristic engine for those nasties...

 

AVG kicking ass. Never though I'd say that.

 

Are you sure?

 

Cheating!

 

Is this just in F-Prot 6 or in version 3 as well? 'Cause man, it's been a little painful to see it miss all these trojans these days. Not that I feared for myself, but some people at work, you know, they are funny kids, you never know what they're gonna do when surfing.

 

v3 as well (Jotti uses v3) but there were several workarounds which i had to make to have it compatible with v3 without updating the full engine. In v3 this detection is splitted into proper Variant detections now, meaning this will really only flag if its MediaCodec Based. The other (different) types like VCodec will be added tomorrow between my lunch break when i have some time.