Trojan Zlob

don't forget Dr.Web.

 

Yes, so true, but I got hit around noon today without Nod detecting anything......so.....it's just very short this party.

 

F-Prot is doing terribly. Microsoft, I expected that. Norton too.

 

hxxp://www.v-codec.com/getcodec/SVideoCodec4_01a.exe

 

It's all good here

 

Aren't you forgetting something?

 

Bridging the gap while generic detection is improved

 

and again...
With IMON correctly configured it is not possible to download these files...
Same for digikeygen.com etc...

 

Ops, sorry, I don't use NOD so I didn't know that. Good job on that though, but the signature needs to be updated anyway IMHO.

 

The internet filter needs an update actually.. Last update was in 2004.
Without that enabled, we would have been screwed...

 

I thought these were added to the list quite recently?

 

Well if they did, they forgot the update the version number...

Internet filter version: 1.002 (20040708]
Internet filter build: 1013

 

heheh
Details, details - I really don't know

 

But I like details .. awww

 

And by the way the last sample is Version 102 of this "codec".

I just took a look into it and it's easy to calculate it:

Search for "VERID" (This should be at the end of the file) After this take out the next 2 bytes ala "66 00" ---> Flip them ---> 00 66

Now start the calculator and switch into advanced mode and enter with HEX activated 66. This will result in 102 dec which represents the version number

So basically you could even add a detection which gives you the "version information" of this trojan This last 2 bytes are changed directly on the webserver before downloading - so basically it creates the version based on the URL Request

 

Hello Inspector,
Nice to hear from you

 

Hmmm... you mean the server creates the executable at the moment of the http request? Are you sure of this? I'm under the impression that these are created dynamically yes (obviously), but through a cron job or something similar, not at download time.

On a side note, this "ever changing" technique seems to be the upcoming trend in malware. New sites that keep changing malware urls every 10 minutes or something (along with the obfuscated javascript that runs the exploits). All this is clearly dynamically "scripted" on the server. See http://cut-thecrap.blogspot.com/2006/05/what-to-donet.html (it's in Italian, but it should be pretty clear). These are, in fact, probably the same people, the infamous "iframecash" scammers. I would go so far as saying that right now, given their continuous creation of fake codecs, hacking of vulnerable forums (http://isc.sans.org/diary.php?storyid=1375), blog spamming, "referer" spamming, etc, these are right now the most active and annoying (or perhaps even "dangerous") of all the malware creators around. More, they seem to be buying dozens of new domains every day.

 

Internet filter is actually the packet worm scanner - another part of IMON that serves to intgercept dangerous packets. It has nothing to do with blocking sites.

 

Well it's still old.

 

Because there's nothing to update

 

sorry to dissapoint you guys but I was able to download the file with no problem. IMON gave me no warning. Perhaps I should check Higher efficiency for FF, otherwise in Higher compatibility mode it let you download the file. So NOD should add detection for it.

 

Tell it loud...maybe ESET will hear you and add this detection faster.

 

Nope, it works in both HE and HC mode. I've just tried that url and it was blocked by IMON fine. Didn't you turn off this option in the IMON setup by chance?

 

Well, here's a screenshot....see if something's wrong... but wnyway a signature will be useful.

EDIT: Now IMON works fine....it sows me that warning about the websites being on the list of malicious websites... but what happen if the malware is on another website that NOD32 doesn't block ?

 

AFAIK - this submodule is for detection and blocking of things like automatic network worms like Slammer. I've read some documentation so suggest this.