Trojan Zlob

Discussion in 'NOD32 version 2 Forum' started by ugly, May 27, 2006.

Thread Status:
Not open for further replies.
  1. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Don't forget hxxp://www.digikeygen.com/ ; the files hail from there as well
     
  2. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    I saw that site and I didn't find any file downloads on there. Are they linked anywhere apart from the homepage, or is this from traffic analysis on an infected machine?
     
  3. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    We're waiting for that thing you need to adjust. :D
     
  4. Benvan45

    Benvan45 Registered Member

    Joined:
    Jul 27, 2004
    Posts:
    556
    I got no detection at all, neither on-demand. Statistical information has been sent a few times, but I don't know what's in that. It should be logged, but what exactly is that information? I was looking for information regarding Zlob.

    Time Module Event User
    4-6-2006 12:56:16 Kernel Statistical information has been sent to Eset.
    4-6-2006 11:55:25 Kernel Statistical information has been sent to Eset.
    4-6-2006 11:55:13 Kernel Statistical information has been sent to Eset.
    3-6-2006 23:00:17 Kernel Statistical information has been sent to Eset.
    Where can I find the log with the sent data?
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    See the ThreatSense help file, there's an example of the information submitted.

    As for TD Zlob detection, most likely you have the HTTP scanner disabled, or it would block them automatically.
     
  6. Benvan45

    Benvan45 Registered Member

    Joined:
    Jul 27, 2004
    Posts:
    556
    No, I have not disabled the HTTP scanner!
     
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    So you are saying that you downloaded the trojan from hxxp://media-xxxxxxx.com without IMON blocking it? Didn't you change the default IMON settings by disabling some options?
     
  8. andyrock

    andyrock Registered Member

    Joined:
    Mar 27, 2006
    Posts:
    22

    Hi!

    This one is working with imon activated: www. mediacodec .net
     
  9. Benvan45

    Benvan45 Registered Member

    Joined:
    Jul 27, 2004
    Posts:
    556
    I got this bugger through a website, didn't download it from hxxp://media-xxxxxxx.com, so I can't tell why and how!
    I have not changed/disabled anything at all within Imon. I wish I still had a report about this trojan when I cleaned it with Spybot. I used Ewido Micro and it was detected properly, but the pc blocked when trying to delete. I sure will save a log or report the next time, so everybody can see what it is.
    The only thing I noticed from Nod, was the fact that Statistical information was sent, and I would love to know what the information was, as it was sent at the moment I got hit by that Trojan. You refer to a helpfile with an example of the information being sent, but what good is that gonna do? I would like to see what is sent exactly, as it should be logged......or I must be going crazy now. So, where can I find that log?

    Time Module Event User
    4-6-2006 12:56:16 Kernel Statistical information has been sent to Eset.
    4-6-2006 11:55:25 Kernel Statistical information has been sent to Eset.
    4-6-2006 11:55:13 Kernel Statistical information has been sent to Eset.
     
  10. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    It's where all the "digikeygen_ver*.***.exe" files you've seen the VT reports of hail from.

    Just like most of the mediacodec files, they're infecting folks at certain p0rn sites, where people are prompted to "click this in order to obtain a password for free and easy access"
     
  11. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Here's part of the FireFox Page Info on one of these sites. As you can see you click almost ANYthing on that web page, and you're toast... LOL
     
  12. Benvan45

    Benvan45 Registered Member

    Joined:
    Jul 27, 2004
    Posts:
    556
    I got hit through an online Poker Site.......too bad I don't remember which one. With the big names (Online Poker) never had any trouble.
     
  13. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Thanks. Added to my block list.
     
  14. andyrock

    andyrock Registered Member

    Joined:
    Mar 27, 2006
    Posts:
    22
    Trojans detected now :)
     
  15. Benvan45

    Benvan45 Registered Member

    Joined:
    Jul 27, 2004
    Posts:
    556
    Detected by what?
     
  16. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Found a new one:
    hxxp://www.nvidcodec.com/getcodec/SVideoCodec4_01a.exe

    New site as well (for me), so here's the updated list:


    NB: not all these are distributing trojans at the moment. But they have.
     
  17. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Ah, good catch! :)

    Complete scanning result of "SVideoCodec4_01a.exe", received in VirusTotal at 06.04.2006, 17:33:45 (CET).

    Antivirus Version Update Result
    AntiVir 6.34.1.37 06.04.2006 no virus found
    Authentium 4.93.8 06.02.2006 no virus found
    Avast 4.7.844.0 06.02.2006 no virus found
    AVG 386 06.02.2006 no virus found
    BitDefender 7.2 06.04.2006 no virus found
    CAT-QuickHeal 8.00 06.03.2006 no virus found
    ClamAV devel-20060426 06.04.2006 no virus found
    DrWeb 4.33 06.04.2006 no virus found
    eTrust-InoculateIT 23.72.28 06.04.2006 no virus found
    eTrust-Vet 12.6.2240 06.02.2006 no virus found
    Ewido 3.5 06.04.2006 no virus found
    Fortinet 2.77.0.0 06.03.2006 W32/Zlob.PC!tr
    F-Prot 3.16f 06.02.2006 no virus found
    Ikarus 0.2.65.0 06.02.2006 Trojan.Favadd
    Kaspersky 4.0.2.24 06.04.2006 no virus found
    McAfee 4776 06.02.2006 no virus found
    Microsoft 1.1441 06.04.2006 no virus found
    NOD32v2 1.1578 06.04.2006 Win32/TrojanDownloader.Zlob.PJ
    Norman 5.90.17 06.02.2006 no virus found
    Panda 9.0.0.4 06.04.2006 no virus found
    Sophos 4.05.0 06.03.2006 no virus found
    Symantec 8.0 06.04.2006 no virus found
    TheHacker 5.9.8.154 06.01.2006 Trojan/Downloader.Zlob.pz
    UNA 1.83 06.02.2006 no virus found
    VBA32 3.11.0 06.04.2006 no virus found

    Additional Information
    File size: 71953 bytes
    MD5: 2f49353169fe4b7d11ad3d0919bfa478
    SHA1: e83472de67cf7fb3ed0cb3fb73b4573628f0baec
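    To make sense of a multi-engine report like the one quoted above, here is an added Python example (not from this thread and not VirusTotal's own code) that parses that plain-text result format, lists which engines flagged the sample, and flags engines whose signature set was older than the scan date, since a miss from a stale engine says less than a miss from an updated one. The subset of result lines embedded below is taken from the post, while the one-day staleness threshold is an assumption.

```python
import re
from datetime import datetime

# Subset of the VirusTotal result lines quoted in the post above (MM.DD.YYYY dates)
VT_REPORT = """\
Antivirus Version Update Result
AntiVir 6.34.1.37 06.04.2006 no virus found
ClamAV devel-20060426 06.04.2006 no virus found
Fortinet 2.77.0.0 06.03.2006 W32/Zlob.PC!tr
Ikarus 0.2.65.0 06.02.2006 Trojan.Favadd
McAfee 4776 06.02.2006 no virus found
NOD32v2 1.1578 06.04.2006 Win32/TrojanDownloader.Zlob.PJ
Symantec 8.0 06.04.2006 no virus found
TheHacker 5.9.8.154 06.01.2006 Trojan/Downloader.Zlob.pz
"""

SCAN_DATE = datetime(2006, 6, 4)  # "received in VirusTotal at 06.04.2006"
# engine  version  update-date  result (result may contain spaces)
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+)$")

def parse_vt_report(text):
    """Return [(engine, version, update_date, result)], skipping the header line."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Antivirus "):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised result line: {line!r}")
        engine, version, upd, result = m.groups()
        rows.append((engine, version, datetime.strptime(upd, "%m.%d.%Y"), result.strip()))
    return rows

def detections(rows):
    """engine -> verdict, for every engine that did not report 'no virus found'."""
    return {e: r for e, _v, _u, r in rows if r.lower() != "no virus found"}

def stale_engines(rows, scan_date=SCAN_DATE, max_age_days=1):
    """Engines whose signatures were more than max_age_days old at scan time (assumed threshold)."""
    return sorted(e for e, _v, upd, _r in rows if (scan_date - upd).days > max_age_days)

def summarize(text=VT_REPORT):
    rows = parse_vt_report(text)
    hits = detections(rows)
    zlob = sum(1 for r in hits.values() if "zlob" in r.lower())
    return {"engines": len(rows), "detected": len(hits), "zlob_named": zlob,
            "stale": stale_engines(rows), "hits": hits}
```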
     
  18. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,174
    Location:
    Denmark
    Well that's a first, for me anyways :p
     
  19. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    hxxp://www.digipassword.com/get/digipass_ver1.[number].exe

    [number] = number from 104 to 660.

     
  20. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Yes...now all threats are detected. :thumb:
    Tony, please don't post links to infected websites. :D :D
     
  21. Benvan45

    Benvan45 Registered Member

    Joined:
    Jul 27, 2004
    Posts:
    556
    Great result for Nod32, but terrible for the rest, man......what is everybody gonna do??
     
  22. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    They'll live...that's all. :D Nice indeed for NOD32 ;)
     
  23. Benvan45

    Benvan45 Registered Member

    Joined:
    Jul 27, 2004
    Posts:
    556
    The log is shown in the event log, but it does not show what information has been sent and I'd like to know why this is. Especially in my case, when information was sent during the infection of this trojan, why can't they just log all information?

    I just don't like not getting a proper answer about this logging, what good is a help file with an example gonna do? It amazes me more and more.....and I'm really beginning to think different about this whole 'Big' Nod32.
     
  24. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    The detection of these Zlob trojans is GODAWFUL for most AVs. KAV, NOD32 and (somewhat surprisingly) ClamAV seem the only ones to care at all.

    Frankly, some of those AV vendors should be ashamed of themselves.
     
  25. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Ikarus and Fortinet are doing pretty well too.

    You can only be disappointed in McAfee, Norton, and a couple of other big names.

    And in Microsoft as well (bless their little hearts... LOL!)
     