Trojan Zlob

Discussion in 'NOD32 version 2 Forum' started by ugly, May 27, 2006.

Thread Status:
Not open for further replies.
  1. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,174
    Location:
    Denmark
    I do hope it's not 100% automated.. Never trust those machines! ..:rolleyes:
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    Don't know what file(s) you submitted, but all these Zlobs are actually malicious.
     
  3. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    I know, but it appears to be difficult to convince the guys at Fortinet.

    Maybe you could have a go at it? http://www.spywareinfoforum.com/html/emoticons/weee.gif
     
  4. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    So these last Zlobs are detected after extraction?
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    Yes, they are and the archives will be as of the next update.
     
  6. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    thx for the info. ;)
     
  7. colt45allstar

    colt45allstar Registered Member

    Joined:
    Jun 9, 2006
    Posts:
    65
    Very informative stuff here guys and I appreciate those of you who send the samples not only to eset, but to the other vendors as well.

    I think all internet users should be protected.. regardless of what antivirus software they use.

    This seems like an ever evolving threat....

    I will say... those of you who willingly download these samples, just to report them and make the internet world a safer place... are much braver than I.

    I would be afraid I would download something that can't be reversed.
     
  8. hin123

    hin123 Registered Member

    Joined:
    Mar 24, 2005
    Posts:
    12
    good job :thumb:

    AntiVir 6.35.0.10 06.12.2006 no virus found
    Authentium 4.93.8 06.09.2006 no virus found
    Avast 4.7.844.0 06.11.2006 no virus found
    AVG 386 06.11.2006 no virus found
    BitDefender 7.2 06.12.2006 no virus found
    CAT-QuickHeal 8.00 06.10.2006 (Suspicious) - DNAScan
    ClamAV devel-20060426 06.12.2006 no virus found
    DrWeb 4.33 06.11.2006 no virus found
    eTrust-InoculateIT 23.72.34 06.11.2006 no virus found
    eTrust-Vet 12.6.2250 06.09.2006 no virus found
    Ewido 3.5 06.11.2006 no virus found
    Fortinet 2.77.0.0 06.12.2006 suspicious
    F-Prot 3.16f 06.09.2006 no virus found
    Ikarus 0.2.65.0 06.09.2006 no virus found
    Kaspersky 4.0.2.24 06.12.2006 no virus found
    McAfee 4781 06.09.2006 no virus found
    Microsoft 1.1441 06.12.2006 no virus found
    NOD32v2 1.1593 06.12.2006 Win32/TrojanDownloader.Zlob.RJ
    Norman 5.90.21 06.09.2006 no virus found
    Panda 9.0.0.4 06.11.2006 Suspicious file
    Sophos 4.06.0 06.12.2006 no virus found
    Symantec 8.0 06.12.2006 no virus found
    TheHacker 5.9.8.158 06.12.2006 no virus found
    UNA 1.83 06.09.2006 no virus found
    VBA32 3.11.0 06.11.2006 no virus found

    Additional Information
    File size: 88425 bytes
    MD5: 2e9afafd821fd5182d6df3d7767e32b2
    SHA1: d38d4f8382e171e6f7eff7192f5cb28516ff56bc
     
  9. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Scanning the latest - very nice! :)
     

    Attached file: NOD.gif (33.4 KB)
  10. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    indeed, Tony! Nice job now! :thumb:
     

  11. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Yup, another one here; only Nod32 achieves positive detection ;) :

    *****codec.net/v4/mediacodec-v4.207.exe

    Complete scanning result of "mediacodec-v4.207.exe", received in VirusTotal at 06.12.2006, 15:32:34 (CET).

    CAT-QuickHeal 8.00 06.12.2006 (Suspicious) - DNAScan
    Fortinet 2.77.0.0 06.12.2006 suspicious
    NOD32v2 1.1594 06.12.2006 Win32/TrojanDownloader.Zlob.RM
    Panda 9.0.0.4 06.12.2006 Suspicious file
     
    Last edited: Jun 12, 2006
  12. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    I'm doubtful whether these links comply with TOS. I for one think ...v4/mediacodec-v4.207.exe would be enough.
     
  13. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
  14. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    *.exe would be enough. Just joking. :D
     
  15. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Time for a new one, guys (mediacodec.net). :)
     

  16. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Three latest variants, this time only identified by their MD5 hash.

    More work to do, it would seem, files submitted...

    1st file:
     

  17. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Second file:
     

  18. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    3rd one:
     

  19. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
  20. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    the new one is detected. :) ...and also those posted by Tony. ;)
     

  21. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    and this one ....
     

  22. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    This was the result from 11.20, almost 1.5 hours ago:

    AntiVir 6.35.0.10 06.13.2006 no virus found
    Authentium 4.93.8 06.12.2006 no virus found
    Avast 4.7.844.0 06.11.2006 no virus found
    AVG 386 06.12.2006 no virus found
    BitDefender 7.2 06.13.2006 no virus found
    CAT-QuickHeal 8.00 06.12.2006 (Suspicious) - DNAScan
    ClamAV devel-20060426 06.12.2006 no virus found
    DrWeb 4.33 06.13.2006 no virus found
    eTrust-InoculateIT 23.72.35 06.13.2006 no virus found
    eTrust-Vet 12.6.2253 06.13.2006 no virus found
    Ewido 3.5 06.13.2006 no virus found
    Fortinet 2.77.0.0 06.13.2006 suspicious
    F-Prot 3.16f 06.12.2006 no virus found
    Ikarus 0.2.65.0 06.12.2006 no virus found
    Kaspersky 4.0.2.24 06.13.2006 no virus found
    McAfee 4782 06.12.2006 no virus found
    Microsoft 1.1441 06.13.2006 no virus found
    NOD32v2 1.1596 06.13.2006 Win32/TrojanDownloader.Zlob.RR
    Norman 5.90.21 06.12.2006 no virus found
    Panda 9.0.0.4 06.12.2006 Suspicious file
    Sophos 4.06.0 06.13.2006 no virus found
    Symantec 8.0 06.13.2006 no virus found
    TheHacker 5.9.8.158 06.12.2006 no virus found
    UNA 1.83 06.09.2006 no virus found
    VBA32 3.11.0 06.12.2006 no virus found
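    A small triage helper for scan listings in the layout quoted in this thread (the posts by hin123 and Marcos above). It is an added example, not code from the thread or from VirusTotal: it parses "Vendor Version MM.DD.YYYY Result" lines, sorts verdicts into clean, heuristic-only ("suspicious") and named detections, and extracts the family name from a named detection. The sample lines are constructed from values in this thread, and the fixed column layout is an assumption.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the layout of the listings posted in this thread
# ("Vendor Version MM.DD.YYYY Result"); values taken from the posts above.
SAMPLE = """\
CAT-QuickHeal 8.00 06.12.2006 (Suspicious) - DNAScan
Fortinet 2.77.0.0 06.13.2006 suspicious
Kaspersky 4.0.2.24 06.13.2006 no virus found
NOD32v2 1.1596 06.13.2006 Win32/TrojanDownloader.Zlob.RR
Panda 9.0.0.4 06.12.2006 Suspicious file
"""

# Assumed fixed layout: engine, signature version, signature date, free-text result.
LINE_RE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<date>\d{2}\.\d{2}\.\d{4})\s+(?P<result>.+?)\s*$"
)

@dataclass
class Verdict:
    engine: str
    version: str
    sig_date: str
    result: str

    @property
    def kind(self) -> str:
        """clean / heuristic (a generic 'suspicious' flag) / named (a real signature)."""
        r = self.result.lower()
        if r == "no virus found":
            return "clean"
        if "suspicious" in r:
            return "heuristic"
        return "named"

def family_of(name: str) -> str:
    """'Win32/TrojanDownloader.Zlob.RR' -> 'Zlob': drop the platform prefix and a short
    upper-case variant suffix, keep the family token."""
    parts = name.split("/")[-1].split(".")
    if len(parts) >= 2 and parts[-1].isupper() and len(parts[-1]) <= 3:
        return parts[-2]
    return parts[-1]

def parse_listing(text: str) -> list[Verdict]:
    verdicts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        verdicts.append(Verdict(m["engine"], m["version"], m["date"], m["result"]))
    return verdicts

def summarize(verdicts: list[Verdict]) -> dict:
    """Count verdict kinds and map each engine with a named detection to its family."""
    counts = Counter(v.kind for v in verdicts)
    families = {v.engine: family_of(v.result) for v in verdicts if v.kind == "named"}
    return {"total": len(verdicts), **counts, "families": families}
```

    The distinction matters for the thread's point: a "suspicious" flag from a heuristic engine is not the same as a named signature, and only the latter tells you which family a sample belongs to.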
     
  23. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Everyone is talking about how much better NOD32 is, with its AH and its reaction times, than KAV... But has anyone actually tried these against PDM? I think not...
     
  24. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    you could try them if you like. :D :D
    I can give you my collection of Zlob variants (about 46) and you may test it. I currently don't have KAV installed on my computer. :)
     
  25. .....

    ..... Registered Member

    Joined:
    Jan 14, 2005
    Posts:
    312
    I don't think KAV's PDM detects Zlob variants (at least with the sample I tried - mediacodec-v4.107.exe). Only PDM was active (no other modules) (everything except ACI). I received no prompts from KAV, but the threat was already detected by the realtime scanner.

    I'm willing to try with more samples.
     