A New Trojan?

Discussion in 'malware problems & news' started by Covenant, Mar 22, 2006.

Thread Status:
Not open for further replies.
  1. Covenant

    Covenant Registered Member

    Joined:
    Jan 27, 2006
    Posts:
    2
    ./SYSTEM32/VOBLAIZDUPLA.EXE

    This is the first piece of malicious software I have ever gotten and I am unable to find any information on it anywhere. I tried checking wildlist.org, Kaspersky's lists, McAfee's lists, and even did a Google search on the thing. All returned nothing.

    It attempted to access the internet when I opened IE and ZoneAlarm gave me a popup, so I remembered/denied it access. I then ran an AV scan. Kaspersky detected this as a Trojan and I killed its process so it could delete the file. I also found a .pf file with this in the name and I removed that manually.

    Can anyone tell me anything about this file? Is this a new trojan? If you guys know anything about it, am I safe at this point?
     
  2. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
  3. Covenant

    Covenant Registered Member

    Joined:
    Jan 27, 2006
    Posts:
    2
    Thanks for the response, Lee.

    Unfortunately in my haste to prevent damage I allowed KAV to delete the file. In the future should I just attempt to upload it before deleting it?

    I know KAV recognized it, but whether it recognized it with signature or heuristics I guess there's no way to tell.
     
  4. Honyak

    Honyak Registered Member

    Joined:
    Jul 19, 2004
    Posts:
    346
    Location:
    Deep South
    I believe that KAV will back up a file when it is deleted; you may check the backup folder to see. Then possibly submit it at Jotti's.

    Regards
     
  5. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    I've analyzed it in the Italian forum where I am.

    VOBLAIZDUPLA.EXE is a trojan downloader that downloads a file, called parad.raw.exe, from a still-up webserver.

    From the webserver it downloads a clean dll, called zlbw.dll, and some garbage files.

    Then a copy of parad.raw.exe is made and called taskdir.exe.

    Taskdir.exe is a new variant of trojan Lager. It contains an embedded dll, called taskdir.dll.

    taskdir.dll is then "injected" into every system process. This dll has "rootkit" features, because it hides every file or directory called "taskdir" from the user's eyes (this is to hide taskdir.exe execution).

    I've analyzed it and reported it to antivirus companies, who are adding the signature ;)

    For Italian-able readers: http://www.hwupgrade.it/forum/showthread.php?t=1163140

    After my report these antiviruses added signatures:

    Kaspersky (taskdir.exe)
    Dr.Web (taskdir.exe)
    Norton AV
    Ewido
    Antivir (one of the next updates)
    AVG
    viruscape
     
    Last edited: Mar 23, 2006
  6. Happy Bytes

    Happy Bytes Guest

    I just finished the description for it. Unfortunately it's not online yet but I can attach it here as a document.
     
  7. Happy Bytes

    Happy Bytes Guest

    -Uploaded attachment as a zip file- dog

    It includes as well instructions and screenshots for manual cleaning of this rootkit.
     

    Attached Files:

    Last edited by a moderator: Mar 23, 2006
  8. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    well done Mike ;)

    Confirmed my analysis was right :)
     
  9. Happy Bytes

    Happy Bytes Guest

    When do you intend to start working for us?
     
  10. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
  11. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    maybe start today? :D
     
  12. Happy Bytes

    Happy Bytes Guest

    You know my email - send your CV :D
     
  13. PrevxCares

    PrevxCares Registered Member

    Joined:
    Dec 31, 2005
    Posts:
    5
    Location:
    UK
    Re: VOBLAIZDUPLA.EXE / TaskDir.Exe / TaskDir.Dll

    Hi Guys

    VOBLAIZDUPLA.EXE is well described at:

    http://fileinfo.prevx.com/fileinfo.asp?PXC=bff115126326-VOBL12192734

    Further analysis on the Prevx Research site shows that VOBLAIZDUPLA.EXE creates TaskDir.exe, which in turn creates ZLBW.DLL and TaskDir.DLL.

    Also, Prevx have just launched a new Hot Malicious FileInfo center. Worth trying if you want to find out details on new malicious files early on in their lifetime. It is located by clicking the File Info Center link in the right-hand panel of the home page at http://www.prevx.com.

    Take Care, be safe!
     
  14. BeaverHunter

    BeaverHunter Registered Member

    Joined:
    Mar 25, 2006
    Posts:
    1
    Thanks for all this info... your findings and attachment worked great and I was able to get rid of this from my system.

    Thanks again.
     