Backdoor:Win32/Zonebac.gen!B NOT detected by Nod32?

Discussion in 'NOD32 version 2 Forum' started by tayray, Sep 18, 2007.

Thread Status:
Not open for further replies.
  1. tayray

    tayray Registered Member

    Joined:
    Sep 18, 2007
    Posts:
    2
    What gives?
    VirusTotal had 8 other systems that ID'ed this virus. Even the free ones.
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,740
    Location:
    Texas
    Last edited: Sep 18, 2007
  3. tayray

    tayray Registered Member

    Joined:
    Sep 18, 2007
    Posts:
    2
    Already submitted.
    Thanks.
     
  4. Geepers

    Geepers Registered Member

    Joined:
    Sep 21, 2007
    Posts:
    1
    Re: Backdoor:Win32/Zonebac.gen!B **REMOVAL METHOD**

    RE:
    http://www.microsoft.com/security/portal/Entry.aspx?name=Backdoor:Win32/Zonebac.gen

    ===============================================================================
    The 'Microsoft Malicious Software Removal Tool' that specifically finds this trojan provides a text 'LOG' -
    - detailing the time of the performed scans, and displaying the 'process' of where a trojan or virus is actually located...

    It opens with Notepad under the name of: 'mrt.log' - you'll easily find this log in a
    basic Windows SEARCH for files and folders under C:\Documents and Settings...

    This trojan had the capability to 'spread' into various PID files, where via the MRT log's scanned report
    you can identify these concerned 'PID Numbered Files' to immediately decipher by way of
    the Windows Task Manager:

    http://img524.imageshack.us/img524/2662/tskmgrpidsdx9.jpg - (note the red arrows)

    Go to: RUN - enter: taskmgr

    - THEN on the MGR: go to PROCESSES, then right above to VIEW, and then to SELECT COLUMNS,
    - where you click on the box for the PID numbers to 'APPEAR'

    Running repeated scans of the tool and ONLY on normal windows start-ups did we FIND
    the infected pid files on the log. We THEN - and at each time thereafter - had to reboot
    into SAFE MODE to manually 'delete' these infected process files - and we were surprised to learn
    that it was not just ONE file infected; painstakingly booting/rebooting about 6-7 times:
    *************************************************************************
    (AN EXAMPLE - from the MRT Log):
    *****************************
    1---------------------------------------------------------------------------------------
    Microsoft Windows Malicious Software Removal Tool v1.32, August 2007
    Started On Sun Sep 02 23:15:17 2007
    Quick Scan Results:
    ----------------
    Found possible virus: Backdoor:Win32/Zonebac.gen!B in process://pid:2588
    Results Summary:
    ----------------
    Found Backdoor:Win32/Zonebac.gen!B (detected generically)
    Return code: 6
    Microsoft Windows Malicious Software Removal Tool Finished On Sun Sep 02 23:15:54 2007

    2---------------------------------------------------------------------------------------
    Microsoft Windows Malicious Software Removal Tool v1.32, August 2007
    Started On Mon Sep 03 00:43:13 2007
    Quick Scan Results:
    ----------------
    Found possible virus: Backdoor:Win32/Zonebac.gen!B in process://pid:2748
    Results Summary:
    ----------------
    Found Backdoor:Win32/Zonebac.gen!B (detected generically)
    Return code: 6
    Microsoft Windows Malicious Software Removal Tool Finished On Mon Sep 03 00:44:13 2007

    3---------------------------------------------------------------------------------------
    Microsoft Windows Malicious Software Removal Tool v1.32, August 2007
    Started On Mon Sep 03 01:01:17 2007
    Quick Scan Results:
    ----------------
    Found possible virus: Backdoor:Win32/Zonebac.gen!B in process://pid:2688
    Results Summary:
    ----------------
    Found Backdoor:Win32/Zonebac.gen!B (detected generically)
    Return code: 6
    Microsoft Windows Malicious Software Removal Tool Finished On Mon Sep 03 01:01:55 2007

    4---------------------------------------------------------------------------------------
    Microsoft Windows Malicious Software Removal Tool v1.32, August 2007
    Started On Mon Sep 03 01:21:06 2007
    Results Summary:
    ----------------
    No infection found.
    Return code: 0
    Microsoft Windows Malicious Software Removal Tool Finished On Mon Sep 03 01:21:53 2007
    //
    ****************************************************************************************
    **NOTE in scans 1-3 indicating 'different' PID numbers - under where it says "Quick Scan Results"

    Each reboot BACK to normal Windows 'from' SAFE MODE to check the MRT scan
    after each pid deletion - did we discover that the trojan had 'indeed' SPREAD:

    The numbered pids were infected .EXE files, where the majority of them came from
    different folders in the PROGRAM FILES - thus making certain before each major file deletion
    to COPY and SAVE each file on a flash drive...to put BACK in - if absolutely necessary
    (the saved infected files in this case - totaled about 3 MB).

    These infected .EXE files were in folders from programs such as:

    Quicktime, MusicMatch, Toshiba (our brand of PC) and Synaptics -
    - one infected file that was NOT in programs was: Microsoft's Isass.exe LSA Shell (export version).

    As far as we can tell, removing all these files did NOT disrupt our computer system now,
    nor on the programs that were associated with the deleted files;
    also these files DID NOT reoccur back into the system.

    We also ran a 'registry scrub scan' after each file deletion - basically to clear-out the
    nulled 'registry entry' that was associated with EACH removed file.

    **TIP: when searching for these identified pid files, also DELETE any other files (.PF)
    that appear associated with the NAME of the infected file, as a few of these were located in the
    Windows 'PreFetch' folder - **also SAVE these type of files before extraction.

    ..will keep you posted if any discrepancies DO at some time - occur.
     
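A small parser for the MRT log format quoted above, added here as an example and not code from the thread or from Microsoft's tool: it splits the log into runs, pulls out the start/finish timestamps, the detection name, the reported process PID and the return code, and lists which PIDs were flagged. The sample log is constructed in the shape of the excerpt; the `MrtRun` class and function names are my own. Note that a PID is reassigned on every boot, so the parser reports PIDs per run rather than treating each new PID as a new file.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample in the shape of the mrt.log excerpt posted in the thread.
SAMPLE_LOG = """\
Microsoft Windows Malicious Software Removal Tool v1.32, August 2007
Started On Sun Sep 02 23:15:17 2007
Quick Scan Results:
----------------
Found possible virus: Backdoor:Win32/Zonebac.gen!B in process://pid:2588
Results Summary:
----------------
Found Backdoor:Win32/Zonebac.gen!B (detected generically)
Return code: 6
Microsoft Windows Malicious Software Removal Tool Finished On Sun Sep 02 23:15:54 2007

Microsoft Windows Malicious Software Removal Tool v1.32, August 2007
Started On Mon Sep 03 01:21:06 2007
Results Summary:
----------------
No infection found.
Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Mon Sep 03 01:21:53 2007
"""

@dataclass
class MrtRun:                      # one scan run from "Started On" to "Finished On"
    started: datetime
    finished: Optional[datetime] = None
    return_code: Optional[int] = None
    findings: List[Tuple[str, int]] = field(default_factory=list)  # (threat, pid)

START_RE = re.compile(r"^Started On (.+)$")
FINISH_RE = re.compile(r"Finished On (.+)$")
FOUND_RE = re.compile(r"^Found possible virus: (\S+) in process://pid:(\d+)$")
RC_RE = re.compile(r"^Return code: (\d+)$")
TS_FMT = "%a %b %d %H:%M:%S %Y"    # e.g. "Sun Sep 02 23:15:17 2007"

def parse_mrt_log(text: str) -> List[MrtRun]:
    runs: List[MrtRun] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := START_RE.match(line):            # a new run begins
            runs.append(MrtRun(started=datetime.strptime(m.group(1), TS_FMT)))
        elif runs and (m := FOUND_RE.match(line)):  # detection with its PID
            runs[-1].findings.append((m.group(1), int(m.group(2))))
        elif runs and (m := RC_RE.match(line)):     # 0 = clean, 6 = found
            runs[-1].return_code = int(m.group(1))
        elif runs and (m := FINISH_RE.search(line)):
            runs[-1].finished = datetime.strptime(m.group(1), TS_FMT)
    return runs

def flagged_pids(runs: List[MrtRun]) -> List[int]:
    """Distinct PIDs reported across all runs (valid only for that boot)."""
    return sorted({pid for r in runs for _, pid in r.findings})
```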