EAV 3.0 fails to detect Win32.Vundo.IG

Discussion in 'ESET NOD32 Antivirus' started by cowwoc, Aug 31, 2008.

Thread Status:
Not open for further replies.
  1. cowwoc

    cowwoc Registered Member

    Joined:
    Jun 1, 2008
    Posts:
    20
    I just got infected by the following viruses:

    Win32/Vundo.gen!X
    Win32/Vundo.IG
    Win32/Vapsup
    Win32/Zlob.gen!GV
    Win32/Zlob.gen!GW

    Nod32 v3 seems to have let them through and Windows Defender caught them. It didn't do a great job removing them, however, and I had to remove some registry keys manually; otherwise I got an error message every boot-up about missing DLLs.

    Long story short, can someone at NOD32 please double check you detect the above viruses properly?

    Thank you.
     
  2. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    Quick question to a long story. Did you forward the samples you detected to Eset?
     
  3. cowwoc

    cowwoc Registered Member

    Joined:
    Jun 1, 2008
    Posts:
    20
    No... and I've already deleted them. Dammit :(

    I'm sorry, it didn't occur to me at the time. I was too preoccupied with trying to figure out how to remove them off my system.
     
  4. cowwoc

    cowwoc Registered Member

    Joined:
    Jun 1, 2008
    Posts:
    20
    I finally managed to grab a copy of these two. The virus came back somehow. Anyway, here is what I've got from Windows Defender:

    TrojanDownloader:Win32/Zlob.gen!GW

    Category:
    Trojan Downloader

    Description:
    This program has potentially unwanted behavior.

    Advice:
    Review the alert details to see why the software was detected. If you do not like how the software operates or if you do not recognize and trust the publisher, consider blocking or removing the software.

    Resources:
    file:
    C:\Windows\dgksvbpn.dll

    shellserviceobjectdelayload:
    HKLM\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS\CURRENTVERSION\SHELLSERVICEOBJECTDELAYLOAD\\dgksvbpn

    regkey:
    HKLM\Software\Classes\Wow6432Node\CLSID\{12661BE6-0763-44BB-8C7D-BD3F165CC56B}

    regkey:
    HKLM\SOFTWARE\CLASSES\Wow6432Node\CLSID\{D638FBF5-53D3-4930-981D-D70EBA5233C8}

    regkey:
    HKLM\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS\CURRENTVERSION\SHELLSERVICEOBJECTDELAYLOAD\\dgksvbpn

    clsid:
    HKLM\Software\Classes\Wow6432Node\CLSID\{12661BE6-0763-44BB-8C7D-BD3F165CC56B}

    clsid:
    HKLM\SOFTWARE\CLASSES\Wow6432Node\CLSID\{D638FBF5-53D3-4930-981D-D70EBA5233C8}

    TrojanDownloader:Win32/Zlob.gen!GV

    Category:
    Trojan Downloader

    Description:
    This program has potentially unwanted behavior.

    Advice:
    Review the alert details to see why the software was detected. If you do not like how the software operates or if you do not recognize and trust the publisher, consider blocking or removing the software.

    Resources:
    file:
    C:\Windows\xrdwbfgn.dll

    shellserviceobjectdelayload:
    HKLM\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS\CURRENTVERSION\SHELLSERVICEOBJECTDELAYLOAD\\xrdwbfgn

    regkey:
    HKLM\Software\Classes\Wow6432Node\CLSID\{0B34BE54-2BEC-47DF-9294-A9DC8F6CE3A1}

    regkey:
    HKLM\SOFTWARE\CLASSES\Wow6432Node\CLSID\{28D7F866-1BFA-45D1-8300-D33912A9CBF7}

    regkey:
    HKLM\SOFTWARE\CLASSES\Wow6432Node\CLSID\{8083A4F5-24B0-4DF4-BF78-F636850C92E5}

    regkey:
    HKLM\SOFTWARE\CLASSES\Wow6432Node\CLSID\{E2221736-51EA-4E07-94DD-20C6A0556FF8}

    regkey:
    HKLM\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS\CURRENTVERSION\SHELLSERVICEOBJECTDELAYLOAD\\xrdwbfgn

    clsid:
    HKLM\Software\Classes\Wow6432Node\CLSID\{0B34BE54-2BEC-47DF-9294-A9DC8F6CE3A1}

    clsid:
    HKLM\SOFTWARE\CLASSES\Wow6432Node\CLSID\{28D7F866-1BFA-45D1-8300-D33912A9CBF7}

    clsid:
    HKLM\SOFTWARE\CLASSES\Wow6432Node\CLSID\{8083A4F5-24B0-4DF4-BF78-F636850C92E5}

    clsid:
    HKLM\SOFTWARE\CLASSES\Wow6432Node\CLSID\{E2221736-51EA-4E07-94DD-20C6A0556FF8}

    You can download a copy of the viruses from here: A link to potential malware removed

    Please let me know when you finish downloading a copy.
     
    Last edited by a moderator: Sep 3, 2008
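The Windows Defender report above shows the two Zlob DLLs persisting through ShellServiceObjectDelayLoad (SSODL) values that point at CLSIDs, whose InprocServer32 key names a DLL that explorer.exe loads at logon. The following PowerShell audit is an added example for triaging that location; it is not from this thread or from any of the tools named here. It assumes a current Windows host with the standard registry provider and Get-AuthenticodeSignature available, and flags entries whose DLL is missing, sits directly in the Windows directory (as dgksvbpn.dll and xrdwbfgn.dll did), or lacks a valid signature.

```powershell
# Added example (not from the thread): enumerate SSODL persistence entries and
# resolve each CLSID to its InprocServer32 DLL, then flag suspicious ones.
$ssodlPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
)

foreach ($path in $ssodlPaths) {
    if (-not (Test-Path $path)) { continue }
    $wow64 = $path -like '*Wow6432Node*'
    $props = Get-ItemProperty -Path $path

    foreach ($p in $props.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... metadata the provider adds.
        if ($p.Name -like 'PS*') { continue }

        $clsid    = [string]$p.Value
        $clsidKey = if ($wow64) { "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$clsid\InprocServer32" }
                    else        { "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" }

        # The (default) value of InprocServer32 is the DLL path explorer.exe will load.
        $dll = $null
        if (Test-Path $clsidKey) {
            $dll = (Get-ItemProperty -Path $clsidKey).'(default)'
            if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
        }

        $flags = @()
        if (-not $dll) { $flags += 'no-inprocserver32' }
        elseif (-not (Test-Path -LiteralPath $dll)) { $flags += 'dll-missing' }
        else {
            # Random-named DLLs dropped straight into %SystemRoot% are a classic Zlob/Vundo tell.
            if ((Split-Path $dll -Parent) -ieq $env:SystemRoot) { $flags += 'dll-in-windows-root' }
            $sig = Get-AuthenticodeSignature -FilePath $dll
            if ($sig.Status -ne 'Valid') { $flags += "sig-$($sig.Status)" }
        }

        [pscustomobject]@{
            Hive  = $(if ($wow64) { 'Wow6432Node' } else { 'native' })
            Name  = $p.Name
            CLSID = $clsid
            DLL   = $dll
            Flags = ($flags -join ',')
        }
    }
}
```

Legitimate SSODL entries (for example Microsoft's WebCheck) resolve to signed DLLs under System32, so anything with a non-empty Flags column deserves a closer look and a sample submission rather than immediate deletion.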
  5. De Hollander

    De Hollander Registered Member

    Joined:
    Sep 10, 2005
    Posts:
    718
    Location:
    Windmills and cows
    Posting links to potential malware here is against TOS. Please remove link ;)
     
  6. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Run the combined tools of
    MalwareBytes
    SuperAntispyware
    Spybot Search and Destroy 1.6

    Those 3 tools have been great at fully removing the infections we've run across.
     
  7. cowwoc

    cowwoc Registered Member

    Joined:
    Jun 1, 2008
    Posts:
    20
    I'll try. These viruses keep on coming back every 2-3 reboots even if I scan my entire HD for viruses. I can't figure out where they're hiding in the registry. I'll try the 3 tools you've mentioned and hopefully they'll find something NOD32, Windows Defender did not.
     
  8. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    So have you done so this time?
     
  9. cowwoc

    cowwoc Registered Member

    Joined:
    Jun 1, 2008
    Posts:
    20
    I just sent it out now. I found a third virus that was not detected by NOD32, Windows Defender or any of the above adware removers. I sent that along to NOD32 as well.

    I'm going to try removing the 3rd by hand now. Hopefully this nightmare will finally end.
     
  10. The PIT

    The PIT Registered Member

    Joined:
    Sep 4, 2008
    Posts:
    185

    Looks like you've got some dodgy web browsing habits or are just plain unlucky.
    Vundo uses a flaw in Java, and I wouldn't be surprised if it's still there if you haven't updated Java and it's bringing its buddies back.

    Also disable system restore as it hides in there and comes straight back. In some cases it won't let you disable system restore which is fun.
     
  11. cowwoc

    cowwoc Registered Member

    Joined:
    Jun 1, 2008
    Posts:
    20
    That is odd because I use Firefox and Java 6 update 10 (the latest). I do have an older JDK 1.5 installation on this machine, but it isn't the default JRE.

    Anyway it's been one day and so far it hasn't come back yet. I'll know more by the end of the week...
     
  12. The PIT

    The PIT Registered Member

    Joined:
    Sep 4, 2008
    Posts:
    185
    There you go; sometimes the older one gets activated.
    Vundo causes groans at work when we find it. Sometimes it comes off straight away, other times it comes back.

    Another good way of cleaning is to use BartPE and scan from there. Since the processes aren't running, they can't hide themselves so easily.
     
  13. cowwoc

    cowwoc Registered Member

    Joined:
    Jun 1, 2008
    Posts:
    20
    What bugs me about all of this is that I've yet to see a technical explanation of the Java vulnerability in the first place. From what I gather it is some sort of flaw in the way their auto-update mechanism worked, which implies that it doesn't matter if the JDK was the system default or not, but unless I can find more information I won't know for sure. For now I am uninstalling JDK 5 and will stick with version 6. I guess that's one way to ensure users upgrade :)
     
  14. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    I take it COWWOC that you know about Virus Total and Jotti's.
     
  15. cowwoc

    cowwoc Registered Member

    Joined:
    Jun 1, 2008
    Posts:
    20
    Very cool services. Thanks! It seems that only 25% of anti-virus scanners detect the viruses I had (ESET isn't one of them). Out of the 3 items I sent to ESET it looks like one has been added to their latest virus dictionary. Hopefully the other 2 will be added soon.

    Gili
     
  16. cowwoc

    cowwoc Registered Member

    Joined:
    Jun 1, 2008
    Posts:
    20
    Well, it's been a few days now and the virus hasn't come back. Yay! :)

    Thanks guys!
     
  17. cowwoc

    cowwoc Registered Member

    Joined:
    Jun 1, 2008
    Posts:
    20
    On a related note, is there a way to remove System Protected Files? I've got over 6000 files in C:\windows\winsxs\temp\PendingRenames and they don't go away after reboot as they should. I can delete these files but then "sfc /scannow" regenerates them.

    How can I remove them permanently?
     
  18. hex_614

    hex_614 Registered Member

    Joined:
    Jul 17, 2008
    Posts:
    155
    Location:
    Manila, Philippines
    Use a behavior blocker such as TF or Norton AntiBot.
     