Istbar Trojan

Hi Guys,

i was just testing out arcavir so i performed an online scan. It turned out that my c was clean.
Then,
I downloaded KAV personal 2006 and without tweaking any settings i started scanning...
It detected the Istbar downloader ( trojan ) and also indicated the location. I traced the file and right-clicked scan with NOD.
Nothing found...

Scanned again with KAV and there it was...Strange....

 

And send it to ESET too

 

Didnt think of that...
Deleted already...

 

Do you have NOD32 set to detect Adware/Spyware/Riskware? If you do, and it is still slipping through, try submitting the file to Eset.

 

NOD is full blown. Using NOD for a year now. Still keeping the faith but i remember seein the file before. Performed several scans since then.

Data was called if it helps.

 

VIRUS LIST EXPLANATION

 

Recovered the file.
Can someone direct me on how can i submit the file to ESET and KAV?

 

Screenshot

 

From the title of your thread and the link you provided @ virus list causes me to ask and not assume wrongly....do have yesterdays update ?

 

NOD32 does detect variants of Istbar: http://www.nod32.com/support/info.htm#CurVersion

 

In Nod32
Open the Control Center-> nod32 system tools -> quarantine, click on the button Add. You will add a copy in quarantine.
then select the file, and click on the button 'Submit for analysis'
OR
create a zip file with it inside, a password protected zip, password= 'infected', and send it to sample@nod32

 

sTILL NO ANSWER OR DETECTION SIGNATURE BY ESET....

 

I had this same problem a few weeks back. I did a scan with NOD and it found nothing, but I also did one with Panda online scanner and it found this Trojan in my Opera temp internet files folder. So I simply deleted the entire contents of the folder and rescanned. The scan with NOD was setup to detect everything with all options full on.

 

I have many samples that other AV detect as a threat, but when run come back as an "Invalid Win32 application" (i.e. non-functional sample). One may think that it is a file that should not be there. On the other hand, adding broken (non-functional) signatures also creates more false positives. I would rather have less false positives than less non-functional files.

 

Here it is.
It is in a normal file, no temp...

 

Win32/TrojanDownloader.IstBar.KC added to the database today

 

During weekends, you should'nt expect any reply from Eset.
They did however add it to the signature db today.
http://www.eset.sk/support/info.htm#CurVersion

 

Keep good work ESET.signature db always update day by day.feel very protected

 

Also, let's not forget that this dangerous 'trojan' is actually *just* an adware downloader, not a real Remote Administration Tool....

ESET are doing great!

Also, a few days ago I submitted a new threat submitted by a poster at this board, a file called svchelper.exe.

VirusTotal Results:


AntiVir 6.31.0.9 07.09.2005 no virus found
AVG 718 07.08.2005 no virus found
Avira 6.31.0.9 07.09.2005 no virus found
BitDefender 7.0 07.10.2005 no virus found
ClamAV devel-20050501 07.08.2005 no virus found
DrWeb 4.32b 07.10.2005 no virus found
eTrust-Iris 7.1.194.0 07.10.2005 no virus found
eTrust-Vet 11.9.1.0 07.08.2005 no virus found
Fortinet 2.36.0.0 07.09.2005 no virus found
Ikarus 2.32 07.08.2005 no virus found
Kaspersky 4.0.2.24 07.10.2005 no virus found
McAfee 4531 07.08.2005 no virus found
NOD32v2 1.1164 07.08.2005 probably unknown NewHeur_PE virus
Norman 5.70.10 07.07.2005 no virus found
Panda 8.02.00 07.10.2005 no virus found
Sybari 7.5.1314 07.10.2005 no virus found
Symantec 8.0 07.09.2005 no virus found
TheHacker 5.8.2.069 07.10.2005 no virus found
VBA32 3.10.4 07.10.2005 no virus found

I subsequently submitted it to a number of developers, and Sophos are now adding it as W32/Monkbd-A, Kaspersky as Backdoor.Win32.RBot.uj

ESET are now calling it Win32/VB.NAN

But remember they were the ONLY one to actually recognize it as malware before anyone had seen it ! http://malware-research.co.uk/Smileys/default/yeah.gif