Istbar Trojan

Discussion in 'NOD32 version 2 Forum' started by DON23, Jul 8, 2005.

Thread Status:
Not open for further replies.
  1. DON23

    DON23 Registered Member

    Joined:
    May 24, 2005
    Posts:
    34
    Location:
    ATLANTIS
    Hi Guys,

    I was just testing out ArcaVir, so I performed an online scan. It turned out that my C: was clean.
    Then
    I downloaded KAV Personal 2006 and, without tweaking any settings, I started scanning...
    It detected the Istbar downloader (trojan) and also indicated the location. I traced the file and right-clicked "Scan with NOD".
    Nothing found...

    Scanned again with KAV and there it was...Strange....
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,794
    Location:
    Texas
    Send it to KAV and get an analysis.
     
  3. zashita

    zashita Registered Member

    Joined:
    May 17, 2005
    Posts:
    309
    And send it to ESET too :)
     
  4. DON23

    DON23 Registered Member

    Joined:
    May 24, 2005
    Posts:
    34
    Location:
    ATLANTIS
    Didn't think of that...
    Deleted already...
     
  5. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    Do you have NOD32 set to detect Adware/Spyware/Riskware? If you do, and it is still slipping through, try submitting the file to Eset.
     
  6. DON23

    DON23 Registered Member

    Joined:
    May 24, 2005
    Posts:
    34
    Location:
    ATLANTIS
    NOD is full blown. Using NOD for a year now. Still keeping the faith, but I remember seeing the file before. Performed several scans since then.

    Data was called if it helps.
     
  7. DON23

    DON23 Registered Member

    Joined:
    May 24, 2005
    Posts:
    34
    Location:
    ATLANTIS
  8. DON23

    DON23 Registered Member

    Joined:
    May 24, 2005
    Posts:
    34
    Location:
    ATLANTIS
    Recovered the file.
    Can someone direct me on how I can submit the file to ESET and KAV?
     
  9. DON23

    DON23 Registered Member

    Joined:
    May 24, 2005
    Posts:
    34
    Location:
    ATLANTIS
    Screenshot
     
  10. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    From the title of your thread and the link you provided @ virus list causes me to ask, and not assume wrongly... do you have yesterday's update? :doubt:
     
    Last edited: Jul 8, 2005
  11. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
  12. zashita

    zashita Registered Member

    Joined:
    May 17, 2005
    Posts:
    309
    In NOD32:
    Open the Control Center -> NOD32 System Tools -> Quarantine, and click on the Add button. You will add a copy to quarantine.
    Then select the file and click on the 'Submit for analysis' button.
    OR
    Create a zip file with it inside, a password-protected zip, password = 'infected', and send it to sample@nod32
     
  13. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,794
    Location:
    Texas
    To submit to Eset, hit quarantine in the tray icon, and then, submit.

    KAV: zip it up and put it in a password protected zip file. Password being "infected".

    newvirus @ kaspersky.com
     
  14. DON23

    DON23 Registered Member

    Joined:
    May 24, 2005
    Posts:
    34
    Location:
    ATLANTIS
    Still no answer or detection signature by ESET....
     
  15. I had this same problem a few weeks back. I did a scan with NOD and it found nothing, but I also did one with the Panda online scanner and it found this Trojan in my Opera temp internet files folder. So I simply deleted the entire contents of the folder and rescanned. The scan with NOD was set up to detect everything, with all options full on.
     
  16. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,794
    Location:
    Texas
    You wouldn't happen to have the full name of the trojan that was detected would you?

    If so, would you mind posting it here? :)
     
  17. rumpstah

    rumpstah Registered Member

    Joined:
    Mar 19, 2003
    Posts:
    486
    I have many samples that other AVs detect as a threat, but when run come back as an "Invalid Win32 application" (i.e. a non-functional sample). One may think that it is a file that should not be there. On the other hand, adding signatures for broken (non-functional) files also creates more false positives. I would rather have fewer false positives than fewer non-functional files.
     
  18. DON23

    DON23 Registered Member

    Joined:
    May 24, 2005
    Posts:
    34
    Location:
    ATLANTIS
    Here it is.
    It is in a normal file, no temp...
     
    Last edited by a moderator: Jul 11, 2005
  19. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    Win32/TrojanDownloader.IstBar.KC added to the database today :)
     
  20. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
  21. shamsay

    shamsay Registered Member

    Joined:
    May 15, 2005
    Posts:
    24
    Keep up the good work, ESET. :) The signature DB is always updated day by day. I feel very protected :)
     
  22. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Also, let's not forget that this "dangerous" trojan is actually *just* an adware downloader, not a real Remote Administration Tool....

    ESET are doing great!

    Also, a few days ago I submitted a new threat submitted by a poster at this board, a file called svchelper.exe.

    VirusTotal Results:

    AntiVir 6.31.0.9 07.09.2005 no virus found
    AVG 718 07.08.2005 no virus found
    Avira 6.31.0.9 07.09.2005 no virus found
    BitDefender 7.0 07.10.2005 no virus found
    ClamAV devel-20050501 07.08.2005 no virus found
    DrWeb 4.32b 07.10.2005 no virus found
    eTrust-Iris 7.1.194.0 07.10.2005 no virus found
    eTrust-Vet 11.9.1.0 07.08.2005 no virus found
    Fortinet 2.36.0.0 07.09.2005 no virus found
    Ikarus 2.32 07.08.2005 no virus found
    Kaspersky 4.0.2.24 07.10.2005 no virus found
    McAfee 4531 07.08.2005 no virus found
    NOD32v2 1.1164 07.08.2005 probably unknown NewHeur_PE virus
    Norman 5.70.10 07.07.2005 no virus found
    Panda 8.02.00 07.10.2005 no virus found
    Sybari 7.5.1314 07.10.2005 no virus found
    Symantec 8.0 07.09.2005 no virus found
    TheHacker 5.8.2.069 07.10.2005 no virus found
    VBA32 3.10.4 07.10.2005 no virus found

    I subsequently submitted it to a number of developers, and Sophos are now adding it as W32/Monkbd-A, Kaspersky as Backdoor.Win32.RBot.uj

    ESET are now calling it Win32/VB.NAN

    But remember, they were the ONLY one to actually recognize it as malware before anyone had seen it!
     
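One way to turn a multi-engine result listing like the one above into a sample-submission worklist, as an added example that is not part of the original post. It assumes the one-line-per-engine format shown (engine, version, date, then a free-text verdict) and uses the 19 lines quoted in the post as its sample input; the function names are the example's own.

```python
# Sample input: the 19 engine lines quoted in the post above (VirusTotal, July 2005).
SCAN_RESULTS = """\
AntiVir 6.31.0.9 07.09.2005 no virus found
AVG 718 07.08.2005 no virus found
Avira 6.31.0.9 07.09.2005 no virus found
BitDefender 7.0 07.10.2005 no virus found
ClamAV devel-20050501 07.08.2005 no virus found
DrWeb 4.32b 07.10.2005 no virus found
eTrust-Iris 7.1.194.0 07.10.2005 no virus found
eTrust-Vet 11.9.1.0 07.08.2005 no virus found
Fortinet 2.36.0.0 07.09.2005 no virus found
Ikarus 2.32 07.08.2005 no virus found
Kaspersky 4.0.2.24 07.10.2005 no virus found
McAfee 4531 07.08.2005 no virus found
NOD32v2 1.1164 07.08.2005 probably unknown NewHeur_PE virus
Norman 5.70.10 07.07.2005 no virus found
Panda 8.02.00 07.10.2005 no virus found
Sybari 7.5.1314 07.10.2005 no virus found
Symantec 8.0 07.09.2005 no virus found
TheHacker 5.8.2.069 07.10.2005 no virus found
VBA32 3.10.4 07.10.2005 no virus found
"""

CLEAN = "no virus found"


def parse_results(text):
    """Parse 'engine version date verdict' lines; engine and version
    contain no spaces, so three splits isolate the free-text verdict."""
    results = []
    for line in text.splitlines():
        if line.strip():
            engine, version, updated, verdict = line.split(maxsplit=3)
            results.append({"engine": engine, "version": version,
                            "updated": updated, "verdict": verdict.strip()})
    return results


def detections(results):
    """Engines that flagged the file, mapped to their verdict string."""
    return {r["engine"]: r["verdict"] for r in results if r["verdict"] != CLEAN}


def missed_by(results):
    """Engines that reported clean: if the file proves malicious, these are
    the vendors a sample should be sent to (the thread's advice: KAV and ESET)."""
    return [r["engine"] for r in results if r["verdict"] == CLEAN]
```

A 1/19 ratio where the single hit is a heuristic verdict (NewHeur_PE) is exactly the low-consensus case that warrants sending the sample to the vendors that missed it.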