New variant of Trojan / Downloader - Zlob - undetected by some popular AVs??

Discussion in 'other anti-virus software' started by epv888, Feb 4, 2007.

Thread Status:
Not open for further replies.
  1. epv888

    epv888 Registered Member

    Joined:
    Oct 3, 2006
    Posts:
    10
    hey guyz,

    I came across this virus / malware while scanning a friend's PC using Avira PE Classic - DR/Zlob.Gen

    So just to be sure it was a legitimate virus / malware detection by Avira, I sent it to VirusTotal to see what other antivirus vendors come up with.

    To my surprise, only 13 out of 29 AV vendors detected it as a virus / malware. :eek:

    Here's the screenshot ...

    [Edit - link to Virus Total screenshot removed - Blue]

    I would be interested in reading your comments regarding this.

    Thanks
     
    Last edited by a moderator: Feb 4, 2007
  2. TAP

    TAP Registered Member

    Joined:
    Aug 17, 2004
    Posts:
    344
    In some cases, a trojan will be caught during the installation process (extraction) by some antivirus, e.g. avast! or others.
     
  3. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    Aaaaaaaaah!

    A VirusTotal Screenshot!
     
  4. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Right, and it will be gone in a few seconds. Sorry epv888, you're new here so please take no offense (and welcome!).

    Just to place everyone on the same page... VT and related screenshots are clipped unless they are focused on a specific diagnostic issue (active malware infestation, false positive, etc.) or related user-based issue. Therefore, they are removed when their only purpose is illustrating point-in-time comparative performance of AVs. They are removed since they have no lasting pertinence to any discussion and quickly generate a large flurry of also time-dependent and quickly outdated competing posts. We're not about to play that game, period.

    As for this thread, epv888 has ably noted the situation sans post and have at it.

    Blue
     
  5. dan_maran

    dan_maran Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    1,053
    Location:
    Stamford, CT
    LOL - But oh so true!

    At least this time Blue explained the reasoning behind it, and thank you for that! ;)

    Now why is it not detected by all?
    Good question with no clear answer.

    It might have something to do with the NSIS installer. So many legit programs use it that the chances for FPs are high, even though I do believe all AVs have no problems unpacking NSIS installers. It also has morphed quite a bit since I have followed it, as many pieces of malware do. For example: one of the first pieces had an actual stand-alone Trojan downloader inside the NSIS, but more recently the ability has been embedded inside the DLL files, thus negating the need for a separate downloader, which was an easy flag.

    Just my .02
     
    Last edited: Feb 4, 2007
  6. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Most AVs have a hard time with Zlobs and other malware of this kind (slightly modified/repackaged stuff).
    Just look at CastleCops MIRT
     
  7. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Exactly how was this detected? You didn't tell us. The screenshot would have. Since that is gone can you please tell us? Hard to make an intelligent comment otherwise.
     
  8. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    Let me guess, NOD didn't detect?
     
  9. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    The explanation of those type removals has been and will continue to be made on a case-by-case basis. Some privately to the posting member, and in this case Blue used member tobacco's trolling post as a lead-in to his explanation to the relatively new member epv888. For some like yourself....you were given an explanation by the owners of the Forum in this post.

    Bubba
     
  10. dan_maran

    dan_maran Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    1,053
    Location:
    Stamford, CT
    ~snip~

    I have results from scanning files with actual EXEs vice DLLs, both newer variants.
    The results are 9 for the EXE types, and 7 for the DLL types, and 2 of those are only because it is packed with UPX. Just an FYI. ;)
     
    Last edited by a moderator: Feb 5, 2007
  11. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    As noted in past closed/removed threads of this type, and in keeping with our position as mentioned here....these type threads are neither support-issue related nor helpful. If/when vendors receive said samples they will act on this item according to the priority they deem necessary. What we will not be continuing is yet another thread of who's added the item to their database and who hasn't.

    Having said that....this thread is now closed.
     