Discussion in 'NOD32 version 2 Forum' started by clique, Apr 11, 2006.
Is it an FP, or is the codec? Cannot download.
Can you copy it to Quarantine and submit it to Eset for analysis?
This is not a codec, it's a trojan. Avoid all these domains:
These contain all fake codecs. They are NOT codecs, they are all trojans.
Man, those are dangerous.
Are you all sure that it is not an fp?
Here are the results from Jotti's.
Jotti must have NOD set up incorrectly?
NOD detects here but not on Jotti's scan?
D:\Documents and Settings\Administrator\My Documents\SVideoCodec4_01a.exe »NSIS »ecodec.exe - probably a variant of
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
Packers detected: UPX, PE_PATCH, UPACK
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Trojan.Favadd
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found Trojan-Notifier.Win32.Zlob.d, Trojan-Downloader.Win32.Zlob.kz
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found Trojan.Favadd
It does seem a bit suspicious that the "official" site of the "Stream Video Codec" would have no information at all about the codec, about the people involved, or even how to encode audio and video with it. Wouldn't you say?
I've noticed many times that a file was not recognized by NOD32 at Jotti's even though it actually was by my NOD32. When I uploaded it again, it was recognized. Pretty odd.
Date: 04/12/2006 00:55:38 (CET)
AntiVir 188.8.131.52/20060411 found nothing
Avast 4.6.695.0/20060403 found nothing
AVG 386/20060412 found nothing
Avira 184.108.40.206/20060411 found nothing
BitDefender 7.2/20060412 found nothing
CAT-QuickHeal 8.00/20060411 found nothing
ClamAV devel-20060202/20060411 found nothing
DrWeb 4.33/20060412 found [Trojan.Favadd]
eTrust-InoculateIT 23.71.126/20060411 found nothing
eTrust-Vet 12.4.2158/20060411 found nothing
Ewido 3.5/20060411 found nothing
Fortinet 220.127.116.11/20060412 found [suspicious]
F-Prot 3.16c/20060411 found nothing
Ikarus 0.2.59.0/20060411 found nothing
Kaspersky 18.104.22.168/20060412 found nothing
McAfee 4738/20060411 found nothing
NOD32v2 1.1483/20060411 found [probably a variant of Win32/TrojanDownloader.Zlob.KT ]
Norman 5.90.15/20060411 found nothing
Panda 22.214.171.124/20060411 found [Suspicious file]
Sophos 4.04.0/20060411 found nothing
Symantec 8.0/20060411 found nothing
TheHacker 126.96.36.199/20060411 found nothing
UNA 1.83/20060411 found nothing
VBA32 3.10.5/20060411 found nothing
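The two multi-engine reports quoted above are easier to reason about once they are parsed rather than eyeballed: how many engines fire, which of those are only heuristic ("probably a variant of", "suspicious") versus a named signature, and which signature dates the verdicts rest on. The following is an added example, not code from the thread or from Jotti/VirusTotal; it parses lines in the "Engine version/YYYYMMDD found [verdict]" layout of the second report. The sample lines and their version numbers are constructed here, not copied from the page.

```python
import re
from collections import namedtuple

ScanResult = namedtuple("ScanResult", "engine version sigdate detection heuristic")

# One report line: "<engine> <version>/<YYYYMMDD> found <verdict>"
LINE_RE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)/(?P<sigdate>\d{8})\s+found\s+(?P<verdict>.+?)\s*$"
)

# Verdict wording that signals a heuristic or generic hit rather than a named signature
HEURISTIC_RE = re.compile(r"probably|suspicious|generic|heur", re.IGNORECASE)

# Constructed sample in the layout of the quoted report (versions are made up)
SAMPLE_REPORT = """\
AntiVir 6.34.0.1/20060411 found nothing
DrWeb 4.33/20060412 found [Trojan.Favadd]
Fortinet 2.71.0.0/20060412 found [suspicious]
NOD32v2 1.1483/20060411 found [probably a variant of Win32/TrojanDownloader.Zlob.KT ]
Panda 9.0.0.4/20060411 found [Suspicious file]
Symantec 8.0/20060411 found nothing
"""


def parse_line(line):
    """Return a ScanResult for one report line, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    verdict = m.group("verdict")
    if verdict.lower() == "nothing":
        detection = None
    else:
        # Verdicts are bracketed and may carry stray whitespace inside the brackets
        detection = verdict.strip("[]").strip()
    heuristic = detection is not None and bool(HEURISTIC_RE.search(detection))
    return ScanResult(m.group("engine"), m.group("version"), m.group("sigdate"), detection, heuristic)


def parse_report(text):
    """Parse every well-formed line of a report; malformed lines are skipped."""
    results = []
    for line in text.splitlines():
        r = parse_line(line)
        if r is not None:
            results.append(r)
    return results


def summarize(text):
    """Detection ratio plus the split between heuristic and named-signature hits."""
    results = parse_report(text)
    hits = [r for r in results if r.detection is not None]
    return {
        "engines": len(results),
        "detected": len(hits),
        "heuristic": sum(1 for r in hits if r.heuristic),
        "named": sorted(r.detection for r in hits if not r.heuristic),
        "oldest_sigdate": min(r.sigdate for r in results) if results else None,
    }


if __name__ == "__main__":
    for r in parse_report(SAMPLE_REPORT):
        print(f"{r.engine:12} {r.sigdate} {'HEUR' if r.heuristic else '    '} {r.detection}")
    print(summarize(SAMPLE_REPORT))
```

A low detection ratio on a freshly uploaded sample is expected for a downloader that is repacked often (note the UPX/UPACK packers in the Jotti header); the more useful signal is whether any engine names a family, and whether the "found nothing" engines were running signatures from the same day.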
One question I have is, how did you find out about this? Did somebody in particular tell you to download this software in order to play a certain movie file? Or are you wanting to play a certain type of movie, and you arrived at this site via Google search?
Voila, the vendor insists on removing detection of the Zlob trojan, though the threat actually fulfils all criteria for malware:
- installs itself to the program files folder (actually, codec.exe is finally removed by the installer and only the uninstaller remains in the folder after installation)
- copies dfrgsrv.exe and ld4F9E.tmp to the SYSTEM32 folder (not removed by the uninstaller)
- the exe file registers itself to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\wininet.dll
- dfrgsrv.exe injects into the winlogon.exe process to hide away, so it's invisible and cannot be deleted
The question is when we can expect the author of Mydoom to remove detection for this famous worm?
Finally all antiviruses removed signature detection
Then why is the new variant being spread still detected by one famous AV besides NOD32?