Trojan Zlob

Discussion in 'NOD32 version 2 Forum' started by ugly, May 27, 2006.

Thread Status:
Not open for further replies.
  1. ugly

    ugly Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    276
    Location:
    Romania
    A new variant of Trojan.Zlob.
    Again a "mediacodec" you "need". :eek:
    Send it to ESET and Kaspersky.

    Attached: new.JPG

    Hope all vendors will add signatures soon! :ninja:
     
  2. ASpace

    ASpace Guest

  3. ugly

    ugly Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    276
    Location:
    Romania
  4. ASpace

    ASpace Guest

    You mean you sent it already. Thanks, by the way :) I am also sorry for the misunderstanding. Nice evening (night)! :D
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    So you are actually just pretending to be a NOD32 reseller :D
     
  6. ugly

    ugly Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    276
    Location:
    Romania
    A few moments ago ...

    Attached: zlob.JPG
     
  7. ASpace

    ASpace Guest

    What exactly do you mean by this? I am not pretending, I am one. Here in Bulgaria we call it a NOD32 Authorised representative, and I am exactly that ;)
     
  8. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    It seems to be a dropper, ugly! Perhaps that's why ESET is so slow... and additionally it may contain unknown packers for NOD32, and after unpacking it might be detected....
    Strange that Marcos didn't say a word about it... and if my variants above are not true, it's very sad NOD32 is so "fast" :(
     
  9. ASpace

    ASpace Guest


    About the packers, see the first post :)
     
  10. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    I've seen them already, but I don't know exactly whether they are supported by NOD or not.... Additionally, I've done a little research and Avira has detected it since 3 May. :eek:
     
  11. ASpace

    ASpace Guest


    I also don't know if they are supported. I personally don't worry. It would be nice if ugly could submit them in non-packed variants just to see, but it is dangerous that way. I hope someone from ESET replies soon.
     
  12. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    Zlobs breed faster than rabbits!
     
  13. i_kenefick

    i_kenefick Registered Member

    Joined:
    Nov 29, 2005
    Posts:
    135
    Location:
    Cork, Ireland.
    Yeah, they upload new modifications even before some of the big guys add detection for the existing one.
     
  14. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Here's a rare picture of one. :D
     

    Attached Files:
    Zlob.jpg (38.4 KB)
  15. ASpace

    ASpace Guest

    What a lovely evil Zlobby :D
     
  16. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Slightly off topic, but as I now may have your attention, Marcos:

    I'm a happy Nod32 user myself, and I appreciate you guys must be extremely busy and possibly even hugely understaffed, but I have to say one doesn't very often get any feedback when sending new stuff.
    Really, even an automated response to tell the poster the file was received would already be a huge improvement; the way it is now one really has no way of knowing if the file has even been received at all...

    Some other developers DO appear to understand that. There's something very satisfying about hearing something like:

    "New malware was found in the attached file and detection will be added in the next update"

    It helps to reassure your user base that they're being taken seriously.

    I really think you should give this some thought. :thumb:
     
    Last edited: May 28, 2006
  17. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Fully agree with you, TonyKlein. ;)
     
    Last edited: May 28, 2006
  18. ugly

    ugly Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    276
    Location:
    Romania
    A brand new Zlob.
    Already sent it to ESET & Kaspersky! (like my neighbour HTb said before :D)

    Attached: new.JPG

    It seems that Fortinet is detecting Zlob heuristically o_O?
    If they do, CONGRATULATIONS! :thumb:
     
  19. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    As Ian already said, they're ALL different...:doubt:

    Here are VirusTotal reports on a few I caught recently, all from one of the following sites:

    digikeygen.com
    emediacodec.com
    mediacodec.net

    Scan results all vary as well :blink:

    mediacodec-v4.107.exe

    AntiVir 6.34.1.34 05.27.2006 TR/Drop.Zlob.FK.2.A
    Authentium 4.93.8 05.26.2006 no virus found
    Avast 4.6.695.0 05.26.2006 no virus found
    AVG 386 05.26.2006 Downloader.Zlob.AFD
    BitDefender 7.2 05.28.2006 no virus found
    CAT-QuickHeal 8.00 05.27.2006 no virus found
    ClamAV devel-20060426 05.27.2006 no virus found
    DrWeb 4.33 05.26.2006 no virus found
    eTrust-InoculateIT 23.72.19 05.26.2006 no virus found
    eTrust-Vet 12.6.2229 05.26.2006 no virus found
    Ewido 3.5 05.27.2006 no virus found
    Fortinet 2.77.0.0 05.28.2006 suspicious
    F-Prot 3.16c 05.26.2006 no virus found
    Ikarus 0.2.65.0 05.27.2006 Trojan-Downloader.Win32.Zlob.ni
    Kaspersky 4.0.2.24 05.28.2006 Trojan-Downloader.Win32.Zlob.py
    McAfee 4771 05.26.2006 no virus found
    Microsoft 1.1441 05.28.2006 no virus found
    NOD32v2 1.1562 05.27.2006 no virus found
    Norman 5.90.17 05.26.2006 no virus found
    Panda 9.0.0.4 05.27.2006 no virus found
    Sophos 4.05.0 05.27.2006 no virus found
    Symantec 8.0 05.28.2006 no virus found
    TheHacker 5.9.8.149 05.26.2006 no virus found
    UNA 1.83 05.26.2006 no virus found
    VBA32 3.11.0 05.28.2006 no virus found

    Additional Information
    File size: 68723 bytes
    MD5: 97d30ee6b154f2791db636a9ad227222
    SHA1: e621e46cedd0b5f5fc0001b40dcd1a55ae8bd32e


    Complete scanning result of "digikeygen_ver1.541.exe", received in VirusTotal at 05.25.2006, 15:17:58 (CET).

    Antivirus Version Update Result
    AntiVir 6.34.1.32 05.25.2006 no virus found
    Authentium 4.93.8 05.25.2006 no virus found
    Avast 4.6.695.0 05.24.2006 no virus found
    AVG 386 05.24.2006 no virus found
    BitDefender 7.2 05.25.2006 no virus found
    CAT-QuickHeal 8.00 05.25.2006 no virus found
    ClamAV devel-20060426 05.25.2006 no virus found
    DrWeb 4.33 05.25.2006 no virus found
    eTrust-InoculateIT 23.72.17 05.25.2006 no virus found
    eTrust-Vet 12.6.2227 05.25.2006 no virus found
    Ewido 3.5 05.25.2006 no virus found
    Fortinet 2.77.0.0 05.24.2006 suspicious
    F-Prot 3.16c 05.24.2006 no virus found
    Ikarus 0.2.65.0 05.24.2006 Trojan.Favadd
    Kaspersky 4.0.2.24 05.25.2006 Trojan-Downloader.Win32.Zlob.pt
    McAfee 4769 05.24.2006 no virus found
    Microsoft 1.1440 05.22.2006 no virus found
    NOD32v2 1.1557 05.25.2006 no virus found
    Norman 5.90.17 05.24.2006 no virus found
    Panda 9.0.0.4 05.24.2006 no virus found
    Sophos 4.05.0 05.25.2006 no virus found
    Symantec 8.0 05.25.2006 no virus found
    TheHacker 5.9.8.147 05.24.2006 no virus found
    UNA 1.83 05.24.2006 no virus found
    VBA32 3.11.0 05.25.2006 no virus found


    Complete scanning result of "mediacodec-v4.541.exe", received in VirusTotal at 05.25.2006, 15:42:20 (CET).

    Antivirus Version Update Result
    AntiVir 6.34.1.32 05.25.2006 TR/Drop.Zlob.FK.2.A
    Authentium 4.93.8 05.25.2006 no virus found
    Avast 4.6.695.0 05.24.2006 no virus found
    AVG 386 05.24.2006 Downloader.Zlob.AFD
    BitDefender 7.2 05.25.2006 no virus found
    CAT-QuickHeal 8.00 05.25.2006 no virus found
    ClamAV devel-20060426 05.25.2006 no virus found
    DrWeb 4.33 05.25.2006 no virus found
    eTrust-InoculateIT 23.72.17 05.25.2006 no virus found
    eTrust-Vet 12.6.2227 05.25.2006 no virus found
    Ewido 3.5 05.25.2006 no virus found
    Fortinet 2.77.0.0 05.24.2006 W32/Zlob.AFD!tr.dldr
    F-Prot 3.16c 05.24.2006 no virus found
    Ikarus 0.2.65.0 05.24.2006 Trojan-Downloader.Win32.Zlob.ni
    Kaspersky 4.0.2.24 05.25.2006 Trojan-Downloader.Win32.Zlob.pt
    McAfee 4769 05.24.2006 no virus found
    Microsoft 1.1440 05.22.2006 no virus found
    NOD32v2 1.1557 05.25.2006 no virus found
    Norman 5.90.17 05.24.2006 no virus found
    Panda 9.0.0.4 05.24.2006 no virus found
    Sophos 4.05.0 05.25.2006 no virus found
    Symantec 8.0 05.25.2006 no virus found
    TheHacker 5.9.8.147 05.24.2006 no virus found
    UNA 1.83 05.24.2006 no virus found
    VBA32 3.11.0 05.25.2006 no virus found


    Complete scanning result of "digikeygen_ver1.541.exe", received in VirusTotal at 05.27.2006, 23:16:42 (CET).

    Antivirus Version Update Result
    AntiVir 6.34.1.34 05.27.2006 no virus found
    Authentium 4.93.8 05.26.2006 no virus found
    Avast 4.6.695.0 05.26.2006 no virus found
    AVG 386 05.26.2006 no virus found
    BitDefender 7.2 05.27.2006 no virus found
    CAT-QuickHeal 8.00 05.27.2006 no virus found
    ClamAV devel-20060426 05.27.2006 no virus found
    DrWeb 4.33 05.26.2006 no virus found
    eTrust-InoculateIT 23.72.19 05.26.2006 no virus found
    eTrust-Vet 12.6.2229 05.26.2006 no virus found
    Ewido 3.5 05.27.2006 no virus found
    Fortinet 2.77.0.0 05.27.2006 suspicious
    F-Prot 3.16c 05.26.2006 no virus found
    Ikarus 0.2.65.0 05.27.2006 Trojan.Favadd
    Kaspersky 4.0.2.24 05.27.2006 no virus found
    McAfee 4771 05.26.2006 no virus found
    Microsoft 1.1441 05.27.2006 no virus found
    NOD32v2 1.1562 05.27.2006 no virus found
    Norman 5.90.17 05.26.2006 no virus found
    Panda 9.0.0.4 05.27.2006 no virus found
    Sophos 4.05.0 05.27.2006 no virus found
    Symantec 8.0 05.27.2006 no virus found
    TheHacker 5.9.8.149 05.26.2006 no virus found
    UNA 1.83 05.26.2006 no virus found
    VBA32 3.11.0 05.26.2006 no virus found


    BOClean gets most of these as well now.
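    As an added example (not from the thread, and not VirusTotal's own code), a small Python parser for result rows in the 2006 text format pasted above: it counts detecting engines per report and lists the vendors whose verdict changed between the two digikeygen_ver1.541.exe scans. The sample rows are an excerpt (six of the 25 engines) transcribed from the reports in this post; the clean-verdict wording "no virus found" is taken from them.

```python
"""Parse VirusTotal result rows in the 2006 text format and compare two scans."""
from __future__ import annotations
import re
from collections import namedtuple

ScanRow = namedtuple("ScanRow", "vendor version update result")
DATE_RE = re.compile(r"^\d{2}\.\d{2}\.\d{4}$")  # VT "Update" column, e.g. 05.25.2006
CLEAN = "no virus found"  # VT's wording for a clean verdict in this format

def detected(row: ScanRow) -> bool:
    """Anything other than the clean verdict, including a bare 'suspicious', counts as a hit."""
    return row.result != CLEAN

def parse_report(text: str) -> dict[str, ScanRow]:
    """Map vendor -> row; header and prose lines are skipped by requiring a date in column 3."""
    rows: dict[str, ScanRow] = {}
    for line in text.strip().splitlines():
        parts = line.split(maxsplit=3)  # the verdict itself may contain spaces
        if len(parts) == 4 and DATE_RE.match(parts[2]):
            rows[parts[0]] = ScanRow(*parts)
    return rows

def detection_rate(rows: dict[str, ScanRow]) -> tuple[int, int]:
    """(engines detecting, engines in report)."""
    return sum(detected(r) for r in rows.values()), len(rows)

def diff_reports(old: dict[str, ScanRow], new: dict[str, ScanRow]) -> list[tuple[str, str, str]]:
    """Vendors in both reports whose verdict changed, as (vendor, old result, new result)."""
    return [(v, old[v].result, new[v].result)
            for v in sorted(old.keys() & new.keys()) if old[v].result != new[v].result]

# Sample input: an excerpt (six of the 25 engines) of the two digikeygen_ver1.541.exe
# reports quoted in the post above, transcribed here.
REPORT_0525 = """Antivirus Version Update Result
AntiVir 6.34.1.32 05.25.2006 no virus found
Fortinet 2.77.0.0 05.24.2006 suspicious
Ikarus 0.2.65.0 05.24.2006 Trojan.Favadd
Kaspersky 4.0.2.24 05.25.2006 Trojan-Downloader.Win32.Zlob.pt
McAfee 4769 05.24.2006 no virus found
NOD32v2 1.1557 05.25.2006 no virus found"""
REPORT_0527 = """Antivirus Version Update Result
AntiVir 6.34.1.34 05.27.2006 no virus found
Fortinet 2.77.0.0 05.27.2006 suspicious
Ikarus 0.2.65.0 05.27.2006 Trojan.Favadd
Kaspersky 4.0.2.24 05.27.2006 no virus found
McAfee 4771 05.26.2006 no virus found
NOD32v2 1.1562 05.27.2006 no virus found"""
```

On this excerpt the 05.25 report has three detecting engines and the 05.27 report two, with Kaspersky the only vendor whose verdict changed.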
     
  20. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Nope, they seem to detect the envelope as suspicious. We could do it also, but then we would have tons of false positives.

    An update for these Zlobs is imminent.
     
  21. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Hope it will be soon... and I think the best way to prevent infections is to send the files to AV vendors. ;)
     
  22. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Sure, but I do think they should ALSO be working proactively to download new variants. As a friend said, it shouldn't be too hard for them to collect the samples themselves as soon as they become available using a Wget script.

    BTW, Nod32 is now detecting two of the four samples I uploaded to VirusTotal.

    It is important to be on top of things, as this stuff is positively rampant. Here are the Alexa traffic details for the download sites collected by WinHelp2002:

     
  23. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I think most AV companies do that.
     
  24. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Hi Marcos. :)

    I'm sure you're right, but wouldn't you then expect them to add detection a little faster than appears to be the case right now...?
     
  25. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    ESET waits for more users to get infected and for these variants to be widely spread. :rolleyes:
     