Trojan Zlob

Please take this to Private Messages or eMails.

Cheers

Blackspear.

 

ok.. I understand.

 

new ZLOB !!! Detected only by ArcaVir heuristically!

 

Show must go on ...





Sent it.

 

NOD added the def again among the first.

 

new one...not detected again...I think I'll not post here anymore except this and the next one. AV companies know where to get them from.

 

and this is the last one...samples sent

 

This one's corrupted, don't expect it to be detected. But the other one already is

 

thanks for the answer...
Btw, here's another good point for NOD32

 

Don't put all eggs into one basket by relying on results from Jotti's scanner. It often happens that NOD32 doesn't detect submitted files there as it even doesn't get to scanning due to techical difficulties at their part. Likewise other scanners may not always show valid results.

 

I've scanned the file on Virustotal.com and here's the result. Virustotal was very busy that time that's why I"ve used jotti's

 

Since the PDM is a behaviour blocker and relies on the file being executed. Here in your case the On-Access scanner blocked the execution of the file so PDM wasn't called into action.

 

Latest "pornmagpass"...

 

it has been added.

 

Morning news.

 

added as Win32/TrojanDownloader.SA

 

10 pages all about 1 virus. I don't believe it!

 

Yeah it's nuts especially when you consider a user must first download and then install it....

 

The problem is there are SOOOOO many variants, eventually heuristics need to be able to capture this and that will be the end of it

Cheers

 

Symantec Corporate editions's heuristics catch them without updates.
Hope NOD32 will develop an heuristic engine soon, as these Zlobs never end...

 

I think I'd be unhappy if NOD32's heuristics were configured that loose, but it will be nice when they are tuned into catching all zlobs

 

new one....

 

I think one thing that can be deduced from this is that Nod doesn't seem to detect this very well using heuristics(advanced or otherwise)and seems to be more reliant on sigs than we'd like to think

 

Actually that will always be the case when the virus author deliberately makes changes to avoid further detection by AH... That's one of the reasons these are considered nasty, because the writer is acting with deliberate intent to avoid detection - deliberately modifying the code in such a way that the AV vendors must respond for further detections...