Trojan Zlob

Thank you.

After I asked the question I realized it was quite unlikely that Jotti used version 6, but didn't wanna delete the message. But it's good to hear, and it's good to see you're working on the other Vcodec nasties too.

 

Ladies and Gentlemen, please remember which forum we are in; that is the NOD32 SUPPORT Forum.

Blackspear

 

Mike - I thought you just get annoyed at tackling trivial static malware? You spend 20 mins adding generic for it now Someone must have annoyed you to do it

 

a new one not detect by nod32 and kaspersky

 

Another new one, detected by NOD32 without update:

AntiVir 6.34.1.37 06.07.2006 no virus found
Authentium 4.93.8 06.08.2006 no virus found
Avast 4.7.844.0 06.06.2006 no virus found
AVG 386 06.07.2006 no virus found
BitDefender 7.2 06.08.2006 no virus found
CAT-QuickHeal 8.00 06.07.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 06.07.2006 no virus found
DrWeb 4.33 06.07.2006 no virus found
eTrust-InoculateIT 23.72.31 06.07.2006 no virus found
eTrust-Vet 12.6.2248 06.08.2006 no virus found
Ewido 3.5 06.07.2006 no virus found
Fortinet 2.77.0.0 06.08.2006 no virus found
F-Prot 3.16f 06.07.2006 no virus found
Ikarus n - no virus found
Kaspersky 4.0.2.24 06.08.2006 Trojan-Downloader.Win32.Zlob.pm
McAfee 4779 06.07.2006 no virus found
Microsoft 1.1441 06.08.2006 no virus found
NOD32v2 1.1585 06.07.2006 a variant of Win32/TrojanDownloader.Zlob
Norman 5.90.17 06.07.2006 no virus found
Panda 9.0.0.4 06.07.2006 Suspicious file
Sophos 4.06.0 06.08.2006 no virus found
Symantec 8.0 06.08.2006 no virus found
TheHacker 5.9.8.156 06.08.2006 no virus found
UNA 1.83 06.06.2006 no virus found
VBA32 3.11.0 06.07.2006 no virus found

 

U never dissapointed me IC.

 

which is excellent


Great job , ESET

 

Try this: http://www.kaspersky.com/viruswatchlite?hour_offset=-2&search_virus=Trojan-Downloader.Win32.Zlob

 

nod32 and kasparsky detect it excellent
nice work by ?

 

which is great, but even greater is that NOD32 is detecting samples before a signature is even needed. you can't get much faster than that.

 

Newly found sites:
mediacodec.info
media-codec.net
i.****jerks.com (not porn, just another "fake codec" site)
xxxcodec.com (seems empty right now, but from Google searches, people have been infected before); the one above points to this one.
pornmagpass.com

All listing:
codeccash.com
codecmania.com
digikeygen.com
digipassword.com
emcodec.com
emediacodec.com
getcodecs.com #expired
i.****jerks.com
imediacodec.com
lastcodec.com
media-codec.com
media-codec.net
mediacodec.info
mediacodec.net
modecodec.com
my-codec.com
my-homemade.com
nvidcodec.com
pornmagpass.com
v-codec.com
vcodec-download.com
vcodec-get.com
vcodec.com #expired
vcodecdownload.com
vcodecget.com
vcodecget.net
vcodecobtain.com
vcodecpull.com
vcodecreceive.com
vicodec.com
vidcodec.com
videocodecupdate.com
vidscodec.com
xxxcodec.com
your-codec.com
zcodec.com

As said above, more than a few porn sites point to these but they they are not listed, and they don't cointain the actual trojans files anyway.

 

NOD32 doesn't see the one from pornmagpass.com but, BoClean does.

 

Look at this !



Possibly & probably a new Zlob ...
Well done.Congratulations.

 

nice ugly, but see this one. sample sent...

 

We are familiar with it, it has already been added and the signature will go out with the upcoming update.

 

Results from scanning a new variant:

AntiVir 6.35.0.10 06.09.2006 no virus found
Authentium 4.93.8 06.08.2006 no virus found
Avast 4.7.844.0 06.08.2006 no virus found
AVG 386 06.08.2006 no virus found
BitDefender 7.2 06.09.2006 no virus found
CAT-QuickHeal 8.00 06.08.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 06.08.2006 no virus found
DrWeb 4.33 06.08.2006 no virus found
eTrust-InoculateIT 23.72.32 06.09.2006 no virus found
eTrust-Vet 12.6.2248 06.08.2006 no virus found
Ewido 3.5 06.08.2006 no virus found
Fortinet 2.77.0.0 06.09.2006 suspicious
F-Prot 3.16f 06.08.2006 no virus found
Ikarus n - no virus found
Kaspersky 4.0.2.24 06.09.2006 no virus found
McAfee 4780 06.08.2006 no virus found
Microsoft 1.1441 06.09.2006 no virus found
NOD32v2 1.1587 06.08.2006 probably a variant of Win32/TrojanDownloader.Zlob.PW
Norman 5.90.21 06.08.2006 no virus found
Panda 9.0.0.4 06.08.2006 Suspicious file
Sophos 4.06.0 06.08.2006 no virus found
Symantec 8.0 06.09.2006 no virus found
TheHacker 5.9.8.156 06.08.2006 no virus found
UNA 1.83 06.08.2006 no virus found
VBA32 3.11.0 06.08.2006 no virus found

 

nice to hear that Marcos!
Now you definetly the best in zlob detection...

 

Another new one:

AntiVir 6.35.0.10 06.09.2006 no virus found
Authentium 4.93.8 06.08.2006 no virus found
Avast 4.7.844.0 06.08.2006 no virus found
AVG 386 06.08.2006 no virus found
BitDefender 7.2 06.09.2006 no virus found
CAT-QuickHeal 8.00 06.08.2006 no virus found
ClamAV devel-20060426 06.09.2006 no virus found
DrWeb 4.33 06.08.2006 no virus found
eTrust-InoculateIT 23.72.32 06.09.2006 no virus found
eTrust-Vet 12.6.2250 06.09.2006 no virus found
Ewido 3.5 06.08.2006 no virus found
Fortinet 2.77.0.0 06.09.2006 no virus found
F-Prot 3.16f 06.08.2006 no virus found
Ikarus n - no virus found
Kaspersky 4.0.2.24 06.09.2006 no virus found
McAfee 4780 06.08.2006 no virus found
Microsoft 1.1441 06.09.2006 no virus found
NOD32v2 1.1587 06.08.2006 a variant of Win32/TrojanDownloader.Zlob.PV
Norman 5.90.21 06.08.2006 no virus found
Panda 9.0.0.4 06.08.2006 Suspicious file
Sophos 4.06.0 06.09.2006 no virus found
Symantec 8.0 06.09.2006 no virus found
TheHacker 5.9.8.156 06.08.2006 no virus found
UNA 1.83 06.09.2006 no virus found
VBA32 3.11.0 06.08.2006 no virus found

 

Marcos, sorry to post another one not detected by NOD, but hope you'll add it fast. Sample sent to you.

 

I'm sure Marcos doesn't need an apology. It's good for ESET to get these files from you. I don't think AV's are seeing this as a priority anyway. The only reason for the publicity is that people in forums like this know where the files are (and that they are updated so much) and are comparing AV detection using this stupid crap

 

IMO, since the online scanner submits the files anyway, it means that all AV vendors will add signatures for these variants one day (most likely before the next AV-comparatives test). So its not much to worry, Eset already has most of the samples I think.

 

yeah...they are updated almost daily now.

 

To be honest, I'm collecting such samples daily and sending them to all AV-companies. I've noticed that this Zlob trojan is really not a priority for most companies, since most of them take about 2-3 days to detect it (except McAfee, who took it very seriously and replied the next day with a notice saying signatures are added ).

Eset is also very fast in adding these Zlobs.

 

Well, it's bad that some AV do this...adding defs just before the av-comparatives.org test. They should protect their users everytime not only before the test, and after that.

 

Dr.Web is very fast adding them, too. I've just received their answer to this new threat while replying to your post.