Trojan Zlob

Discussion in 'NOD32 version 2 Forum' started by ugly, May 27, 2006.

Thread Status:
Not open for further replies.
  1. i_kenefick

    i_kenefick Registered Member

    Joined:
    Nov 29, 2005
    Posts:
    135
    Location:
    Cork, Ireland.
    How does this contradict what I said? Just because an online scanner 'gets' files means an end user should stop submitting them?
     
  2. i_kenefick

    i_kenefick Registered Member

    Joined:
    Nov 29, 2005
    Posts:
    135
    Location:
    Cork, Ireland.
    The PR tail wagging the Antivirus dog *puppy*
     
  3. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    I was not contradicting you. :)

    And what do you mean "PR tail wagging the antivirus dog" o_O
     
  4. i_kenefick

    i_kenefick Registered Member

    Joined:
    Nov 29, 2005
    Posts:
    135
    Location:
    Cork, Ireland.
    The term 'Actually' implies a contradictory statement :)

    I mean this isn't a priority threat. It's overhyped.
     
  5. i_kenefick

    i_kenefick Registered Member

    Joined:
    Nov 29, 2005
    Posts:
    135
    Location:
    Cork, Ireland.
On the other side.... we would complain because program x scored so badly in AV-Comparatives.
     
  6. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
i_kenefick, if they would add those defs as soon as they get them (regardless of the source) and not just before the av-comparatives.org test, they would score very well ;)
     
  7. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    detection has been added as Win32/Trojan.Downloader.Zlob.PZ :thumb:
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    It's a neverending race, but we do not give up :D

    AntiVir 6.35.0.10 06.09.2006 no virus found
    Authentium 4.93.8 06.08.2006 no virus found
    Avast 4.7.844.0 06.09.2006 no virus found
    AVG 386 06.08.2006 no virus found
    BitDefender 7.2 06.09.2006 no virus found
    CAT-QuickHeal 8.00 06.09.2006 (Suspicious) - DNAScan
    ClamAV devel-20060426 06.09.2006 no virus found
    DrWeb 4.33 06.09.2006 Trojan.Popuper
    eTrust-InoculateIT 23.72.32 06.09.2006 no virus found
    eTrust-Vet 12.6.2250 06.09.2006 no virus found
    Ewido 3.5 06.09.2006 no virus found
    Fortinet 2.77.0.0 06.09.2006 suspicious
    F-Prot 3.16f 06.08.2006 no virus found
    Ikarus n - no virus found
    Kaspersky 4.0.2.24 06.09.2006 no virus found
    McAfee 4780 06.08.2006 no virus found
    Microsoft 1.1441 06.09.2006 no virus found
    NOD32v2 1.1589 06.09.2006 Win32/TrojanDownloader.Zlob.PZ
    Norman 5.90.21 06.09.2006 no virus found
    Panda 9.0.0.4 06.09.2006 Suspicious file
    Sophos 4.06.0 06.09.2006 no virus found
    Symantec 8.0 06.09.2006 no virus found
    TheHacker 5.9.8.156 06.08.2006 no virus found
    UNA 1.83 06.09.2006 no virus found
    VBA32 3.11.0 06.09.2006 no virus found
     
  9. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Are you sure it's not a fake what you have posted? :D :D I can't believe only NOD detects it. :D That's why I'm posting only screenshots. :p
     

    Last edited: Jun 9, 2006
  10. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    So... what does constitute a priority?
     
  11. i_kenefick

    i_kenefick Registered Member

    Joined:
    Nov 29, 2005
    Posts:
    135
    Location:
    Cork, Ireland.
A threat actively spreading in the wild or one which has the potential to do so. Not a downloader anyways :cool:
     
  12. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    I'm not sure but here's what I think is a priority for Eset:

    a) The sample is *very* rapidly mass-spreading
    b) The sample is a legitimate application that has a Threat level of at least "Medium" and a spreading rate of "High"
    c) The sample has caused disruption of business in sizeable amounts
     
  13. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Uh, well, this threat is in the wild.

    The Vcodec variant (or some variants of it) mass-mails too, to the "contact list" addresses it finds using one of the addresses as the sender. The messages are very believable as well (and I've seen lots of people falling for it).

    The people behind this are closely related (or even the same people) behind iframecash.biz, a criminal group that actively exploits vulnerabilities, hacks servers, and plants keyloggers (along with other crap).

    So why this is not a priority, I still don't understand.
     
  14. ASpace

    ASpace Guest


which is absolutely right. da*e trojans can't be priority, meaning that trojans are installed by users themselves (not talking about some) :thumb:

    Who makes you download/install or visit a site
     
  15. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    The stuff that mass-spreads *very* rapidly happens VERY rarely. Unless it's a worm that has a method of spreading through vulnerabilities in default system settings (or very common services anyway), I don't see how anything can spread *very* rapidly.
     
  16. ASpace

    ASpace Guest


    The snake can still pronounce Sassssser :D :D :D
     
  17. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Latest variants from:

    hxxp://www.imediacodec.com/
    hxxp://www.xpasswordmanager.com/

    Complete scanning result of "mcodec-v5.541.exe", received in VirusTotal at 06.10.2006, 09:14:30 (CET).

    Antivirus Version Update Result
    AntiVir 6.35.0.10 06.09.2006 no virus found
    Authentium 4.93.8 06.09.2006 Possibly a new variant of W32/AdwareDropper.MCodec-based
    Avast 4.7.844.0 06.09.2006 no virus found
    AVG 386 06.09.2006 Downloader.Zlob.AOJ
    BitDefender 7.2 06.10.2006 no virus found
    CAT-QuickHeal 8.00 06.09.2006 no virus found
    ClamAV devel-20060426 06.09.2006 no virus found
    DrWeb 4.33 06.09.2006 no virus found
    eTrust-InoculateIT 23.72.33 06.10.2006 no virus found
    eTrust-Vet 12.6.2250 06.09.2006 no virus found
    Ewido 3.5 06.09.2006 no virus found
    Fortinet 2.77.0.0 06.09.2006 W32/Zlob.PC!tr
    F-Prot 3.16f 06.09.2006 Possibly a new variant of W32/AdwareDropper.MCodec-based
    Ikarus 0.2.65.0 06.09.2006 Trojan.Favadd
    Kaspersky 4.0.2.24 06.10.2006 Trojan-Downloader.Win32.Zlob.pj
    McAfee 4781 06.09.2006 no virus found
    Microsoft 1.1441 06.10.2006 no virus found
    NOD32v2 1.1590 06.10.2006 no virus found
    Norman 5.90.21 06.09.2006 no virus found
    Panda 9.0.0.4 06.09.2006 no virus found
    Sophos 4.06.0 06.10.2006 no virus found
    Symantec 8.0 06.10.2006 no virus found
    TheHacker 5.9.8.157 06.10.2006 no virus found
    UNA 1.83 06.09.2006 no virus found
    VBA32 3.11.0 06.09.2006 no virus found

    Aditional Information
    File size: 72752 bytes
    MD5: 1bbc8c1364b40af9fc278d125418dab0
    SHA1: d4202e2be8fe295cad0f34c58051c29a6589312c


    Complete scanning result of "xpassman-v3.541.exe", received in VirusTotal at 06.10.2006, 09:14:57 (CET).

    Antivirus Version Update Result
    AntiVir 6.35.0.10 06.09.2006 no virus found
    Authentium 4.93.8 06.09.2006 no virus found
    Avast 4.7.844.0 06.09.2006 no virus found
    AVG 386 06.09.2006 no virus found
    BitDefender 7.2 06.10.2006 no virus found
    CAT-QuickHeal 8.00 06.09.2006 no virus found
    ClamAV devel-20060426 06.09.2006 Trojan.Downloader.Zlob-471
    DrWeb 4.33 06.09.2006 no virus found
    eTrust-InoculateIT 23.72.33 06.10.2006 no virus found
    eTrust-Vet 12.6.2250 06.09.2006 Win32/Beovens.FT
    Ewido 3.5 06.09.2006 no virus found
    Fortinet 2.77.0.0 06.09.2006 suspicious
    F-Prot 3.16f 06.09.2006 no virus found
    Ikarus 0.2.65.0 06.09.2006 Trojan-Downloader.Win32.Zlob.ni
    Kaspersky 4.0.2.24 06.10.2006 Trojan-Downloader.Win32.Zlob.pj
    McAfee 4781 06.09.2006 no virus found
    Microsoft 1.1441 06.10.2006 no virus found
    NOD32v2 1.1590 06.10.2006 no virus found
    Norman 5.90.21 06.09.2006 no virus found
    Panda 9.0.0.4 06.09.2006 no virus found
    Sophos 4.06.0 06.10.2006 no virus found
    Symantec 8.0 06.10.2006 no virus found
    TheHacker 5.9.8.157 06.10.2006 no virus found
    UNA 1.83 06.09.2006 no virus found
    VBA32 3.11.0 06.09.2006 no virus found

    Aditional Information
    File size: 79047 bytes
    MD5: 7be9b0e11453ad5b2be598e68517678d
    SHA1: 3ae8226dee43b6f6aa83d1dd4da6a7196c37aa12


    Samples submitted to all concerned
     
  18. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,286
    Location:
    New England
    One reply removed and the poster was PM'd about it. Please remember what Blackspear posted a little while before, above in this thread:

     
  19. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    Hello Marcos!

    When will NOD detect this Zlob with AH?

    Izi
     
  20. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    The files are at least being detected now. Others still don't appear to consider these a 'priority'.... :rolleyes:

    Complete scanning result of "xpassman-v3.541.exe", received in VirusTotal at 06.10.2006, 17:51:51 (CET).

    Antivirus Version Update Result
    AntiVir 6.35.0.10 06.10.2006 no virus found
    Authentium 4.93.8 06.09.2006 no virus found
    Avast 4.7.844.0 06.09.2006 no virus found
    AVG 386 06.09.2006 no virus found
    BitDefender 7.2 06.10.2006 no virus found
    CAT-QuickHeal 8.00 06.10.2006 no virus found
    ClamAV devel-20060426 06.09.2006 Trojan.Downloader.Zlob-471
    DrWeb 4.33 06.10.2006 Trojan.Popuper
    eTrust-InoculateIT 23.72.33 06.10.2006 no virus found
    eTrust-Vet 12.6.2250 06.09.2006 Win32/Beovens.FT
    Ewido 3.5 06.10.2006 no virus found
    Fortinet 2.77.0.0 06.09.2006 suspicious
    F-Prot 3.16f 06.09.2006 no virus found
    Ikarus 0.2.65.0 06.09.2006 Trojan-Downloader.Win32.Zlob.ni
    Kaspersky 4.0.2.24 06.10.2006 Trojan-Downloader.Win32.Zlob.pj
    McAfee 4781 06.09.2006 no virus found
    Microsoft 1.1441 06.10.2006 no virus found
    NOD32v2 1.1591 06.10.2006 Win32/TrojanDownloader.Zlob.RC
    Norman 5.90.21 06.09.2006 no virus found
    Panda 9.0.0.4 06.10.2006 no virus found
    Sophos 4.06.0 06.10.2006 no virus found
    Symantec 8.0 06.10.2006 no virus found
    TheHacker 5.9.8.157 06.10.2006 no virus found
    UNA 1.83 06.09.2006 no virus found
    VBA32 3.11.0 06.09.2006 no virus found

    Aditional Information
    File size: 79047 bytes
    MD5: 7be9b0e11453ad5b2be598e68517678d
    SHA1: 3ae8226dee43b6f6aa83d1dd4da6a7196c37aa12

    Complete scanning result of "mcodec-v5.541.exe", received in VirusTotal at 06.10.2006, 17:51:32 (CET).

    Antivirus Version Update Result
    AntiVir 6.35.0.10 06.10.2006 no virus found
    Authentium 4.93.8 06.09.2006 Possibly a new variant of W32/AdwareDropper.MCodec-based
    Avast 4.7.844.0 06.09.2006 no virus found
    AVG 386 06.09.2006 Downloader.Zlob.AOJ
    BitDefender 7.2 06.10.2006 no virus found
    CAT-QuickHeal 8.00 06.10.2006 no virus found
    ClamAV devel-20060426 06.09.2006 no virus found
    DrWeb 4.33 06.10.2006 Trojan.Popuper
    eTrust-InoculateIT 23.72.33 06.10.2006 no virus found
    eTrust-Vet 12.6.2250 06.09.2006 no virus found
    Ewido 3.5 06.10.2006 no virus found
    Fortinet 2.77.0.0 06.09.2006 W32/Zlob.PC!tr
    F-Prot 3.16f 06.09.2006 Possibly a new variant of W32/AdwareDropper.MCodec-based
    Ikarus 0.2.65.0 06.09.2006 Trojan.Favadd
    Kaspersky 4.0.2.24 06.10.2006 Trojan-Downloader.Win32.Zlob.pj
    McAfee 4781 06.09.2006 no virus found
    Microsoft 1.1441 06.10.2006 no virus found
    NOD32v2 1.1591 06.10.2006 Win32/TrojanDownloader.Zlob.RC
    Norman 5.90.21 06.09.2006 no virus found
    Panda 9.0.0.4 06.10.2006 no virus found
    Sophos 4.06.0 06.10.2006 no virus found
    Symantec 8.0 06.10.2006 no virus found
    TheHacker 5.9.8.157 06.10.2006 no virus found
    UNA 1.83 06.09.2006 no virus found
    VBA32 3.11.0 06.09.2006 no virus found

    Aditional Information
    File size: 72752 bytes
    MD5: 1bbc8c1364b40af9fc278d125418dab0
    SHA1: d4202e2be8fe295cad0f34c58051c29a6589312c
     
  21. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
That's their very nice way of justifying their inability to keep up with malware creators. :thumbd:
     
  22. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Well, at least some companies are doing well detecting this. I would like to congratulate and thank Eset and all other vendors who have detected these at the current time. :)

    You guys at Eset are doing a great job! :)

    As for others, Zlob samples sent via VirusTotal and jotti are seemingly not taken very seriously. You must give them detailed descriptions and why it is important to detect them. Some others do take this Zlob trojan seriously (McAfee for example), but may not receive the samples properly from Jotti and Virustotal. You *must* send a detailed email.
     
  23. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    That's exactly what I do; I submit the samples by mail to 40 or so developers, accompanied by a short description.
     
  24. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
I'm wondering myself whether the samples on Jotti and Virustotal are sent to AV producers at all. I've seen lots of samples sent to Ewido, ClamAV, or KAV or others that were included within a few hours or at most a day when sent manually through e-mail (or through the vendor's website), while they never even got detected at all if just uploaded through Virustotal. So yes, I completely agree: don't rely on those two services for samples to be sent to AV vendors.
     
  25. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948