Trojan Zlob

Discussion in 'NOD32 version 2 Forum' started by ugly, May 27, 2006.

Thread Status:
Not open for further replies.
  1. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Well, what it at least proves is that it may be easy for us to express criticism, but that effective, real world detection of this stuff is very difficult indeed...

    I trust you've submitted samples to all concerned?
     
  2. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    ... and I can confirm this; about to call it a day....

    Complete scanning result of "mcodec-v5.541.exe", received in VirusTotal at 06.10.2006, 19:14:08 (CET).

    Antivirus Version Update Result
    AntiVir 6.35.0.10 06.10.2006 no virus found
    Authentium 4.93.8 06.09.2006 no virus found
    Avast 4.7.844.0 06.09.2006 no virus found
    AVG 386 06.09.2006 no virus found
    BitDefender 7.2 06.10.2006 no virus found
    CAT-QuickHeal 8.00 06.10.2006 (Suspicious) - DNAScan
    ClamAV devel-20060426 06.09.2006 no virus found
    DrWeb 4.33 06.10.2006 no virus found
    eTrust-InoculateIT 23.72.33 06.10.2006 no virus found
    eTrust-Vet 12.6.2250 06.09.2006 no virus found
    Ewido 3.5 06.10.2006 no virus found
    Fortinet 2.77.0.0 06.09.2006 suspicious
    F-Prot 3.16f 06.09.2006 no virus found
    Ikarus 0.2.65.0 06.09.2006 no virus found
    Kaspersky 4.0.2.24 06.10.2006 no virus found
    McAfee 4781 06.09.2006 no virus found
    Microsoft 1.1441 06.10.2006 no virus found
    NOD32v2 1.1591 06.10.2006 no virus found
    Norman 5.90.21 06.09.2006 no virus found
    Panda 9.0.0.4 06.10.2006 Suspicious file
    Sophos 4.06.0 06.10.2006 no virus found
    Symantec 8.0 06.10.2006 no virus found
    TheHacker 5.9.8.157 06.10.2006 no virus found
    UNA 1.83 06.09.2006 no virus found
    VBA32 3.11.0 06.09.2006 no virus found

    Additional Information
    File size: 69982 bytes
    MD5: adec9d1b4e3c00b58d1297a6b39cad21
    SHA1: 960c796905310e8efc180a6c99c0c593e9bfdcdb

    Complete scanning result of "xpassman-v3.541.exe", received in VirusTotal at 06.10.2006, 19:14:34 (CET).

    Antivirus Version Update Result
    AntiVir 6.35.0.10 06.10.2006 no virus found
    Authentium 4.93.8 06.09.2006 no virus found
    Avast 4.7.844.0 06.09.2006 no virus found
    AVG 386 06.09.2006 no virus found
    BitDefender 7.2 06.10.2006 no virus found
    CAT-QuickHeal 8.00 06.10.2006 (Suspicious) - DNAScan
    ClamAV devel-20060426 06.09.2006 no virus found
    DrWeb 4.33 06.10.2006 no virus found
    eTrust-InoculateIT 23.72.33 06.10.2006 no virus found
    eTrust-Vet 12.6.2250 06.09.2006 no virus found
    Ewido 3.5 06.10.2006 no virus found
    Fortinet 2.77.0.0 06.09.2006 suspicious
    F-Prot 3.16f 06.09.2006 no virus found
    Ikarus 0.2.65.0 06.09.2006 no virus found
    Kaspersky 4.0.2.24 06.10.2006 no virus found
    McAfee 4781 06.09.2006 no virus found
    Microsoft 1.1441 06.10.2006 no virus found
    NOD32v2 1.1591 06.10.2006 no virus found
    Norman 5.90.21 06.09.2006 no virus found
    Panda 9.0.0.4 06.10.2006 Suspicious file
    Sophos 4.06.0 06.10.2006 no virus found
    Symantec 8.0 06.10.2006 no virus found
    TheHacker 5.9.8.157 06.10.2006 no virus found
    UNA 1.83 06.09.2006 no virus found
    VBA32 3.11.0 06.09.2006 no virus found

    Additional Information
    File size: 76369 bytes
    MD5: 931abf1b4335bf2966663bf15b528ef9
    SHA1: c8a89c1e6f660aaac17156af8dbcbe73682eb1ed
     
  3. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Well yes of course it is, but that's exactly the point, and that's exactly why I don't trust all this marketing BS about detection and/or priorities. These guys are part of a crime ring, one of the most notorious on the Internet, and they keep fooling AVs every day, and this is not a priority? What's next, since they can't keep up, are they going to consider their "applications" legitimate? Please.

    No, just to KAV and BOClean, as they're the ones I use.

    EDIT: now to Ewido, too.
     
  4. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    I've submitted my samples to everyone, as I'm sure there will be folks who are NOT running either Kaspersky or BOClean, but who are at the same time still interested in having their AV/AT/AS protect them from this pest. :D

    (BTW, this IS still a Nod32 forum, y'know...)

    As I said before, IMHO there's no place for favoritism where computer security is concerned
     
  5. Benvan45

    Benvan45 Registered Member

    Joined:
    Jul 27, 2004
    Posts:
    556
    There were 6 detections here and all put into Quarantine and deleted, but not logged in the 'Threat Log'. Shouldn't it be logged, so it could be copied?

    threatlog.JPG
     
  6. Benvan45

    Benvan45 Registered Member

    Joined:
    Jul 27, 2004
    Posts:
    556
    Nod.JPG

    This is the Quarantine!
     
  7. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    Kudos to NOD32 and KAV for keeping up with this.

    I've submitted to NAV and McAfee with no answer. When I pressed the issue with McAfee, they actually called the file clean.
     
  8. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Uhhmmm... yeah, in fact I think it's kind of... you know... time for the continuation of this thread to be moved to the "trojans and backdoors" forum. :D

    I've been supporting Kaspersky and Ewido for a long time for a simple reason: they always show excellent support and customer care. I've sent a lot of samples to both and they were always very responsive and paying attention to including the signatures. In a few instances when KAV found that the sample was not actually malware, they always answered. In 2004, the team behind Ewido even gratified me with a free 3-months "full" key for my activity in sending malware samples and communicating URLs to them. :)

    I have been using BOClean for only a couple of months, but Kevin McAleavey's support was very fast and reliable as well.

    I can't say the same for a few of the other vendors (this doesn't include Eset, my contacts with them have been too sporadic to really judge). So no, I won't support a few of the other vendors anymore.

    I don't gain any money at all doing this, I just do it because I hate to see the Internet becoming the junkyard it's becoming. I've been regularly using the Internet since 1995 and I can tell you that it's NEVER been worse than it is now. And for what it's worth, big companies with large funds that are supposed to 'protect' users but actually spend more money on marketing than on actual research and support won't have my help at all. Simple.
     
  9. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    there are 2 variants still not detected as TonyKlein stated. We're waiting. :D
     
  10. ugly

    ugly Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    276
    Location:
    Romania
    New one :ninja: .

    new.JPG

    Sent it.
    It's like a neverending story.
     
  11. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    yes.... since a heuristic is not available the story will be long. :D
     
  12. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Could actually be identical to the ones I uploaded. Second time I tried DrWeb had indeed added detection.

    It would help if you posted the entire scan results (including filename, file size + checksums)
     
  13. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Actually, I'll thank *everyone* who has detected these Zlobs. Eset has, till now, done the best job of it. Great job, and keep it up. Rumpstah was right when he said there were lots of talented people at Eset even since NOD32 version 1 :)

    As for McAfee, use WebImmune to send the sample and put in a note with the sample name as detected by other AVs like NOD32 and Kaspersky. Doing it this way has always worked for me.

    BitDefender tells me they will add these Zlobs "soon" :doubt:
     
  14. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    Actually, I did use WebImmune. That's when I finally got the answer that it is clean when other scanners said differently.

    I'm still using KAV, but NOD32 has been up to their level on this one. As you might know, I have licenses for both AVs.
     
  15. ugly

    ugly Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    276
    Location:
    Romania
    New scan results

    zl.JPG
     
  16. biggerbyte

    biggerbyte Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    53
    Trojan-Downloader.Win32.Zlob.qz was detected on my computer by Kaspersky's online scanner, but NOD32 did not catch it, much less remove it.

    This must be all something very recent. Some antivirus is ready to detect it and some not. I'm surprised that Kaspersky beat NOD to the punch. Mine was in my restore files of all places. I simply turned off system restore long enough to do a scan and all was well. This was all very strange.
     
  17. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,174
    Location:
    Denmark
    A few more added to the 1.1592 update
    Win32/TrojanDownloader.Zlob.RE
    Win32/TrojanDownloader.Zlob.RF
    Win32/TrojanDownloader.Zlob.RG
    Win32/TrojanDownloader.Zlob.RH
     
  18. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Here are 5 I just downloaded; I've stopped submitting this stuff... :p

    DrWeb got em all this time, KAV's a close second

    Complete scanning result of "mediacodec-v4.107.exe", received in VirusTotal at 06.11.2006, 12:36:32 (CET).

    Antivirus Version Update Result
    AntiVir 6.35.0.10 06.10.2006 no virus found
    Authentium 4.93.8 06.09.2006 no virus found
    Avast 4.7.844.0 06.09.2006 no virus found
    AVG 386 06.09.2006 no virus found
    BitDefender 7.2 06.11.2006 no virus found
    CAT-QuickHeal 8.00 06.10.2006 (Suspicious) - DNAScan
    ClamAV devel-20060426 06.09.2006 no virus found
    DrWeb 4.33 06.11.2006 Trojan.Popuper
    eTrust-InoculateIT 23.72.33 06.10.2006 no virus found
    eTrust-Vet 12.6.2250 06.09.2006 no virus found
    Ewido 3.5 06.10.2006 no virus found
    Fortinet 2.77.0.0 06.11.2006 suspicious
    F-Prot 3.16f 06.09.2006 no virus found
    Ikarus 0.2.65.0 06.09.2006 no virus found
    Kaspersky 4.0.2.24 06.11.2006 Trojan-Downloader.Win32.Zlob.sd
    McAfee 4781 06.09.2006 no virus found
    Microsoft 1.1441 06.11.2006 no virus found
    NOD32v2 1.1592 06.11.2006 no virus found
    Norman 5.90.21 06.09.2006 no virus found
    Panda 9.0.0.4 06.10.2006 Suspicious file
    Sophos 4.06.0 06.10.2006 no virus found
    Symantec 8.0 06.11.2006 no virus found
    TheHacker 5.9.8.157 06.10.2006 no virus found
    UNA 1.83 06.09.2006 no virus found
    VBA32 3.11.0 06.11.2006 no virus found

    Additional Information
    File size: 69934 bytes
    MD5: f384890c76fc8d17cc41f7184a9cb62a
    SHA1: 54631b137b8dfb5f4ddcb03d5a456860ae6fafe2

    Complete scanning result of "sv-codec-v4_01a.exe", received in VirusTotal at 06.11.2006, 12:36:46 (CET).

    Antivirus Version Update Result
    AntiVir 6.35.0.10 06.10.2006 no virus found
    Authentium 4.93.8 06.09.2006 no virus found
    Avast 4.7.844.0 06.09.2006 no virus found
    AVG 386 06.09.2006 no virus found
    BitDefender 7.2 06.11.2006 no virus found
    CAT-QuickHeal 8.00 06.10.2006 (Suspicious) - DNAScan
    ClamAV devel-20060426 06.09.2006 no virus found
    DrWeb 4.33 06.11.2006 Trojan.Popuper
    eTrust-InoculateIT 23.72.33 06.10.2006 no virus found
    eTrust-Vet 12.6.2250 06.09.2006 no virus found
    Ewido 3.5 06.10.2006 no virus found
    Fortinet 2.77.0.0 06.11.2006 suspicious
    F-Prot 3.16f 06.09.2006 no virus found
    Ikarus 0.2.65.0 06.09.2006 no virus found
    Kaspersky 4.0.2.24 06.11.2006 Trojan-Downloader.Win32.Zlob.sd
    McAfee 4781 06.09.2006 no virus found
    Microsoft 1.1441 06.11.2006 no virus found
    NOD32v2 1.1592 06.11.2006 no virus found
    Norman 5.90.21 06.09.2006 no virus found
    Panda 9.0.0.4 06.10.2006 Suspicious file
    Sophos 4.06.0 06.10.2006 no virus found
    Symantec 8.0 06.11.2006 no virus found
    TheHacker 5.9.8.157 06.10.2006 no virus found
    UNA 1.83 06.09.2006 no virus found
    VBA32 3.11.0 06.11.2006 no virus found

    Additional Information
    File size: 69936 bytes
    MD5: e3c795eeb01dc1c19d3ef22aee0c380c
    SHA1: aedc2f7aaae8ddd16f196c48be5ad4dc6ba214bf

    Complete scanning result of "mcodec-v5.541.exe", received in VirusTotal at 06.11.2006, 12:36:17 (CET).

    Antivirus Version Update Result
    AntiVir 6.35.0.10 06.10.2006 no virus found
    Authentium 4.93.8 06.09.2006 no virus found
    Avast 4.7.844.0 06.09.2006 no virus found
    AVG 386 06.09.2006 no virus found
    BitDefender 7.2 06.11.2006 no virus found
    CAT-QuickHeal 8.00 06.10.2006 (Suspicious) - DNAScan
    ClamAV devel-20060426 06.09.2006 no virus found
    DrWeb 4.33 06.11.2006 Trojan.Popuper
    eTrust-InoculateIT 23.72.33 06.10.2006 no virus found
    eTrust-Vet 12.6.2250 06.09.2006 no virus found
    Ewido 3.5 06.10.2006 no virus found
    Fortinet 2.77.0.0 06.11.2006 suspicious
    F-Prot 3.16f 06.09.2006 no virus found
    Ikarus 0.2.65.0 06.09.2006 no virus found
    Kaspersky 4.0.2.24 06.11.2006 Trojan-Downloader.Win32.Zlob.sd
    McAfee 4781 06.09.2006 no virus found
    Microsoft 1.1441 06.11.2006 no virus found
    NOD32v2 1.1592 06.11.2006 no virus found
    Norman 5.90.21 06.09.2006 no virus found
    Panda 9.0.0.4 06.10.2006 Suspicious file
    Sophos 4.06.0 06.10.2006 no virus found
    Symantec 8.0 06.11.2006 no virus found
    TheHacker 5.9.8.157 06.10.2006 no virus found
    UNA 1.83 06.09.2006 no virus found
    VBA32 3.11.0 06.11.2006 no virus found

    Additional Information
    File size: 69934 bytes
    MD5: 8d72a7c9c07e40b085c15bdcc9a1100f
    SHA1: be5f0dc0ffd852fe5d6b1747ba0b32b75a2d52d4

    Complete scanning result of "vcodec_ver3.102.exe", received in VirusTotal at 06.11.2006, 12:38:56 (CET).

    Antivirus Version Update Result
    AntiVir 6.35.0.10 06.10.2006 TR/Drop.Zlob.FN.2
    Authentium 4.93.8 06.09.2006 no virus found
    Avast 4.7.844.0 06.09.2006 no virus found
    AVG 386 06.09.2006 no virus found
    BitDefender 7.2 06.11.2006 no virus found
    CAT-QuickHeal 8.00 06.10.2006 no virus found
    ClamAV devel-20060426 06.09.2006 no virus found
    DrWeb 4.33 06.11.2006 Trojan.Popuper
    eTrust-InoculateIT 23.72.33 06.10.2006 no virus found
    eTrust-Vet 12.6.2250 06.09.2006 Win32/Beovens.DR
    Ewido 3.5 06.10.2006 no virus found
    Fortinet 2.77.0.0 06.11.2006 W32/Zapchast!tr
    F-Prot 3.16f 06.09.2006 no virus found
    Ikarus 0.2.65.0 06.09.2006 Trojan.Win32.Zapchast
    Kaspersky 4.0.2.24 06.11.2006 Trojan.Win32.Zapchast
    McAfee 4781 06.09.2006 no virus found
    Microsoft 1.1441 06.11.2006 no virus found
    NOD32v2 1.1592 06.11.2006 a variant of Win32/TrojanDownloader.Zlob.OU
    Norman 5.90.21 06.09.2006 Zapchast.FB
    Panda 9.0.0.4 06.10.2006 Trj/Zapchast.BY
    Sophos 4.06.0 06.10.2006 no virus found
    Symantec 8.0 06.11.2006 Trojan.Zlob
    TheHacker 5.9.8.157 06.10.2006 no virus found
    UNA 1.83 06.09.2006 no virus found
    VBA32 3.11.0 06.11.2006 Trojan.Win32.Zapchast

    Complete scanning result of "xpassman-v3.541.exe", received in VirusTotal at 06.11.2006, 12:39:36 (CET).

    Antivirus Version Update Result
    AntiVir 6.35.0.10 06.10.2006 no virus found
    Authentium 4.93.8 06.09.2006 no virus found
    Avast 4.7.844.0 06.09.2006 no virus found
    AVG 386 06.09.2006 no virus found
    BitDefender 7.2 06.11.2006 no virus found
    CAT-QuickHeal 8.00 06.10.2006 (Suspicious) - DNAScan
    ClamAV devel-20060426 06.09.2006 no virus found
    DrWeb 4.33 06.11.2006 Trojan.Popuper
    eTrust-InoculateIT 23.72.33 06.10.2006 no virus found
    eTrust-Vet 12.6.2250 06.09.2006 no virus found
    Ewido 3.5 06.10.2006 no virus found
    Fortinet 2.77.0.0 06.11.2006 suspicious
    F-Prot 3.16f 06.09.2006 no virus found
    Ikarus 0.2.65.0 06.09.2006 no virus found
    Kaspersky 4.0.2.24 06.11.2006 no virus found
    McAfee 4781 06.09.2006 no virus found
    Microsoft 1.1441 06.11.2006 no virus found
    NOD32v2 1.1592 06.11.2006 no virus found
    Norman 5.90.21 06.09.2006 no virus found
    Panda 9.0.0.4 06.10.2006 Suspicious file
    Sophos 4.06.0 06.10.2006 no virus found
    Symantec 8.0 06.11.2006 no virus found
    TheHacker 5.9.8.157 06.10.2006 no virus found
    UNA 1.83 06.09.2006 no virus found
    VBA32 3.11.0 06.11.2006 no virus found

    Additional Information
    File size: 76318 bytes
    MD5: fb89f7a1b6033b6399bdc156f3df542e
    SHA1: 05df94038bf37c37b6ed0ff6ace693d769e30fd3


    Files available on request (only to developers)
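The reports above are posted as plain text, so comparing them by eye is error-prone, and as TonyKlein notes earlier in the thread the same filename comes back with a different checksum on a later download, which is why submissions should be tracked by hash rather than name. The following is an added example, not code from the thread or from VirusTotal: it parses reports in the 2006 plaintext format shown above, counts named, heuristic-only and clean verdicts per sample, pulls the family name out of each engine's label, and flags filenames that were posted with more than one MD5. The embedded reports are constructed excerpts (engine lists shortened) using the hashes posted in this thread; the family list is limited to the names that appear on this page.

```python
"""Summarise 2006-style VirusTotal plaintext reports (added example)."""
import re
from collections import defaultdict

# Constructed excerpts in the format posted in the thread; engine lists
# are shortened, hashes are the ones posted.
SAMPLE_REPORTS = """\
Complete scanning result of "mcodec-v5.541.exe", received in VirusTotal at 06.10.2006, 19:14:08 (CET).

Antivirus Version Update Result
CAT-QuickHeal 8.00 06.10.2006 (Suspicious) - DNAScan
DrWeb 4.33 06.10.2006 no virus found
Kaspersky 4.0.2.24 06.10.2006 no virus found
NOD32v2 1.1591 06.10.2006 no virus found

Additional Information
File size: 69982 bytes
MD5: adec9d1b4e3c00b58d1297a6b39cad21
SHA1: 960c796905310e8efc180a6c99c0c593e9bfdcdb

Complete scanning result of "mcodec-v5.541.exe", received in VirusTotal at 06.11.2006, 12:36:17 (CET).

Antivirus Version Update Result
CAT-QuickHeal 8.00 06.10.2006 (Suspicious) - DNAScan
DrWeb 4.33 06.11.2006 Trojan.Popuper
Kaspersky 4.0.2.24 06.11.2006 Trojan-Downloader.Win32.Zlob.sd
NOD32v2 1.1592 06.11.2006 no virus found

Additional Information
File size: 69934 bytes
MD5: 8d72a7c9c07e40b085c15bdcc9a1100f
SHA1: be5f0dc0ffd852fe5d6b1747ba0b32b75a2d52d4

Complete scanning result of "vcodec_ver3.102.exe", received in VirusTotal at 06.11.2006, 12:38:56 (CET).

Antivirus Version Update Result
AntiVir 6.35.0.10 06.10.2006 TR/Drop.Zlob.FN.2
Kaspersky 4.0.2.24 06.11.2006 Trojan.Win32.Zapchast
NOD32v2 1.1592 06.11.2006 a variant of Win32/TrojanDownloader.Zlob.OU
Symantec 8.0 06.11.2006 Trojan.Zlob
Sophos 4.06.0 06.10.2006 no virus found
"""

HEADER = re.compile(
    r'^Complete scanning result of "(?P<name>[^"]+)", '
    r'received in VirusTotal at (?P<when>.+?)\.?$')
# Family names seen in this thread; extend as needed (assumption).
FAMILY = re.compile(r'(Zlob|Zapchast|Popuper|Beovens)', re.IGNORECASE)


def parse_reports(text):
    """Split concatenated reports into dicts of name/when/size/hashes/results."""
    reports, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            cur = {"name": m["name"], "when": m["when"], "size": None,
                   "md5": None, "sha1": None, "results": {}}
            reports.append(cur)
            continue
        if cur is None or not line:
            continue
        if line.startswith("MD5:"):
            cur["md5"] = line.split(":", 1)[1].strip().lower()
        elif line.startswith("SHA1:"):
            cur["sha1"] = line.split(":", 1)[1].strip().lower()
        elif line.startswith("File size:"):
            cur["size"] = int(line.split()[2])
        elif line in ("Antivirus Version Update Result", "Additional Information"):
            continue
        else:
            # Engine rows: <engine> <version> <update> <result...>; the
            # result may contain spaces, so split at most three times.
            parts = line.split(None, 3)
            if len(parts) == 4:
                cur["results"][parts[0]] = parts[3]
    return reports


def classify(result):
    """'clean', 'heuristic' (generic suspicious verdict) or 'named' (signature)."""
    r = result.lower()
    if r == "no virus found":
        return "clean"
    if "suspicious" in r:
        return "heuristic"
    return "named"


def summarize(report):
    """Per-sample verdict counts plus the set of family names engines used."""
    counts = {"clean": 0, "heuristic": 0, "named": 0}
    families = set()
    for result in report["results"].values():
        kind = classify(result)
        counts[kind] += 1
        if kind == "named":
            m = FAMILY.search(result)
            families.add(m.group(1).capitalize() if m else result)
    return {"name": report["name"], "md5": report["md5"],
            "engines": len(report["results"]), **counts,
            "families": sorted(families)}


def same_name_different_hash(reports):
    """Filenames posted with more than one MD5: the download is re-packed
    between fetches, so a filename says nothing about whether the sample
    was already submitted; always compare by hash."""
    by_name = defaultdict(set)
    for r in reports:
        if r["md5"]:
            by_name[r["name"]].add(r["md5"])
    return {n: sorted(h) for n, h in by_name.items() if len(h) > 1}
```

Run `summarize()` over each parsed report to see how many engines have a real signature as opposed to a generic "suspicious" verdict (the QuickHeal and Panda results in the thread are the latter), and note that for vcodec_ver3.102.exe the same file is labelled both Zlob and Zapchast, which is why Firecat's advice to quote other vendors' detection names when submitting to McAfee helps the analyst match the sample.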
     
  19. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    ...as I noticed there had just been a Virus signature database update, I updated and scanned the files with Nod32 AH. No change.
     
  20. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Oh, lookie, here's one detected by no one at all... LOL!

    hxxp://www.pornmagpass.com/download/pornmagpass_ver1.107.exe

    Complete scanning result of "pornmagpass_ver1.107.exe", received in VirusTotal at 06.11.2006, 14:13:19 (CET).

    Antivirus Version Update Result
    AntiVir 6.35.0.10 06.10.2006 no virus found
    Authentium 4.93.8 06.09.2006 no virus found
    Avast 4.7.844.0 06.09.2006 no virus found
    AVG 386 06.09.2006 no virus found
    BitDefender 7.2 06.11.2006 no virus found
    CAT-QuickHeal 8.00 06.10.2006 (Suspicious) - DNAScan
    ClamAV devel-20060426 06.09.2006 no virus found
    DrWeb 4.33 06.11.2006 no virus found
    eTrust-InoculateIT 23.72.33 06.10.2006 no virus found
    eTrust-Vet 12.6.2250 06.09.2006 no virus found
    Ewido 3.5 06.10.2006 no virus found
    Fortinet 2.77.0.0 06.11.2006 suspicious
    F-Prot 3.16f 06.09.2006 no virus found
    Ikarus 0.2.65.0 06.09.2006 no virus found
    Kaspersky 4.0.2.24 06.11.2006 no virus found
    McAfee 4781 06.09.2006 no virus found
    Microsoft 1.1441 06.11.2006 no virus found
    NOD32v2 1.1592 06.11.2006 no virus found
    Norman 5.90.21 06.09.2006 no virus found
    Panda 9.0.0.4 06.11.2006 Suspicious file
    Sophos 4.06.0 06.10.2006 no virus found
    Symantec 8.0 06.11.2006 no virus found
    TheHacker 5.9.8.157 06.10.2006 no virus found
    UNA 1.83 06.09.2006 no virus found
    VBA32 3.11.0 06.11.2006 no virus found

    Additional Information
    File size: 88070 bytes
    MD5: c9c2773545b170074f9d3a7452e5060d
    SHA1: ec19033d62683697362323e181caed55acd0389d
     
  21. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    I've seen it before but you were faster posting the scanning log. :p Files sent anyway. Hope NOD32 will react soon. :D
     
  22. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,174
    Location:
    Denmark
    Quick Heal thinks it's suspicious... But then again, it thinks all files are suspicious if they are runtime packed.. bah! :p
     
  23. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    They should actually be detected upon extraction, we're just looking into why archives are not detected.
     
  24. i_kenefick

    i_kenefick Registered Member

    Joined:
    Nov 29, 2005
    Posts:
    135
    Location:
    Cork, Ireland.
    I wonder if this has anything to do with the FSG packing.
     
  25. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Quoting:

    :D
     