Vundo in new crypt

Discussion in 'ESET NOD32 Antivirus' started by vrshntr, Dec 20, 2008.

Thread Status:
Not open for further replies.
  1. vrshntr

    vrshntr Registered Member

    Joined:
    Dec 20, 2008
    Posts:
    4
    Hello!

    I found a Vundo trojan with a new kind of crypt/loader code;
    the current NOD32 does not detect it as malware..
    I also submitted it directly through NOD32, but there is still no detection update,
    while at VirusTotal there are detections by other AVs.

    New Year holiday vacations??

    I attached the malware files, zipped and then Base64 encoded.

    LowWaterMark: malware attachments removed in keeping with forum TOS. Don't upload or link to malware files.
     
    Last edited by a moderator: Dec 20, 2008
  2. vrshntr

    vrshntr Registered Member

    Joined:
    Dec 20, 2008
    Posts:
    4
    OK, the attachments are removed.
    Well, let's try this:

    ~ links removed ~
     
    Last edited by a moderator: Dec 20, 2008
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    I've removed those links, too.

    We don't upload or link to malware here in the public forums, that includes malware search/sharing sites.

    Don't worry, Eset can access these samples if they need to.
     
  4. Don johnson

    Don johnson Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    77
    You can send the virus sample to samples@eset.sk with "Virtumonde" in the subject.
     
  5. vrshntr

    vrshntr Registered Member

    Joined:
    Dec 20, 2008
    Posts:
    4
    Just want to say:
    I failed to send them via Gmail.. it is not so easy to send trojans via mail.
    OK!?
    BYE!
     
  6. PaulB2005

    PaulB2005 Registered Member

    Joined:
    Apr 19, 2005
    Posts:
    525
    Just zip the files up and password-protect the zip file with the password "infected". Then you should be able to send it...
     
  7. Kayracc

    Kayracc Registered Member

    Joined:
    Jul 5, 2008
    Posts:
    96

    This won't work.

    You either need to rename the file extension from .exe to something else, like .txt, or use a program that can encrypt file names, such as WinRAR or 7-Zip.

    Gmail blocks .exe files as attachments, so if it can see that it is an .exe, it blocks it.
     
  8. PaulB2005

    PaulB2005 Registered Member

    Joined:
    Apr 19, 2005
    Posts:
    525
    Yes it will work.

    A ZIP file is a ZIP file - not an EXE file, even if it contains an EXE file. Plus password-protecting the ZIP file encrypts the contents, so Gmail wouldn't know if the contents are an EXE, DOC, JPG or TXT file.

    That's the whole point of zipping the file and password protecting it.

    How else do you think people send samples in? Have a read through a few posts and you'll see this is the way Eset themselves ask you to send the file in.
     
  9. CivilTaz

    CivilTaz Registered Member

    Joined:
    Nov 19, 2008
    Posts:
    146
    Are you sure? Why don't you try it before you post something. You can't send executable files in Gmail when they are inside a ZIP file, even if the file is encrypted with a password. I don't know why, but the fact is that you can't. Anyway, you can send them in RAR files.
     
  10. PaulB2005

    PaulB2005 Registered Member

    Joined:
    Apr 19, 2005
    Posts:
    525
    No. You're right.

    http://mail.google.com/support/bin/answer.py?answer=6590&topic=12842

    Even if they are encrypted??

    Ah, found the answer to that one then....


    So why is RAR considered OK then?

    I'm sure I used to get exe file viruses from GMail accounts in the past, but perhaps that was before this scanner was put in place.

    Sorry and apols all round....
     
  11. jmc777

    jmc777 Registered Member

    Joined:
    Aug 6, 2004
    Posts:
    244

    It has an 'Encrypt file names' option.
     
  12. PaulB2005

    PaulB2005 Registered Member

    Joined:
    Apr 19, 2005
    Posts:
    525
    Ah, right. Thanks.
     
  13. Kayracc

    Kayracc Registered Member

    Joined:
    Jul 5, 2008
    Posts:
    96

    7-Zip also works with the .7z format :)
     
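The disagreement above (posts 6 to 13) comes down to one fact about the ZIP format: traditional "password protection" (the PKZIP stream cipher, usually called ZipCrypto) encrypts each member's data but leaves the member names in the plaintext central directory, so a mail scanner can still see that an .exe is inside. The following is an added example, not code from the thread or from ESET: it builds a single-member ZIP protected with the password "infected" using a from-scratch ZipCrypto implementation, walks the central directory without the password to show the name is readable, and then reads the member back through Python's zipfile (which implements ZipCrypto decryption) to prove the archive is genuinely password-protected. The member name, payload bytes and the fixed 11-byte filler in the encryption header are constructed for the demo; real tools use random filler bytes.

```python
"""Added example (not from the thread): build a ZIP protected with the
traditional PKZIP cipher ("ZipCrypto") and password "infected", then show why
a mail scanner can still see an .exe inside it: member names live in the
plaintext central directory. Stdlib only; the payload is a constructed stand-in."""
import io
import struct
import zipfile
import zlib

# Constructed stand-in for the sample; it is not a real executable.
SAMPLE_NAME = "sample.exe"
SAMPLE_DATA = b"MZ" + b"\x90" * 30 + b"harmless placeholder, not a real PE file"

# CRC-32 table (reflected polynomial 0xEDB88320) that the ZipCrypto key schedule uses.
_CRCTAB = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRCTAB.append(_c)


class ZipCrypto:
    """Encrypt side of the traditional PKZIP stream cipher (APPNOTE.TXT section 6.1)."""

    def __init__(self, password: bytes):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for b in password:
            self._update(b)

    def _update(self, b: int) -> None:
        k = self.k
        k[0] = (k[0] >> 8) ^ _CRCTAB[(k[0] ^ b) & 0xFF]
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = (k[2] >> 8) ^ _CRCTAB[(k[2] ^ (k[1] >> 24)) & 0xFF]

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            t = (self.k[2] | 2) & 0xFFFF
            out.append(c ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(c)  # the key schedule advances on the plaintext byte
        return bytes(out)


def build_encrypted_zip(name: str, data: bytes, password: bytes) -> bytes:
    """Single-member, stored (method 0) ZIP with general-purpose flag bit 0 (encrypted) set."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # 12-byte encryption header: 11 filler bytes (fixed here for reproducibility;
    # real tools use random bytes) plus the CRC high byte as the password check byte.
    enc_header = b"\x00" * 11 + bytes([crc >> 24])
    body = ZipCrypto(password).encrypt(enc_header + data)
    fname = name.encode("ascii")
    dos_time, dos_date = 0, ((2008 - 1980) << 9) | (12 << 5) | 20  # 2008-12-20
    local = struct.pack("<4s2B4HL2L2H", b"PK\x03\x04", 20, 0, 1, 0, dos_time, dos_date,
                        crc, len(body), len(data), len(fname), 0) + fname + body
    central = struct.pack("<4s4B4HL2L5H2L", b"PK\x01\x02", 20, 0, 20, 0, 1, 0, dos_time,
                          dos_date, crc, len(body), len(data), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<4s4H2LH", b"PK\x05\x06", 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def central_directory_names(blob: bytes):
    """What a scanner sees without the password: every member name and its encrypted flag."""
    eocd_at = blob.rfind(b"PK\x05\x06")
    _, _, _, _, n_entries, _cd_size, cd_off, _ = struct.unpack("<4s4H2LH", blob[eocd_at:eocd_at + 22])
    names, pos = [], cd_off
    for _ in range(n_entries):
        rec = struct.unpack("<4s4B4HL2L5H2L", blob[pos:pos + 46])
        if rec[0] != b"PK\x01\x02":
            raise ValueError("corrupt central directory")
        flags, name_len, extra_len, comment_len = rec[5], rec[12], rec[13], rec[14]
        names.append((blob[pos + 46:pos + 46 + name_len].decode("cp437"), bool(flags & 1)))
        pos += 46 + name_len + extra_len + comment_len
    return names


def read_member(blob: bytes, name: str, password: bytes) -> bytes:
    """Read a member back through the stdlib, which implements ZipCrypto decryption."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.read(name, pwd=password)


def password_is_correct(blob: bytes, name: str, password: bytes) -> bool:
    """A wrong password fails the 12th-byte check (RuntimeError) or, one time in 256,
    passes it and then fails the CRC (BadZipFile)."""
    try:
        read_member(blob, name, password)
        return True
    except (RuntimeError, zipfile.BadZipFile):
        return False


# The archive the thread is arguing about: one .exe, stored, password "infected".
DEMO_BLOB = build_encrypted_zip(SAMPLE_NAME, SAMPLE_DATA, b"infected")

if __name__ == "__main__":
    print("central directory (no password needed):", central_directory_names(DEMO_BLOB))
    print("opens with 'infected':", password_is_correct(DEMO_BLOB, SAMPLE_NAME, b"infected"))
    print("opens with 'wrong':", password_is_correct(DEMO_BLOB, SAMPLE_NAME, b"wrong"))
```

Running it lists `[('sample.exe', True)]` from the central directory alone, which is exactly what Gmail's attachment check keys on, while the payload itself only comes back with the right password. That is why the RAR and 7z suggestions in the thread work: RAR's `-hp` switch and 7-Zip's `-mhe=on` (the "Encrypt file names" checkbox) move the member names inside the encrypted region, so a scanner sees no names at all. Two caveats a practitioner should keep in mind: ZipCrypto is cryptographically weak (Biham and Kocher's known-plaintext attack recovers the keys from a few hundred bytes of known plaintext), and the fixed password "infected" is a handling convention so that the vendor's analysts can open the archive and so that mail gateways do not detonate it in transit; it is not a confidentiality control.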
  14. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    The writers of the Zlob trojan sometimes release several to half a dozen new variants per day!

    Cleaning systems hit with this requires a shotgun approach of several good tools. I've been using NOD32 and AntiVir as the antivirus products I use in cleaning, combined with other malware removal tools such as MalwareBytes, SuperAntispyware, and Spybot.

    Also, I've been replacing traditional NAT routers at my clients with UTM appliances; the one I've been building and deploying is Untangle. It has a strong spyware blocker, as well as additional antivirus scanning, which I've noticed really has helped PCs behind it stay more problem-free.

    For business networks, IMO, traditional NAT routers are not enough anymore, UTM appliances seem to help with that additional layer of protection for the network.
     
  15. vrshntr

    vrshntr Registered Member

    Joined:
    Dec 20, 2008
    Posts:
    4
    OK, detection is now DONE!
     