"ZeuS/ZBot" not detected by NOD32 ?

Discussion in 'ESET NOD32 Antivirus' started by wolliballa, Feb 1, 2013.

Thread Status:
Not open for further replies.
  1. wolliballa

    wolliballa Registered Member

    Joined:
    Nov 9, 2011
    Posts:
    90
    Location:
    Germany
    A customer of mine received a complaint from his ISP that his network (<> 5 clients, all running NOD32 AV, various versions from 4.0 to 5.0) is proven to be infected by "ZeuS/ZBot" (referencing an external IP and time stamp).
    Could it indeed be that one of the clients got infected and has not been protected against this 'old' malware?
     
  2. manak

    manak Registered Member

    Joined:
    Aug 12, 2012
    Posts:
    78
    There are many new variants every day. Variations of Zeus Trojans are often missed by NOD32 AV (other anti-virus products too).
     
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    The variants I often come across are usually detected by ESET only :) It's a matter of fact that no security solution protects against 100% of threats. If you suspect that a computer is infected, create a SysInspector log (via the Start menu) and submit it to ESET as per the instructions here.
    Another thing is that the antivirus product must not be misconfigured in order to detect threats. I've run into cases when users had the Windows folder excluded from scanning and were wondering why ESET didn't detect any threat.
     
  4. wolliballa

    wolliballa Registered Member

    Joined:
    Nov 9, 2011
    Posts:
    90
    Location:
    Germany
    I'm not yet fully through the line, but Malwarebytes at least reported one infection on one client (registry manipulation PUM.Hijack.TaskManager). (As far as possible, all clients are also scanned via a standalone Unix-based Avira / Bitdefender combination; 3 error-free so far.)
    No exclusions, all definitions up to date, NOD32 between 4.0 and 5.0.

    Update: None of the clients showed any infections over the last 8 weeks in their logs.
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    According to what you have written, it looks like there's no malicious file on the disk or it's not detected by any of the security solutions you've tried. I'd suggest submitting a SysInspector log to ESET for analysis. You can also try running ESET Rogue Application Remover (in normal mode with Internet connection).
     
  6. wolliballa

    wolliballa Registered Member

    Joined:
    Nov 9, 2011
    Posts:
    90
    Location:
    Germany
    We now have one client which is suspected to be the cause.
    Malwarebytes scan:
    Infizierte Dateien: 4
    C:\Users\Lisa\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57\249f56b9-14132c71 (Trojan.Agent.ED) -> Erfolgreich gelöscht und in Quarantäne gestellt.
    C:\Users\Lisa\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\6ddeaafa-2d9b04f0 (Trojan.FakeMS) -> Erfolgreich gelöscht und in Quarantäne gestellt.
    C:\Users\Lisa\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\6ddeaafa-4c42c25f (Trojan.FakeMS) -> Erfolgreich gelöscht und in Quarantäne gestellt.
    C:\Users\Lisa\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\6ddeaafa-7a5a75e0 (Trojan.FakeMS) -> Erfolgreich gelöscht und in Quarantäne gestellt.

    (Ende)

    For the files NOD32 had already quarantined previously, see the screenshot.
    The attached SysInspector .log is actually a .zip file!!

    Can we assume that the machine is now clean? Updated to version 6.0, no other issues found so far.