From: Virus Guy on 14 Apr 2006 10:15

"David H. Lipman" wrote:
> What you posted, "mediacodec-v4.143.exe", was another in a series of
> new variants of the Zlob Trojan.
> Kaspersky 4.0.2.24 04.14.2006 Trojan-Downloader.Win32.Zlob.li

I uploaded that file to virustotal - but VT has been acting funny lately (for me anyways). After upload, I got a window telling me it would send the results via e-mail. To hell with that. What's up with VT these days?

I then uploaded it to jotti, where NOTHING was found across the board, including Kaspersky.

Jotti does give a nice bit of info about the packers that are used (UPX, PE_PATCH, UPACK in this case) and based on that it does declare the file as suspicious (that, and the fact that sandbox emulation took a long time).
From: David H. Lipman on 14 Apr 2006 10:43

From: "Virus Guy" <Virus(a)Guy.com>
|
| I uploaded that file to virustotal - but VT has been acting funny
| lately (for me anyways). After upload, I got a window telling me it
| would send the results via e-mail. To hell with that. What's up with
| VT these days?
|
| I then uploaded it to jotti, where NOTHING was found across the board,
| including Kaspersky.
|
| Jotti does give a nice bit of info about the packers that are used
| (UPX, PE_PATCH, UPACK in this case) and based on that it does declare
| the file as suspicious (that, and the fact that sandbox emulation took
| a long time).

Yeah, I had problems with the regular web page. However the Beta version of the new web page works fine but the address is not for public consumption. As an alternate...

You can also submit a suspect, one at a time, via the following email URL...
mailto:scan(a)virustotal.com?subject=SCAN

DrWeb 4.33 04.14.2006 Trojan.Favadd
Fortinet 2.71.0.0 04.14.2006 suspicious
Ikarus 0.2.59.0 04.14.2006 Trojan.Favadd
Kaspersky 4.0.2.24 04.14.2006 Trojan-Downloader.Win32.Zlob.li
NOD32v2 1.1489 04.14.2006 Win32/TrojanDownloader.Zlob.LI
Panda 9.0.0.4 04.14.2006 Suspicious file

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
From: Virus Guy on 14 Apr 2006 11:09

"David H. Lipman" wrote:
> Yeah, I had problems with the regular web page. However the Beta
> version of the new web page works fine but the address is not for
> public consumption. As an alternate...

Ok.

I just unpacked mediacodec-v4.143.exe with upx. Original was something like 70kb. Unpacked version is 83,232 bytes.

Looking at the file, it is using the Nullsoft installer (Nullsoft Install System v2.16). Doesn't seem to be any "unpacker" for that type of archive. Lots of internal references to "Thawte" certificates, as well as a reference to "www.media-codec.com" and "www.kas.net.au".

I went back to VT and submitted the unpacked version. I got the "AV scanning has stopped, but we'll send you the results via e-mail so enter your e-mail address here". I entered an address and hit "ok" (or whatever). I immediately got the usual scan-results display page(?!).

Again, nothing found across the board. Only Fortinet said "suspicious".

Why am I seeing nothing, but you're seeing Zlob for this file?
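The clues the post above works from (UPX section names, the "Nullsoft Install System" string in the unpacked file) can be read out of a binary statically before it is ever submitted anywhere. This is an added example, not code from the thread or from any of the tools it mentions: it parses the PE section table with the standard library and reports which of the two markers are present, using a constructed minimal PE image in place of the real sample, which is not on this page.

```python
import struct

UPX_SECTIONS = {"UPX0", "UPX1", "UPX2"}       # section names the UPX packer writes
NSIS_MARKER = b"Nullsoft Install System"      # string the post found in the unpacked file


def pe_section_names(data: bytes) -> list:
    """Read section names from a PE image; return [] if it is not a (complete) PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < e_lfanew + 24:
        return []
    # COFF header follows the signature: NumberOfSections at +6, SizeOfOptionalHeader at +20
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt            # section table starts after the optional header
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40:table + i * 40 + 8]   # each header is 40 bytes, name first
        if len(raw) < 8:
            break                               # truncated table: stop rather than guess
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def triage(data: bytes) -> dict:
    """Static first look: size, section names, and which packer/installer clues are present."""
    names = pe_section_names(data)
    flags = []
    if UPX_SECTIONS & set(names):
        flags.append("upx-packed")              # worth running upx -d before rescanning
    if NSIS_MARKER in data:
        flags.append("nsis-installer")          # NSIS stub: the payload sits in the installer data
    return {"size": len(data), "sections": names, "flags": flags}


def build_sample(section_names, tail=b""):
    """Constructed test image (hypothetical, not the mediacodec sample): DOS header,
    PE signature, COFF header with no optional header, then a bare section table."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + sections + tail


if __name__ == "__main__":
    print(triage(build_sample([b"UPX0", b"UPX1", b".rsrc"])))
    print(triage(build_sample([b".text", b".data"], tail=NSIS_MARKER + b" v2.16")))
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `triage`; a UPX hit on the original and an NSIS hit on the unpacked copy is exactly the sequence the post describes.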
From: David H. Lipman on 14 Apr 2006 14:22

From: "Virus Guy" <Virus(a)Guy.com>
|
| Ok.
|
| I just unpacked mediacodec-v4.143.exe with upx. Original was
| something like 70kb. Unpacked version is 83,232 bytes.
|
| Looking at the file, it is using the Nullsoft installer (Nullsoft
| Install System v2.16). Doesn't seem to be any "unpacker" for that
| type of archive. Lots of internal references to "Thawte"
| certificates, as well as a reference to "www.media-codec.com" and
| "www.kas.net.au".
|
| I went back to VT and submitted the unpacked version. I got the "AV
| scanning has stopped, but we'll send you the results via e-mail so
| enter your e-mail address here". I entered an address and hit "ok"
| (or whatever). I immediately got the usual scan-results display
| page(?!).
|
| Again, nothing found across the board. Only Fortinet said
| "suspicious".
|
| Why am I seeing nothing, but you're seeing Zlob for this file?

I don't know. However I know that this use of so-called CODECS is the recent ploy to get people infected with the Zlob Trojan which will in turn get the SmitFraud Trojan family installed; SpyAxe, SpyStriker, SpywareQuake, etc. Many new variants are being deployed on a regular basis.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
From: pOTRice on 17 Apr 2006 09:56

I have now carried out the procedures you recommended and here is the report . .

Virus Scan Report File
--------------------------------------------------------------------------------
Virus Scan Information
--------------------------------------------------------------------------------
McAfee VirusScan for Win32 v4.40.0
Copyright (c) 1992-2004 Networks Associates Technology Inc.
All rights reserved. (408) 988-3832
LICENSED COPY - Sep 23 2004
Scan engine v4.4.00 for Win32.
Virus data file v4741 created Apr 14 2006
Scanning for 186744 viruses, trojans and variants.
--------------------------------------------------------------------------------
Virus Scan Results
--------------------------------------------------------------------------------
04/14/2006 23:30:59
Options: /ADL /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL /DEL /PROGRAM /EXCLUDE C:\MCAFEE\EXCLIST.TXT /HTML C:\MCAFEE\NORMAL_SCANREPORT.HTML
Scanning C: [Main]
Scanning C:\*.*
C:\Documents and Settings\Administrator\My Documents\Installers\USB under DOS\LeakTest.exe ... Found potentially unwanted program LeakTest. The file or process has been deleted.
C:\Documents and Settings\Administrator\My Documents\Installers\USB under DOS\xpkeys.zip\KEYFIND.EXE\OFFICEKEY.EXE ... Found potentially unwanted program Generic PUP.a.
C:\Documents and Settings\Administrator\My Documents\Installers\USB under DOS\zerocmos.zip\KILLCMOS.COM ... Found the KillCMOS.a trojan !!!
C:\Documents and Settings\Administrator\My Documents\Installers\USB under DOS\zerocmos.zip\DUMPCMOS.COM ... Found potentially unwanted program KillCMOS.h.

Summary report on C:\*.*
File(s)
Total files: ........... 55422
Clean: ................. 55151
Possibly Infected: ..... 1
Cleaned: ............... 0
Deleted: ............... 1
Non-critical Error(s): 2
Master Boot Record(s): ......... 1
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0

Scanning D: [BACKUP]
Scanning D:\*.*
D:\060205_256A\LeakTest.exe ... Found potentially unwanted program LeakTest. The file or process has been deleted.

Summary report on D:\*.*
File(s)
Total files: ........... 4544
Clean: ................. 4538
Possibly Infected: ..... 0
Cleaned: ............... 0
Deleted: ............... 1
Non-critical Error(s): 1
Master Boot Record(s): ......... 1
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0

Time: 00:31.49

I was disappointed that this did not result in the deletion of the offending EXE - dfrgsrv. However, it did get rid of the Registry key.

I noticed that it deleted LeakTest which I would have thought should have been recognised as the well known firewall test program from the "Shields Up" site. Is this another example of rivalry between the various Anti-Virus tool writers? I remember that Norton insisted that my AVG Pro-protected PC had no existing virus protection!

Anyway - panic over - many thanks for all your help - I'll be more careful next time. It's almost got to the point where you need a 'clone' PC to experiment with before risking the security of your 'real' PC.

pOTRice

On Fri, 14 Apr 2006 12:24:17 GMT, "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:

>From: "pOTRice" <potriceReMoVe(a)tHiSboltblue.com>
>
>| Sorry to be a pain - I found your comment about "LIVE pc" a bit
>| ambiguous . .
>|
>| Have I done all that is needed to rid my PC of Zlob (removing Reg
>| entry and the EXE it triggers) or do I still need to run the
>| procedures you recommended?
>|
>| Thanks for your tip about obfuscating the URL - I'm so paranoid about
>| my own safety I forgot about the danger I might cause to others.
>|
>
>What I mean by a live PC is booting the affected PC and then running the utilities on that
>PC.
>Basically, running the PC "live".