Virus Found - Possible Threat “Trojan.Zlob” Undetected in many front line scanner
Once again I have stumbled upon a Possible threat (Trajan Downloader) which is not detected by big guns like Kaspersky / NOD32 (v2 and Beta v3) / Norton / BitDiffender.
| File run.exe received on 10.29.2007 11:56:59 (CET) | |||
| Antivirus | Version | Last Update | Result |
| AhnLab-V3 | 2007.10.27.0 | 2007.10.29 | - |
| AntiVir | 7.6.0.30 | 2007.10.29 | TR/Dldr.Zlob.dwf |
| Authentium | 4.93.8 | 2007.10.28 | - |
| Avast | 4.7.1074.0 | 2007.10.28 | Win32:Zlob-AFG |
| AVG | 7.5.0.503 | 2007.10.28 | Downloader.Zlob |
| BitDefender | 7.2 | 2007.10.29 | - |
| CAT-QuickHeal | 9.00 | 2007.10.26 | TrojanDownloader.Zlob.gen |
| ClamAV | 0.91.2 | 2007.10.29 | Trojan.Dropper-2557 |
| DrWeb | 4.44.0.09170 | 2007.10.29 | - |
| eSafe | 7.0.15.0 | 2007.10.28 | - |
| eTrust-Vet | 31.2.5250 | 2007.10.29 | - |
| Ewido | 4.0 | 2007.10.28 | - |
| FileAdvisor | 1 | 2007.10.29 | - |
| Fortinet | 3.11.0.0 | 2007.10.19 | - |
| F-Prot | 4.3.2.48 | 2007.10.29 | - |
| F-Secure | 6.70.13030.0 | 2007.10.29 | - |
| Ikarus | T3.1.1.12 | 2007.10.29 | - |
| Kaspersky | 7.0.0.125 | 2007.10.29 | - |
| McAfee | 5150 | 2007.10.26 | - |
| Microsoft | 1.2908 | 2007.10.29 | - |
| NOD32v2 | 2622 | 2007.10.28 | - |
| Norman | 5.80.02 | 2007.10.26 | - |
| Panda | 9.0.0.4 | 2007.10.28 | - |
| Prevx1 | V2 | 2007.10.29 | - |
| Rising | 19.47.02.00 | 2007.10.29 | Trojan.DL.Win32.Zlob.def |
| Sophos | 4.23.0 | 2007.10.29 | Troj/Zlobar-Fam |
| Sunbelt | 2.2.907.0 | 2007.10.27 | - |
| Symantec | 10 | 2007.10.29 | - |
| TheHacker | 6.2.9.110 | 2007.10.27 | - |
| VBA32 | 3.12.2.4 | 2007.10.28 | - |
| VirusBuster | 4.3.26:9 | 2007.10.28 | Trojan.DR.Zlob.Gen!Pac.32 |
| Webwasher-Gateway | 6.6.1 | 2007.10.29 | Trojan.Dldr.Zlob.dwf |
| Additional information | |||
| File size: 102415 bytes | |||
| MD5: aa6f7f7a2c7ee6b0981b9c0430370458 | |||
| SHA1: 720f1122e31665c445a8a32d3f4dee1513054e2d | |||
I am able to attach the file at Yahoo Mail which suggests that Norton scanner fails to detect the threat.
I am sending the infected files to NOD32 and Kaspersky as only this 2 allows non customers to send sample. In case of norton, there no service in which a non customer can send virus sample !!!
I will update the post when I get any reply from NOD32 or Kaspersky…
Update - (Oct 29, 2007 / IST 19:33 hours)
Its confirm from Kaspersky LAB, they have replied,
Hello.
New malicious software was found in the attached file. Trojan-Downloader.Win32.Zlob.dzz It’s detection will be included in the next update. Thank you for your help.
Please quote all when answering. Do not forget to include you registration data.
—————–
Regards,
Maslennikov Denis
Virus Analyst, Kaspersky Lab.Ph.: xxxxxx
E-mail: xxxxxx
http://www.kaspersky.com http://www.viruslist.com
Kaspersky is really quick and fast to act on the possible threat issue, however I am yet to receive any reply from NOD32 (ESET) !!!
John said
am October 29 2007 @ 12:20 pm
The AVG is the best among them all ??
anandk said
am October 29 2007 @ 12:33 pm
really surprising to see ‘big guns’ failing…
ravi said
am October 29 2007 @ 2:04 pm
Top paid AV fails………
surprised!!!!
Utsav said
am October 29 2007 @ 3:44 pm
lollzzzz.
Piyush said
am October 31 2007 @ 9:49 am
Great…………….
Big guns are like….
Piyush said
am October 31 2007 @ 9:50 am
HO come u scan with alll the AV simltenously :O
nikolaj said
am December 23 2007 @ 3:43 pm
thnx for the news
ValanBose said
am April 15 2008 @ 4:39 pm
Trojan.Dropper - Its a virus,that could creat a base file under system32 location,whenever computer restarts the file will change and it drop the file in the same location.
ValanBose - Elite Team Vss said
am April 15 2008 @ 4:45 pm
Trojan Zlob\Trojan.Downloader :-
===============================
It may come in an email asking you to check out a movie file or it may seek to push its way to your computer from malicious websites. In both cases a ‘codec’ will be offered in the guise of helping you watch a streaming video, but instead of showing the movie it will install a stealthy Trojan Downloader in your computer. That is Zlob Trojan.
layal said
am April 24 2008 @ 2:14 pm
hi
ValanBose - Elite Team Vss said
am May 14 2008 @ 7:50 pm
* Issue :-
Getting lot of porn websites poping up.
Getting lot of spyware popups.
Does your computer infected with Trojan.Vundo.
* Steps to Fix :-
* Start your comp in safe mode with networking.
* Go to the following location and look the following files if find those files Delete it..
C:\WINDOWS\pskt.ini
C:\WINDOWS\SYSTEM32\DNnVyyay.ini
C:\WINDOWS\SYSTEM32\DNnVyyay.ini2
C:\WINDOWS\system32\lTCfPqru.ini
C:\WINDOWS\SYSTEM32\lTCfPqru.ini2
C:\Documents and Settings\Alan Borson\Application Data\CURITY~1
C:\Documents and Settings\Alan Borson\Application Data\SMBOLS~1
C:\Documents and Settings\Alan Borson\Application Data\SSTEM~1
C:\Documents and Settings\Alan Borson\Application Data\WinIFixer.com
C:\Documents and Settings\Alan Borson\Application Data\WinTouch
C:\Documents and Settings\Alan Borson\Application Data\WinTouch\wintouch.cfg
C:\Documents and Settings\Alan Borson\My Documents\CROSOF~1.NET
C:\Documents and Settings\Alan Borson\My Documents\PPPATC~1
C:\Documents and Settings\Alan Borson\My Documents\PPPATC~1\?ppPatch\
C:\Documents and Settings\Alan Borson\My Documents\PPPATC~1\ati2evxx.exe
C:\Documents and Settings\Alan Borson\My Documents\STEM~1
C:\Documents and Settings\Alan Borson\My Documents\WNSXS~1
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\All Users\Application Data\Rabio
C:\Program Files\JavaCore
C:\Program Files\JavaCore\JavaCore.exe
C:\Program Files\mbols~1
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\Temporary
C:\Program Files\webhancer
C:\Program Files\webhancer\Programs\webhdll.dll
C:\Program Files\webhancer\Programs\whinstaller.exe
C:\WINDOWS\123messenger.per
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\apphelp32.dll
C:\WINDOWS\asferror32.dll
C:\WINDOWS\asycfilt32.dll
C:\WINDOWS\athprxy32.dll
C:\WINDOWS\ati2dvaa32.dll
C:\WINDOWS\ati2dvag32.dll
C:\WINDOWS\audiosrv32.dll
C:\WINDOWS\autodisc32.dll
C:\WINDOWS\avifile32.dll
C:\WINDOWS\avisynthex32.dll
C:\WINDOWS\aviwrap32.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\browserad.dll
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\changeurl_30.dll
C:\WINDOWS\cookies.ini
C:\WINDOWS\default.htm
C:\WINDOWS\didduid.ini
C:\WINDOWS\licencia.txt
C:\WINDOWS\megavid.cdt
C:\WINDOWS\msa64chk.dll
C:\WINDOWS\msapasrc.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\ntnut.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\saiemod.dll
C:\WINDOWS\secure32.html
C:\WINDOWS\shdocpe.dll
C:\WINDOWS\shdocpl.dll
C:\WINDOWS\start.exe
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\SYSTEM32\bedcajcc.ini
C:\WINDOWS\system32\ccjacdeb.dll
C:\WINDOWS\SYSTEM32\DNnVyyay.ini
C:\WINDOWS\SYSTEM32\DNnVyyay.ini2
C:\WINDOWS\system32\fdwpscux.ini
C:\WINDOWS\system32\iqhhytgm.ini
C:\WINDOWS\SYSTEM32\lTCfPqru.ini
C:\WINDOWS\SYSTEM32\lTCfPqru.ini2
C:\WINDOWS\system32\mgtyhhqi.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\tvyknjtf.ini
C:\WINDOWS\system32\xucspwdf.dll
C:\WINDOWS\telefonos.txt
C:\WINDOWS\textos.txt
C:\WINDOWS\voiceip.dll
C:\WINDOWS\Web\default.htt
C:\WINDOWS\winsb.dll
“C:\WINDOWS\system32\yaywuuVn.dll”
C:\WINDOWS\system32\urqPfCTl.dll
C:\WINDOWS\system32\yaywuuVn.dll
C:\WINDOWS\system32\whameprt.dll
* yaywuuVn.dll — This file could be winlogon entry.
* So start > run> type regedit
* Take a backup of registry.
*HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify — check for that file or folder if you find so delete it.
* Search the file under registry also and delete it.
* Now you can look for
c:\program files\…..(any unwanted programs delete it).
* Now you can delete all Temp files and prefetch.
* Empty the recycle bin.
* Restart the computer in normal mode.
* Now try to access the IE check whether you find any poups.
* I hope you wont get any poups..if so let me Know..
i will guide to run some removal tool to fix it..
ValanBose
Vss Elite.