Virus Found – Possible Threat “Trojan.Zlob” Undetected in many front line scanner

Once again I have stumbled upon a Possible threat (Trajan Downloader) which is not detected by big guns like Kaspersky / NOD32 (v2 and Beta v3) / Norton / BitDiffender.

File run.exe received on 10.29.2007 11:56:59 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.10.27.0 2007.10.29 -
AntiVir 7.6.0.30 2007.10.29 TR/Dldr.Zlob.dwf
Authentium 4.93.8 2007.10.28 -
Avast 4.7.1074.0 2007.10.28 Win32:Zlob-AFG
AVG 7.5.0.503 2007.10.28 Downloader.Zlob
BitDefender 7.2 2007.10.29 -
CAT-QuickHeal 9.00 2007.10.26 TrojanDownloader.Zlob.gen
ClamAV 0.91.2 2007.10.29 Trojan.Dropper-2557
DrWeb 4.44.0.09170 2007.10.29 -
eSafe 7.0.15.0 2007.10.28 -
eTrust-Vet 31.2.5250 2007.10.29 -
Ewido 4.0 2007.10.28 -
FileAdvisor 1 2007.10.29 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.3.2.48 2007.10.29 -
F-Secure 6.70.13030.0 2007.10.29 -
Ikarus T3.1.1.12 2007.10.29 -
Kaspersky 7.0.0.125 2007.10.29 -
McAfee 5150 2007.10.26 -
Microsoft 1.2908 2007.10.29 -
NOD32v2 2622 2007.10.28 -
Norman 5.80.02 2007.10.26 -
Panda 9.0.0.4 2007.10.28 -
Prevx1 V2 2007.10.29 -
Rising 19.47.02.00 2007.10.29 Trojan.DL.Win32.Zlob.def
Sophos 4.23.0 2007.10.29 Troj/Zlobar-Fam
Sunbelt 2.2.907.0 2007.10.27 -
Symantec 10 2007.10.29 -
TheHacker 6.2.9.110 2007.10.27 -
VBA32 3.12.2.4 2007.10.28 -
VirusBuster 4.3.26:9 2007.10.28 Trojan.DR.Zlob.Gen!Pac.32
Webwasher-Gateway 6.6.1 2007.10.29 Trojan.Dldr.Zlob.dwf
 
Additional information
File size: 102415 bytes
MD5: aa6f7f7a2c7ee6b0981b9c0430370458
SHA1: 720f1122e31665c445a8a32d3f4dee1513054e2d

I am able to attach the file at Yahoo Mail which suggests that Norton scanner fails to detect the threat.

Virus

I am sending the infected files to NOD32 and Kaspersky as only this 2 allows non customers to send sample. In case of norton, there no service in which a non customer can send virus sample !!!

I will update the post when I get any reply from NOD32 or Kaspersky…

Update – (Oct 29, 2007 / IST 19:33 hours)

Its confirm from Kaspersky LAB, they have replied,

Hello.

New malicious software was found in the attached file. Trojan-Downloader.Win32.Zlob.dzz It’s detection will be included in the next update. Thank you for your help.

Please quote all when answering. Do not forget to include you registration data.
—————–
Regards,
Maslennikov Denis
Virus Analyst, Kaspersky Lab.

Ph.: xxxxxx
E-mail: xxxxxx
http://www.kaspersky.com   http://www.viruslist.com

Kaspersky is really quick and fast to act on the possible threat issue, however I am yet to receive any reply from NOD32 (ESET) !!!

Choto Cheeta on October 29, 2007 | Filed Under Computer, Security Software

11 Comments

John  on October 29th, 2007

The AVG is the best among them all ??

anandk  on October 29th, 2007

really surprising to see ‘big guns’ failing…

ravi  on October 29th, 2007

Top paid AV fails………
surprised!!!!

Utsav  on October 29th, 2007

lollzzzz.

Piyush  on October 31st, 2007

Great…………….

Big guns are like….

Piyush  on October 31st, 2007

HO come u scan with alll the AV simltenously :O

nikolaj  on December 23rd, 2007

thnx for the news

ValanBose  on April 15th, 2008

Trojan.Dropper – Its a virus,that could creat a base file under system32 location,whenever computer restarts the file will change and it drop the file in the same location.

ValanBose - Elite Team Vss  on April 15th, 2008

Trojan Zlob\Trojan.Downloader :-
===============================
It may come in an email asking you to check out a movie file or it may seek to push its way to your computer from malicious websites. In both cases a ‘codec’ will be offered in the guise of helping you watch a streaming video, but instead of showing the movie it will install a stealthy Trojan Downloader in your computer. That is Zlob Trojan.

layal  on April 24th, 2008

hi

ValanBose - Elite Team Vss  on May 14th, 2008

* Issue :-
Getting lot of porn websites poping up.
Getting lot of spyware popups.
Does your computer infected with Trojan.Vundo.

* Steps to Fix :-
* Start your comp in safe mode with networking.
* Go to the following location and look the following files if find those files Delete it..

C:\WINDOWS\pskt.ini
C:\WINDOWS\SYSTEM32\DNnVyyay.ini
C:\WINDOWS\SYSTEM32\DNnVyyay.ini2
C:\WINDOWS\system32\lTCfPqru.ini
C:\WINDOWS\SYSTEM32\lTCfPqru.ini2
C:\Documents and Settings\Alan Borson\Application Data\CURITY~1
C:\Documents and Settings\Alan Borson\Application Data\SMBOLS~1
C:\Documents and Settings\Alan Borson\Application Data\SSTEM~1
C:\Documents and Settings\Alan Borson\Application Data\WinIFixer.com
C:\Documents and Settings\Alan Borson\Application Data\WinTouch
C:\Documents and Settings\Alan Borson\Application Data\WinTouch\wintouch.cfg
C:\Documents and Settings\Alan Borson\My Documents\CROSOF~1.NET
C:\Documents and Settings\Alan Borson\My Documents\PPPATC~1
C:\Documents and Settings\Alan Borson\My Documents\PPPATC~1\?ppPatch\
C:\Documents and Settings\Alan Borson\My Documents\PPPATC~1\ati2evxx.exe
C:\Documents and Settings\Alan Borson\My Documents\STEM~1
C:\Documents and Settings\Alan Borson\My Documents\WNSXS~1
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\All Users\Application Data\Rabio
C:\Program Files\JavaCore
C:\Program Files\JavaCore\JavaCore.exe
C:\Program Files\mbols~1
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\Temporary
C:\Program Files\webhancer
C:\Program Files\webhancer\Programs\webhdll.dll
C:\Program Files\webhancer\Programs\whinstaller.exe
C:\WINDOWS\123messenger.per
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\apphelp32.dll
C:\WINDOWS\asferror32.dll
C:\WINDOWS\asycfilt32.dll
C:\WINDOWS\athprxy32.dll
C:\WINDOWS\ati2dvaa32.dll
C:\WINDOWS\ati2dvag32.dll
C:\WINDOWS\audiosrv32.dll
C:\WINDOWS\autodisc32.dll
C:\WINDOWS\avifile32.dll
C:\WINDOWS\avisynthex32.dll
C:\WINDOWS\aviwrap32.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\browserad.dll
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\changeurl_30.dll
C:\WINDOWS\cookies.ini
C:\WINDOWS\default.htm
C:\WINDOWS\didduid.ini
C:\WINDOWS\licencia.txt
C:\WINDOWS\megavid.cdt
C:\WINDOWS\msa64chk.dll
C:\WINDOWS\msapasrc.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\ntnut.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\saiemod.dll
C:\WINDOWS\secure32.html
C:\WINDOWS\shdocpe.dll
C:\WINDOWS\shdocpl.dll
C:\WINDOWS\start.exe
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\SYSTEM32\bedcajcc.ini
C:\WINDOWS\system32\ccjacdeb.dll
C:\WINDOWS\SYSTEM32\DNnVyyay.ini
C:\WINDOWS\SYSTEM32\DNnVyyay.ini2
C:\WINDOWS\system32\fdwpscux.ini
C:\WINDOWS\system32\iqhhytgm.ini
C:\WINDOWS\SYSTEM32\lTCfPqru.ini
C:\WINDOWS\SYSTEM32\lTCfPqru.ini2
C:\WINDOWS\system32\mgtyhhqi.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\tvyknjtf.ini
C:\WINDOWS\system32\xucspwdf.dll
C:\WINDOWS\telefonos.txt
C:\WINDOWS\textos.txt
C:\WINDOWS\voiceip.dll
C:\WINDOWS\Web\default.htt
C:\WINDOWS\winsb.dll
“C:\WINDOWS\system32\yaywuuVn.dll”
C:\WINDOWS\system32\urqPfCTl.dll
C:\WINDOWS\system32\yaywuuVn.dll
C:\WINDOWS\system32\whameprt.dll
* yaywuuVn.dll — This file could be winlogon entry.
* So start > run> type regedit
* Take a backup of registry.
*HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify — check for that file or folder if you find so delete it.
* Search the file under registry also and delete it.
* Now you can look for
c:\program files\…..(any unwanted programs delete it).
* Now you can delete all Temp files and prefetch.
* Empty the recycle bin.
* Restart the computer in normal mode.
* Now try to access the IE check whether you find any poups.
* I hope you wont get any poups..if so let me Know..
i will guide to run some removal tool to fix it..

ValanBose
Vss Elite.

Leave a Comment