Haven't seen a Zlob link for a few weeks

Until tonight anyway.

hxxp://xxx.activexmediasource.com/download/setupmedia.1645.exe

Virus total has two vendors ID it, two others 'suspicious'

AntiVir    7.3.0.26  DR/Zlob.Gen
BitDefender 7.2  Trojan.Downloader.Zlob.AKJ
eSafe  7.0.14.0  suspicious Trojan/Worm
Fortinet  2.82.0.0  suspicious


Re: Haven't seen a Zlob link for a few weeks


| Until tonight anyway.
|
| activexmediasource.com
|

Thanx.  That's a new one.

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com

Domain Name: ACTIVEXMEDIASOURCE.COM

Registrant:
    vl ltd
    Von Linstow        (wm@sitekeymaker.com)
    Dalbergsgade 7
    Viborg
    null,8800
    DK
    Tel. +045.26881927

Creation Date: 17-Jan-2007
Expiration Date: 17-Jan-2008



So is this one...


Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com

Domain Name: VIDEOACTIVEXSOFTWARE.COM

Registrant:
    AXV
    Ase Traving        (at@activexvideo.com)
    Figenvej 125
    Nustved
    null,4700
    DK
    Tel. +045.26468496

Creation Date: 17-Jan-2007
Expiration Date: 17-Jan-2008



videoactivexsoftware.com

Complete scanning result of "setupvax.exe", processed in VirusTotal at 01/20/2007 05:11:22 (CET).

[ file data ]
* name: setupvax.exe
* size: 60720
* md5.: 759b8fb8b9f0ede2f0689b7eec750a68
* sha1: ba9bd46ccefe625080eff11994c8805a93753f46

[ scan result ]
AntiVir 7.3.0.26/20070120 found [DR/Zlob.Gen]
BitDefender 7.2/20070120 found [Trojan.Zlob.IN]
eSafe 7.0.14.0/20070120 found [suspicious Trojan/Worm]
Fortinet 2.82.0.0/20070119 found [suspicious]
Prevx1 V2/20070120 found [Malicious]

[ notes ]
packers: UPX
packers: UPX, BINARYRES, BINARYRES
packers: UPX
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=bca071748737


Right now there are MORE DNSChanger sites than ZLob installer sites.  All owned by the same group and all registered through ESTDOMAINS INC

NOTE:  The email addresses of the registered owners of the sites point to OTHER sites as well.

I have quite an extensive list of both active and closed sites.  Email me and I'll provide it to you.  I don't want to post it publicly.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Haven't seen a Zlob link for a few weeks

On Sat, 20 Jan 2007 04:32:58 GMT, "David H. Lipman"



Here's a vt result on the file that's now up there:
******************************************
Complete scanning result of "setupmedia.1645.exe", received in
VirusTotal at 01.20.2007, 12:07:54 (CET).

Antivirus    Version    Update    Result
AntiVir    7.3.0.26    01.20.2007    DR/Zlob.Gen
Authentium    4.93.8    01.20.2007    no virus found
Avast    4.7.936.0    01.18.2007    no virus found
AVG    386    01.19.2007    no virus found
BitDefender    7.2    01.20.2007    no virus found
CAT-QuickHeal    9.00    01.20.2007    no virus found
ClamAV    devel-20060426    01.20.2007    no virus found
DrWeb    4.33    01.20.2007    no virus found
eSafe    7.0.14.0    01.20.2007    suspicious Trojan/Worm
eTrust-InoculateIT    23.73.118    01.20.2007    no virus found
eTrust-Vet    30.3.3336    01.19.2007    no virus found
Ewido    4.0    01.19.2007    no virus found
Fortinet    2.82.0.0    01.20.2007    suspicious
F-Prot    3.16f    01.20.2007    no virus found
F-Prot4    4.2.1.29    01.19.2007    no virus found
Ikarus    T3.1.0.27    01.09.2007    no virus found
Kaspersky    4.0.2.24    01.20.2007    no virus found
McAfee    4943    01.19.2007    no virus found
Microsoft    1.1904    01.20.2007    no virus found
NOD32v2    1992    01.20.2007    no virus found
Norman    5.80.02    01.19.2007    no virus found
Panda    9.0.0.4    01.20.2007    no virus found
Prevx1    V2    01.20.2007    no virus found
Sophos    4.13.0    01.20.2007    no virus found
Sunbelt    2.2.907.0    01.12.2007    no virus found
TheHacker    6.0.3.151    01.19.2007    no virus found
UNA    1.83    01.19.2007    no virus found
VBA32    3.11.2    01.19.2007    no virus found
VirusBuster    4.3.19:9    01.20.2007    no virus found

Aditional Information
File size: 60745 bytes
MD5: a4641aea1f9e2e0e46ecaae7abaa801c
SHA1: 911d642c1c0d9d21ae872361d71e497c9b33b947
packers: UPX
packers: UPX, BINARYRES, BINARYRES
packers: UPX
******************************
Looks like another case of musical chairs. Note it's now a different
file and Bit Defender doesn't alert.

Art
http://home.epix.net/~artnpeg
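To make the "musical chairs" comparison above repeatable, here is an added Python example (not code from this thread, from VirusTotal, or from any of the posters) that parses both legacy VirusTotal text formats quoted in the thread, pulls out the MD5, and diffs per-vendor verdicts between two reports. The two report excerpts embedded in it are constructed from the vendor lines quoted in the posts (clean vendors trimmed for brevity); the regular expressions and function names are my own assumptions about the text layout, not any VirusTotal API.

```python
import re

# Legacy VirusTotal "found" format: "AntiVir 7.3.0.26/20070120 found [DR/Zlob.Gen]"
FOUND_RE = re.compile(r"^(\S+)\s+\S+/\d{8}\s+found\s+\[(.*)\]$")
# Legacy tabular format: "AntiVir    7.3.0.26    01.20.2007    DR/Zlob.Gen"
TABLE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+)$")
# "* md5.: <hex>" in the older format, "MD5: <hex>" in the newer one
MD5_RE = re.compile(r"^\*?\s*md5\.?:\s*([0-9a-f]{32})$", re.IGNORECASE)

# Constructed excerpts of the two reports quoted in this thread: the vendor
# lines are copied from the posts, the list of clean vendors is trimmed.
REPORT_SETUPVAX = """\
[ file data ]
* name: setupvax.exe
* md5.: 759b8fb8b9f0ede2f0689b7eec750a68

[ scan result ]
AntiVir 7.3.0.26/20070120 found [DR/Zlob.Gen]
BitDefender 7.2/20070120 found [Trojan.Zlob.IN]
eSafe 7.0.14.0/20070120 found [suspicious Trojan/Worm]
Fortinet 2.82.0.0/20070119 found [suspicious]
Prevx1 V2/20070120 found [Malicious]
"""

REPORT_SETUPMEDIA = """\
Antivirus    Version    Update    Result
AntiVir    7.3.0.26    01.20.2007    DR/Zlob.Gen
Authentium    4.93.8    01.20.2007    no virus found
BitDefender    7.2    01.20.2007    no virus found
eSafe    7.0.14.0    01.20.2007    suspicious Trojan/Worm
Fortinet    2.82.0.0    01.20.2007    suspicious
Kaspersky    4.0.2.24    01.20.2007    no virus found
Prevx1    V2    01.20.2007    no virus found
Sophos    4.13.0    01.20.2007    no virus found

Aditional Information
File size: 60745 bytes
MD5: a4641aea1f9e2e0e46ecaae7abaa801c
"""


def parse_report(text):
    """Return (md5, {vendor: verdict}); verdict is None when the vendor saw nothing.
    The old format lists only vendors that fired, so absent vendors are unknown."""
    md5, verdicts = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = MD5_RE.match(line)
        if m:
            md5 = m.group(1).lower()
            continue
        m = FOUND_RE.match(line)
        if m:
            verdicts[m.group(1)] = m.group(2).strip()
            continue
        m = TABLE_RE.match(line)
        if m:
            result = m.group(4).strip()
            verdicts[m.group(1)] = None if result.lower() == "no virus found" else result
    return md5, verdicts


def detection_rate(verdicts):
    """(vendors that fired, vendors listed) for a report that lists every vendor."""
    return sum(1 for v in verdicts.values() if v), len(verdicts)


def by_name(names):
    return sorted(names, key=str.lower)


def compare(old_text, new_text):
    """Which vendors kept, lost or gained coverage between two samples of one campaign."""
    old_md5, old = parse_report(old_text)
    new_md5, new = parse_report(new_text)
    return {
        "same_file": old_md5 is not None and old_md5 == new_md5,
        "kept": by_name(v for v in old if old[v] and new.get(v)),
        "lost": by_name(v for v in old if old[v] and v in new and not new[v]),
        "gained": by_name(v for v in new if new[v] and v in old and not old[v]),
        # fired in one report but not listed at all in the other: unknown, not lost
        "untested": by_name([v for v in old if old[v] and v not in new]
                            + [v for v in new if new[v] and v not in old]),
    }


if __name__ == "__main__":
    for key, value in compare(REPORT_SETUPVAX, REPORT_SETUPMEDIA).items():
        print("%-10s %s" % (key, value))
```

Run on the two excerpts it reports a different MD5, three vendors that kept firing (AntiVir, eSafe, Fortinet) and two that went quiet on the new file (BitDefender, Prevx1), which is exactly the pattern the thread is tracking by hand. The "untested" bucket matters for the older report format, which only prints vendors that fired: a vendor missing from it cannot be counted as a miss.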

Re: Haven't seen a Zlob link for a few weeks


| On Sat, 20 Jan 2007 04:32:58 GMT, "David H. Lipman"
|
|
| Here's a vt result on the file that's now up there:
| ******************************************
| Complete scanning result of "setupmedia.1645.exe", received in
| VirusTotal at 01.20.2007, 12:07:54 (CET).
|
| Antivirus Version Update Result
| AntiVir 7.3.0.26 01.20.2007 DR/Zlob.Gen
| Authentium 4.93.8 01.20.2007 no virus found
| Avast 4.7.936.0 01.18.2007 no virus found
| AVG 386 01.19.2007 no virus found
| BitDefender 7.2 01.20.2007 no virus found
| CAT-QuickHeal 9.00 01.20.2007 no virus found
| ClamAV devel-20060426 01.20.2007 no virus found
| DrWeb 4.33 01.20.2007 no virus found
| eSafe 7.0.14.0 01.20.2007 suspicious Trojan/Worm
| eTrust-InoculateIT 23.73.118 01.20.2007 no virus found
| eTrust-Vet 30.3.3336 01.19.2007 no virus found
| Ewido 4.0 01.19.2007 no virus found
| Fortinet 2.82.0.0 01.20.2007 suspicious
| F-Prot 3.16f 01.20.2007 no virus found
| F-Prot4 4.2.1.29 01.19.2007 no virus found
| Ikarus T3.1.0.27 01.09.2007 no virus found
| Kaspersky 4.0.2.24 01.20.2007 no virus found
| McAfee 4943 01.19.2007 no virus found
| Microsoft 1.1904 01.20.2007 no virus found
| NOD32v2 1992 01.20.2007 no virus found
| Norman 5.80.02 01.19.2007 no virus found
| Panda 9.0.0.4 01.20.2007 no virus found
| Prevx1 V2 01.20.2007 no virus found
| Sophos 4.13.0 01.20.2007 no virus found
| Sunbelt 2.2.907.0 01.12.2007 no virus found
| TheHacker 6.0.3.151 01.19.2007 no virus found
| UNA 1.83 01.19.2007 no virus found
| VBA32 3.11.2 01.19.2007 no virus found
| VirusBuster 4.3.19:9 01.20.2007 no virus found
|
| Aditional Information
| File size: 60745 bytes
| MD5: a4641aea1f9e2e0e46ecaae7abaa801c
| SHA1: 911d642c1c0d9d21ae872361d71e497c9b33b947
| packers: UPX
| packers: UPX, BINARYRES, BINARYRES
| packers: UPX
| ******************************
| Looks like another case of musical chairs. Note it's now a different
| file and Bit Defender doesn't alert.
|
| Art
| http://home.epix.net/~artnpeg


That's been the motive of these guys.  They are generating new ZLob variants on an almost daily basis.  They are creating new web sites all the time.  It is hard keeping up with them!

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Haven't seen a Zlob link for a few weeks

"David H. Lipman" wrote:


What is this BINARYRES packer? I can't find any description of it --
the only hits are from Virustotal scans.

Perhaps it's not an exe packer, but just indicates unusual resource
blocks in the file.



Re: Haven't seen a Zlob link for a few weeks


| "David H. Lipman" wrote:
|
|
| What is this BINARYRES packer? I can't find any description of it --
| the only hits are from Virustotal scans.
|
| Perhaps it's not an exe packer, but just indicates unusual resource
| blocks in the file.
|

Good question.  I'll ask around.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Haven't seen a Zlob link for a few weeks


| "David H. Lipman" wrote:


| What is this BINARYRES packer? I can't find any description of it --
| the only hits are from Virustotal scans.

| Perhaps it's not an exe packer, but just indicates unusual resource
| blocks in the file.


This is what I got back...

"Usually binaryes means it contains embedded file(s)"

and...

"DrWeb is using the term BINARYRES ... for Embedded files ... in general, for every exe or dll that contains other files."

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
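Since "BINARYRES" turns out to mean "this executable carries other files inside it", here is an added Python example (not code from this thread, from DrWeb or from VirusTotal) that performs that check directly: it walks a PE file's resource directory using nothing but struct and flags any resource whose first bytes are an executable or archive signature, which is the property a scanner summarises as "embedded file(s)". The field offsets follow the PE/COFF format; build_sample_pe is a constructed, non-loadable PE32 image used only so the example runs offline, and the RT_RCDATA type id plus the resource and language ids it uses are assumptions for the sample.

```python
import struct

# Signatures worth flagging when they appear at the start of a resource blob.
EXEC_MAGICS = {b"MZ": "DOS/PE executable", b"\x7fELF": "ELF executable", b"PK\x03\x04": "ZIP archive"}


def _rva_to_offset(sections, rva):
    """Map a relative virtual address to a file offset via the section table."""
    for vsize, vaddr, raw_size, raw_ptr in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def resource_blobs(pe):
    """Walk the PE resource tree; return [(path, data)] for every leaf resource.
    path is the (type, name, language) tuple of raw entry ids; named entries keep
    their string-offset value (high bit set) instead of being resolved to text."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_off = opt + (96 if magic == 0x10B else 112)        # PE32 vs PE32+ data directories
    rsrc_rva = struct.unpack_from("<I", pe, dd_off + 2 * 8)[0]  # directory entry 2 = resources
    # (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section header
    sections = [struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8) for i in range(nsections)]
    if rsrc_rva == 0:
        return []
    base = _rva_to_offset(sections, rsrc_rva)
    blobs = []

    def walk(dir_off, path):
        n_named, n_id = struct.unpack_from("<HH", pe, dir_off + 12)
        for i in range(n_named + n_id):
            ident, off = struct.unpack_from("<II", pe, dir_off + 16 + 8 * i)
            if off & 0x80000000:                            # subdirectory
                walk(base + (off & 0x7FFFFFFF), path + (ident,))
            else:                                           # IMAGE_RESOURCE_DATA_ENTRY
                data_rva, size = struct.unpack_from("<II", pe, base + off)
                data_off = _rva_to_offset(sections, data_rva)
                blobs.append((path + (ident,), pe[data_off:data_off + size]))

    walk(base, ())
    return blobs


def embedded_executables(pe):
    """Resources that look like a file of their own: (path, size, label) per hit."""
    hits = []
    for path, data in resource_blobs(pe):
        for sig, label in EXEC_MAGICS.items():
            if data.startswith(sig):
                hits.append((path, len(data), label))
    return hits


def build_sample_pe(payload):
    """Constructed, not loadable: a minimal PE32 with one RCDATA resource (id 101,
    lang 0x409) holding `payload`, just enough structure for the walker above."""
    RT_RCDATA, rsrc_rva, raw_ptr = 10, 0x2000, 0x200
    type_dir, name_dir, data_entry, data = 24, 48, 72, 88   # offsets inside .rsrc
    rsrc = (struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1) + struct.pack("<II", RT_RCDATA, 0x80000000 | type_dir)
            + struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1) + struct.pack("<II", 101, 0x80000000 | name_dir)
            + struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1) + struct.pack("<II", 0x409, data_entry)
            + struct.pack("<IIII", rsrc_rva + data, len(payload), 0, 0) + payload)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    datadirs = [(0, 0)] * 16
    datadirs[2] = (rsrc_rva, len(rsrc))
    opt = struct.pack("<H", 0x10B) + b"\0" * 94 + b"".join(struct.pack("<II", *d) for d in datadirs)
    sect = b".rsrc".ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(rsrc), rsrc_rva, len(rsrc), raw_ptr, 0, 0, 0, 0, 0x40000040)
    return (dos + b"PE\0\0" + coff + opt + sect).ljust(raw_ptr, b"\0") + rsrc


if __name__ == "__main__":
    for path, size, label in embedded_executables(build_sample_pe(b"MZ" + b"\x90" * 100)):
        print("resource %s: %d bytes, %s" % (path, size, label))
```

On a real file, `embedded_executables(open(path, "rb").read())` gives the same tuples; a dropper that unpacks a second executable from its resources will show an "MZ" hit under type 10 (RCDATA) or a custom type id, which is the cheap, signature-independent triage check the BINARYRES note is pointing at. An installer that legitimately ships a nested setup program trips it too, so treat a hit as a reason to look closer rather than a verdict.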



Re: Haven't seen a Zlob link for a few weeks

"David H. Lipman" wrote:



Thanks. I suspected it wasn't the name of a particular packer.



Re: Haven't seen a Zlob link for a few weeks

On this special day, Duh_OZ wrote:



I don't know if they are from the same source, but there is some
similar spam targeting German recipients, too.

http://www.heise.de/bilder/84000/0/1

If you click on one of the XXX-rated pictures on the page, in order to
see the video, a popup asks you to install a DivX plugin and a Flash
plugin, both of which are not recognized by most AV scanners.

http://www.heise.de/bilder/84000/1/1
http://www.heise.de/bilder/84000/2/1


Gabriele Neukam

Gabriele.Spamfighter.Neukam@t-online.de

--
Antenagenes, average skellimancer, lvl91 SP Patriarch, wearing a SOJ!



Re: Haven't seen a Zlob link for a few weeks


Gabriele Neukam wrote:
Got the link off rec.gambling.poker and see the one you mention was out
there also (posted yesterday).  Tried the three (the two DivX and the
one flash) files and just VBA "flagged it".


Re: Haven't seen a Zlob link for a few weeks


============
Site is still up, file still changing.

Latest:
AntiVir      7.3.0.26   01.23.2007  DR/Zlob.Gen
BitDefender  7.2        01.23.2007  Trojan.Downloader.Zlob.AJW
DrWeb        4.33       01.23.2007  Trojan.Popuper
eSafe        7.0.14.0   01.23.2007  suspicious Trojan/Worm
Fortinet     2.82.0.0   01.23.2007  suspicious
Kaspersky    4.0.2.24   01.23.2007  Trojan-Downloader.Win32.Zlob.bku
NOD32v2      2000       01.23.2007  Win32/TrojanDownloader.Zlob.APP
Norman       5.80.02    01.23.2007  Zlob.ACPG
UNA          1.83       01.23.2007  TrojanDownloader.Win32.Zlob.FBAD
VBA32        3.11.2     01.23.2007  MalwareScope.Downloader.Zlob.1


Re: Haven't seen a Zlob link for a few weeks



| Site is still up, file still changing.
|
| Latest:
| AntiVir      7.3.0.26   01.23.2007  DR/Zlob.Gen
| BitDefender  7.2        01.23.2007  Trojan.Downloader.Zlob.AJW
| DrWeb        4.33       01.23.2007  Trojan.Popuper
| eSafe        7.0.14.0   01.23.2007  suspicious Trojan/Worm
| Fortinet     2.82.0.0   01.23.2007  suspicious
| Kaspersky    4.0.2.24   01.23.2007  Trojan-Downloader.Win32.Zlob.bku
| NOD32v2      2000       01.23.2007  Win32/TrojanDownloader.Zlob.APP
| Norman       5.80.02    01.23.2007  Zlob.ACPG
| UNA          1.83       01.23.2007  TrojanDownloader.Win32.Zlob.FBAD
| VBA32        3.11.2     01.23.2007  MalwareScope.Downloader.Zlob.1

My offer still stands.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


