Haven't seen a Zlob link for a few weeks


Duh_OZ

Until tonight anyway.

hxxp://xxx.activexmediasource.com/download/setupmedia.1645.exe

Virus total has two vendors ID it, two others 'suspicious'

AntiVir 7.3.0.26 DR/Zlob.Gen
BitDefender 7.2 Trojan.Downloader.Zlob.AKJ
eSafe 7.0.14.0 suspicious Trojan/Worm
Fortinet 2.82.0.0 suspicious
 
From: "Duh_OZ" <[email protected]>

| Until tonight anyway.
|
| activexmediasource.com
|

Thanx. That's a new one.

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com

Domain Name: ACTIVEXMEDIASOURCE.COM

Registrant:
vl ltd
Von Linstow ([email protected])
Dalbergsgade 7
Viborg
null,8800
DK
Tel. +045.26881927

Creation Date: 17-Jan-2007
Expiration Date: 17-Jan-2008



So is this one...


Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com

Domain Name: VIDEOACTIVEXSOFTWARE.COM

Registrant:
AXV
Ase Traving ([email protected])
Figenvej 125
Nustved
null,4700
DK
Tel. +045.26468496

Creation Date: 17-Jan-2007
Expiration Date: 17-Jan-2008



videoactivexsoftware.com

Complete scanning result of "setupvax.exe", processed in VirusTotal at 01/20/2007 05:11:22
(CET).

[ file data ]
* name: setupvax.exe
* size: 60720
* md5.: 759b8fb8b9f0ede2f0689b7eec750a68
* sha1: ba9bd46ccefe625080eff11994c8805a93753f46

[ scan result ]
AntiVir 7.3.0.26/20070120 found [DR/Zlob.Gen]
BitDefender 7.2/20070120 found [Trojan.Zlob.IN]
eSafe 7.0.14.0/20070120 found [suspicious Trojan/Worm]
Fortinet 2.82.0.0/20070119 found [suspicious]
Prevx1 V2/20070120 found [Malicious]

[ notes ]
packers: UPX
packers: UPX, BINARYRES, BINARYRES
packers: UPX
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=bca071748737


Right now there are MORE DNSChanger sites than ZLob installer sites. All owned by the same
group and all registered through ESTDOMAINS INC

NOTE: The email addresses of the registered owners of the sites point to OTHER sites as
well.

I have quite an extensive list of both active and closed sites. Email me and I'll provide
it to you. I don't want to post it publicly.
 
Complete scanning result of "setupvax.exe", processed in VirusTotal at 01/20/2007 05:11:22
(CET).

[ file data ]
* name: setupvax.exe
* size: 60720
* md5.: 759b8fb8b9f0ede2f0689b7eec750a68
* sha1: ba9bd46ccefe625080eff11994c8805a93753f46

[ scan result ]
AntiVir 7.3.0.26/20070120 found [DR/Zlob.Gen]
BitDefender 7.2/20070120 found [Trojan.Zlob.IN]
eSafe 7.0.14.0/20070120 found [suspicious Trojan/Worm]
Fortinet 2.82.0.0/20070119 found [suspicious]
Prevx1 V2/20070120 found [Malicious]

[ notes ]
packers: UPX
packers: UPX, BINARYRES, BINARYRES
packers: UPX
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=bca071748737

Here's a vt result on the file that's now up there:
******************************************
Complete scanning result of "setupmedia.1645.exe", received in
VirusTotal at 01.20.2007, 12:07:54 (CET).

Antivirus Version Update Result
AntiVir 7.3.0.26 01.20.2007 DR/Zlob.Gen
Authentium 4.93.8 01.20.2007 no virus found
Avast 4.7.936.0 01.18.2007 no virus found
AVG 386 01.19.2007 no virus found
BitDefender 7.2 01.20.2007 no virus found
CAT-QuickHeal 9.00 01.20.2007 no virus found
ClamAV devel-20060426 01.20.2007 no virus found
DrWeb 4.33 01.20.2007 no virus found
eSafe 7.0.14.0 01.20.2007 suspicious Trojan/Worm
eTrust-InoculateIT 23.73.118 01.20.2007 no virus found
eTrust-Vet 30.3.3336 01.19.2007 no virus found
Ewido 4.0 01.19.2007 no virus found
Fortinet 2.82.0.0 01.20.2007 suspicious
F-Prot 3.16f 01.20.2007 no virus found
F-Prot4 4.2.1.29 01.19.2007 no virus found
Ikarus T3.1.0.27 01.09.2007 no virus found
Kaspersky 4.0.2.24 01.20.2007 no virus found
McAfee 4943 01.19.2007 no virus found
Microsoft 1.1904 01.20.2007 no virus found
NOD32v2 1992 01.20.2007 no virus found
Norman 5.80.02 01.19.2007 no virus found
Panda 9.0.0.4 01.20.2007 no virus found
Prevx1 V2 01.20.2007 no virus found
Sophos 4.13.0 01.20.2007 no virus found
Sunbelt 2.2.907.0 01.12.2007 no virus found
TheHacker 6.0.3.151 01.19.2007 no virus found
UNA 1.83 01.19.2007 no virus found
VBA32 3.11.2 01.19.2007 no virus found
VirusBuster 4.3.19:9 01.20.2007 no virus found

Aditional Information
File size: 60745 bytes
MD5: a4641aea1f9e2e0e46ecaae7abaa801c
SHA1: 911d642c1c0d9d21ae872361d71e497c9b33b947
packers: UPX
packers: UPX, BINARYRES, BINARYRES
packers: UPX
******************************
Looks like another case of musical chairs. Note it's now a different
file and Bit Defender doesn't alert.

Art
http://home.epix.net/~artnpeg
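The two VirusTotal pastes above use different plain-text layouts (the older "Engine ver/date found [name]" form and the newer "Engine Version Update Result" table), and comparing them by eye is how Art spotted that BitDefender stopped alerting. Below is an added example, not code from anyone in this thread, that parses both layouts, counts detected / suspicious / clean verdicts, and lists engines that flagged the earlier sample but report the later one clean. The two embedded reports are abridged copies of the results posted above; everything else (function names, verdict rules) is my own assumption.

```python
"""Parse pasted VirusTotal text reports and compare detection coverage."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Abridged from the thread: the "setupvax.exe" report in the older layout.
SAMPLE_SCANNER = """\
[ scan result ]
AntiVir 7.3.0.26/20070120 found [DR/Zlob.Gen]
BitDefender 7.2/20070120 found [Trojan.Zlob.IN]
eSafe 7.0.14.0/20070120 found [suspicious Trojan/Worm]
Fortinet 2.82.0.0/20070119 found [suspicious]
Prevx1 V2/20070120 found [Malicious]
"""

# Abridged from the thread: the "setupmedia.1645.exe" report in table layout.
SAMPLE_TABLE = """\
Antivirus Version Update Result
AntiVir 7.3.0.26 01.20.2007 DR/Zlob.Gen
Authentium 4.93.8 01.20.2007 no virus found
BitDefender 7.2 01.20.2007 no virus found
eSafe 7.0.14.0 01.20.2007 suspicious Trojan/Worm
Fortinet 2.82.0.0 01.20.2007 suspicious
Kaspersky 4.0.2.24 01.20.2007 no virus found
Prevx1 V2 01.20.2007 no virus found
"""

# Table layout: engine, version, dd.mm.yyyy update date, free-text result.
TABLE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.*)$")
# Older layout: engine, version/yyyymmdd, "found [result]".
SCANNER_RE = re.compile(r"^(\S+)\s+(\S+)/(\d{8})\s+found\s+\[(.*)\]$")


@dataclass
class EngineResult:
    engine: str
    version: str
    updated: str
    result: str

    @property
    def verdict(self) -> str:
        """Collapse free-text results into three buckets (my own rule)."""
        r = self.result.strip().lower()
        if r == "no virus found":
            return "clean"
        if r.startswith("suspicious"):
            return "suspicious"
        return "detected"


def parse_report(text: str) -> List[EngineResult]:
    """Return one EngineResult per engine line; headers and decoration are skipped."""
    results = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("|").strip()  # tolerate quoted ("| ") pastes
        m = TABLE_RE.match(line) or SCANNER_RE.match(line)
        if m:
            results.append(EngineResult(*m.groups()))
    return results


def summarise(results: List[EngineResult]) -> Dict[str, int]:
    counts = {"detected": 0, "suspicious": 0, "clean": 0}
    for r in results:
        counts[r.verdict] += 1
    return counts


def lost_detections(old: List[EngineResult], new: List[EngineResult]) -> Set[str]:
    """Engines that detected the old sample but call the new one clean."""
    old_hits = {r.engine for r in old if r.verdict == "detected"}
    new_clean = {r.engine for r in new if r.verdict == "clean"}
    return old_hits & new_clean


if __name__ == "__main__":
    first, second = parse_report(SAMPLE_SCANNER), parse_report(SAMPLE_TABLE)
    print("setupvax.exe      :", summarise(first))
    print("setupmedia.1645.exe:", summarise(second))
    print("engines that went quiet:", sorted(lost_detections(first, second)))
```

Run against the two abridged reports it prints the drop from three detections to one and names BitDefender and Prevx1 as the engines that no longer alert on the replacement file, which is the "musical chairs" pattern Art describes.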
 
From: "Art" <[email protected]>

| On Sat, 20 Jan 2007 04:32:58 GMT, "David H. Lipman"
| said:
| Complete scanning result of "setupvax.exe", processed in VirusTotal at 01/20/2007
| 05:11:22 (CET).
|
| [ file data ]
| * name: setupvax.exe
| * size: 60720
| * md5.: 759b8fb8b9f0ede2f0689b7eec750a68
| * sha1: ba9bd46ccefe625080eff11994c8805a93753f46
|
| [ scan result ]
| AntiVir 7.3.0.26/20070120 found [DR/Zlob.Gen]
| BitDefender 7.2/20070120 found [Trojan.Zlob.IN]
| eSafe 7.0.14.0/20070120 found [suspicious Trojan/Worm]
| Fortinet 2.82.0.0/20070119 found [suspicious]
| Prevx1 V2/20070120 found [Malicious]
|
| [ notes ]
| packers: UPX
| packers: UPX, BINARYRES, BINARYRES
| packers: UPX
| Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=bca071748737
|
| Here's a vt result on the file that's now up there:
| ******************************************
| Complete scanning result of "setupmedia.1645.exe", received in
| VirusTotal at 01.20.2007, 12:07:54 (CET).
|
| Antivirus Version Update Result
| AntiVir 7.3.0.26 01.20.2007 DR/Zlob.Gen
| Authentium 4.93.8 01.20.2007 no virus found
| Avast 4.7.936.0 01.18.2007 no virus found
| AVG 386 01.19.2007 no virus found
| BitDefender 7.2 01.20.2007 no virus found
| CAT-QuickHeal 9.00 01.20.2007 no virus found
| ClamAV devel-20060426 01.20.2007 no virus found
| DrWeb 4.33 01.20.2007 no virus found
| eSafe 7.0.14.0 01.20.2007 suspicious Trojan/Worm
| eTrust-InoculateIT 23.73.118 01.20.2007 no virus found
| eTrust-Vet 30.3.3336 01.19.2007 no virus found
| Ewido 4.0 01.19.2007 no virus found
| Fortinet 2.82.0.0 01.20.2007 suspicious
| F-Prot 3.16f 01.20.2007 no virus found
| F-Prot4 4.2.1.29 01.19.2007 no virus found
| Ikarus T3.1.0.27 01.09.2007 no virus found
| Kaspersky 4.0.2.24 01.20.2007 no virus found
| McAfee 4943 01.19.2007 no virus found
| Microsoft 1.1904 01.20.2007 no virus found
| NOD32v2 1992 01.20.2007 no virus found
| Norman 5.80.02 01.19.2007 no virus found
| Panda 9.0.0.4 01.20.2007 no virus found
| Prevx1 V2 01.20.2007 no virus found
| Sophos 4.13.0 01.20.2007 no virus found
| Sunbelt 2.2.907.0 01.12.2007 no virus found
| TheHacker 6.0.3.151 01.19.2007 no virus found
| UNA 1.83 01.19.2007 no virus found
| VBA32 3.11.2 01.19.2007 no virus found
| VirusBuster 4.3.19:9 01.20.2007 no virus found
|
| Aditional Information
| File size: 60745 bytes
| MD5: a4641aea1f9e2e0e46ecaae7abaa801c
| SHA1: 911d642c1c0d9d21ae872361d71e497c9b33b947
| packers: UPX
| packers: UPX, BINARYRES, BINARYRES
| packers: UPX
| ******************************
| Looks like another case of musical chairs. Note it's now a different
| file and Bit Defender doesn't alert.
|
| Art
| http://home.epix.net/~artnpeg


That's been the motive of these guys. They are generating new ZLob variants on an almost
daily basis. They are creating new web sites all the time. It is hard keeping up with them!
 
Until tonight anyway.
hxxp://xxx.activexmediasource.com/download/setupmedia.1645.exe

I don't know, if they are from the same source, but there is some
similar spam targeting German recipients, too.

http://www.heise.de/bilder/84000/0/1

If you click on one of the XXX-rated pictures on the page, in order to
see the video, a popup asks you to install a DivX plugin and a Flash
plugin, both of which are not recognized by most AV scanners.

http://www.heise.de/bilder/84000/1/1
http://www.heise.de/bilder/84000/2/1


Gabriele Neukam

 
Gabriele said:
I don't know, if they are from the same source, but there is some
similar spam targeting German recipients, too.

http://www.heise.de/bilder/84000/0/1

If you click on one of the XXX-rated pictures on the page, in order to
see the video, a popup asks you to install a DivX plugin and a Flash
plugin, both of which are not recognized by most AV scanners.

http://www.heise.de/bilder/84000/1/1
http://www.heise.de/bilder/84000/2/1
Got the link off rec.gambling.poker and see the one you mention was out
there also (posted yesterday). Tried the three (the two DivX and the
one flash) files and just VBA "flagged it".
 
David H. Lipman said:
packers: UPX, BINARYRES, BINARYRES

What is this BINARYRES packer? I can't find any description of it --
the only hits are from Virustotal scans.

Perhaps it's not an exe packer, but just indicates unusual resource
blocks in the file.
 
From: "Ant" <[email protected]>

| "David H. Lipman" wrote:
||
| What is this BINARYRES packer? I can't find any description of it --
| the only hits are from Virustotal scans.
|
| Perhaps it's not an exe packer, but just indicates unusual resource
| blocks in the file.
|

Good question. I'll ask around.
 
From: "Ant" <[email protected]>


| What is this BINARYRES packer? I can't find any description of it --
| the only hits are from Virustotal scans.

| Perhaps it's not an exe packer, but just indicates unusual resource
| blocks in the file.


This is what I got back...

"Usually binaryes means it contains embedded file(s)"

and...

"DrWeb is using the term BINARYRES ...for Embeded files... in general, for every exe or
dll that contains other files."
 
David H. Lipman said:
From: "Ant" <[email protected]>
| What is this BINARYRES packer? I can't find any description of it --
| the only hits are from Virustotal scans.
This is what I got back...

"Usually binaryes means it contains embedded file(s)"

and...

"DrWeb is using the term BINARYRES ...for Embeded files... in general,
for every exe or dll that contains other files."

Thanks. I suspected it wasn't the name of a particular packer.
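Since the thread settles on BINARYRES meaning "an exe or dll that contains other files", here is an added example (mine, not from any poster or from DrWeb) of the check an analyst can run locally to get the same signal: carve a binary for additional MZ headers whose e_lfanew pointer lands on a valid "PE\0\0" signature, which is what a dropper with an embedded payload looks like. It deliberately does not walk the PE resource directory (that needs a PE parser), so it also catches payloads appended after the last section. The sample bytes, the helper `_fake_pe`, and the decoy "MZ" are constructed for the demonstration.

```python
"""Find embedded PE images inside a binary (the condition behind 'BINARYRES')."""
import struct
import sys
from typing import List


def _fake_pe(size: int, marker: bytes) -> bytes:
    """Constructed stand-in for a PE file: DOS header, e_lfanew=0x40, 'PE\\0\\0', filler."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    hdr[0x3C:0x40] = struct.pack("<I", 0x40)   # e_lfanew points just past the header
    body = bytes(hdr) + b"PE\x00\x00" + marker
    return body + b"\x00" * (size - len(body))


# Constructed sample: an outer executable, a decoy "MZ" with a bogus e_lfanew,
# then a second, embedded executable starting at offset 600.
SAMPLE_DROPPER = (
    _fake_pe(512, b"OUTER")
    + b"MZ" + b"\xff" * 62 + b"\x00" * 24   # looks like MZ, but e_lfanew=0xffffffff
    + _fake_pe(256, b"INNER")
)


def find_pe_headers(data: bytes) -> List[int]:
    """Offsets of every 'MZ' whose e_lfanew resolves to a 'PE\\0\\0' signature."""
    hits = []
    off = data.find(b"MZ")
    while off != -1:
        if off + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
            pe = off + e_lfanew
            # e_lfanew must clear the DOS header and land inside the buffer.
            if e_lfanew >= 0x40 and pe + 4 <= len(data) and data[pe:pe + 4] == b"PE\x00\x00":
                hits.append(off)
        off = data.find(b"MZ", off + 1)
    return hits


def embedded_pe_offsets(data: bytes) -> List[int]:
    """PE headers other than the one at offset 0, i.e. embedded executables."""
    return [o for o in find_pe_headers(data) if o != 0]


def has_embedded_pe(data: bytes) -> bool:
    return bool(embedded_pe_offsets(data))


if __name__ == "__main__":
    # Pass a file path to scan it; with no argument the constructed sample is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DROPPER
    for o in embedded_pe_offsets(blob):
        print(f"embedded PE header at offset 0x{o:x}")
    print("embedded PE present:", has_embedded_pe(blob))
```

Note the check is signature-based, so a payload that is itself compressed or encrypted inside the dropper (the UPX layer VirusTotal also reports) will not be found until it is unpacked; what it does give you, with no external library, is a quick yes/no on whether the file carries another executable in the clear.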
 