Re: Different packing = different scan results (remember Zlob posts?)



From: "Virus Guy" <Virus@xxxxxxx>

|
| The file in question was located here:
|
| http://www.media-codec.com /v4 /mediacodec-v4.143.exe
|
| It is still available at that location.
|
| The file is 71,456 bytes, and is UPX packed. It has a digital
| signature of "KAS NET" according to the file properties.
|
| When unpacked with UPX: http://upx.sourceforge.net, the resulting file
| is 83,232 bytes and has no digital signature attribute. Previous
| scanning by Jotti had indicated that this file was packed with
| PE_PATCH and UPACK.
|
| In any case, I submitted both the original file (71kb) and the
| UPX-unpacked version (83kb) to the now-working Virus Total website.
|
| The following AV software found nothing in both files:
|
| Avast, AVG, Cat, Clam, DrWeb, E-trust Inoculate, E-trust-vet, Ewido
| F-prot, McAfee, Norman, Sophos, Symantec, TheHacker, UNA
|
| The following detected something ONLY in the original (packed) file:
|
| AntiVir: TR/Dldr.Zlob.HQ.1
| Avira: TR/Dldr.Zlob.HQ.1
| BitDefender: Trojan.Downloader.Zlob.HQ
| Ikarus: Trojan.Favadd
| Panda: Suspicious file
|
| The following detected the same thing in BOTH files:
|
| Fortinet: W32/Zlob.LJ!dldr
| Kaspersky: Trojan-Downloader.Win32.Zlob.lj
| NOD32v2: Win32/TrojanDownloader.Zlob.LD
| VBA32: Trojan-Downloader.Win32.Zlob.lj
|
| Note that there is no overlap between the above 2 groups in the
| name/identifier used, but there is considerable similarity within the
| groups. For example AntiVir, Avira and BitDefender use the term
| "Zlob.HQ", while Fortinet, Kaspersky, and VBA32 use "Zlob.LJ".
|
| Conclusions:
|
| 1) Many high-profile AV products are not detecting any threat in these
| files. Either they are deficient, or the files are clean and
| this is a false alarm.
|
| 2) The AV software that signaled a positive detection only in the
| first (packed) file but not the unpacked file must not have
| the ability to unpack PE_Patch and/or UPACK'd files, and the
| only thing that can account for their positive detection of the
| first file is that they are relying on MD5 (or equivalent) hash.

That site is auto-generating new variants of the Zlob Trojan on a regular and periodic
basis.

A SpyBot technician had examined that site and wrote to me...

"I checked the site, and the samples are autogenerated like a cronjob (see the file date)."

---<result>----
15.04.2006 01:18 71.376 mediacodec-v4.104.exe
15.04.2006 01:18 71.376 mediacodec-v4.105.exe
15.04.2006 01:18 71.376 mediacodec-v4.106.exe
15.04.2006 01:18 71.376 mediacodec-v4.107.exe
15.04.2006 01:18 71.376 mediacodec-v4.108.exe
15.04.2006 01:18 71.376 mediacodec-v4.109.exe
15.04.2006 01:18 71.376 mediacodec-v4.110.exe
15.04.2006 01:18 71.376 mediacodec-v4.111.exe
15.04.2006 01:18 71.376 mediacodec-v4.112.exe
15.04.2006 01:18 71.376 mediacodec-v4.113.exe
15.04.2006 01:19 71.376 mediacodec-v4.114.exe
15.04.2006 01:19 71.376 mediacodec-v4.115.exe
15.04.2006 01:19 71.376 mediacodec-v4.116.exe
15.04.2006 01:19 71.376 mediacodec-v4.117.exe
15.04.2006 01:19 71.376 mediacodec-v4.118.exe
15.04.2006 01:19 71.376 mediacodec-v4.119.exe
15.04.2006 01:19 71.376 mediacodec-v4.120.exe
15.04.2006 01:19 71.376 mediacodec-v4.121.exe
15.04.2006 01:19 71.376 mediacodec-v4.122.exe
15.04.2006 01:19 71.376 mediacodec-v4.123.exe
15.04.2006 01:19 71.376 mediacodec-v4.124.exe
15.04.2006 01:19 71.376 mediacodec-v4.125.exe
15.04.2006 01:19 71.376 mediacodec-v4.126.exe
15.04.2006 01:19 71.376 mediacodec-v4.127.exe
15.04.2006 01:19 71.376 mediacodec-v4.128.exe
15.04.2006 01:19 71.376 mediacodec-v4.129.exe
15.04.2006 01:19 71.376 mediacodec-v4.130.exe
15.04.2006 01:19 71.376 mediacodec-v4.131.exe
15.04.2006 01:19 71.376 mediacodec-v4.132.exe

< snip >

--<result md5>---
a0f2654035e785828dd43fe05c131b02 mediacodec-v4.104.exe
b144037dbf6003bca3c9514ac8c32108 mediacodec-v4.105.exe
c647cd66e383003061b509b50cc64b95 mediacodec-v4.106.exe
edc9a96f130df95ddae39e4fb0005f42 mediacodec-v4.107.exe
8a3d804f951716dbaa4ef195a870e1ae mediacodec-v4.108.exe
da0b16632851b54625638ec561ef2f15 mediacodec-v4.109.exe

< snip >


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
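The two observations in this thread (variants that share a size but not an MD5, and scanners that flag the packed file but not the unpacked one) come down to what bytes a scanner hashes. The following is an added illustration, not code from this post or from any of the products named: a toy "packer" (zlib behind a 4-byte build counter, an assumption standing in for UPX/UPACK/PE_Patch, not a real format) is applied to a constructed, harmless payload, and two scanners are trained on one packed sample. One matches the MD5 of the file as submitted; the other strips the packer first and matches the MD5 of what is inside.

```python
import hashlib
import struct
import zlib

# Constructed stand-in for the unpacked program: harmless bytes, not real malware.
PAYLOAD = b"constructed sample payload - stands in for the unpacked program\n" * 64


def pack(payload: bytes, build_id: int) -> bytes:
    """Toy packer (assumption: stands in for UPX/UPACK/PE_Patch; not a real format).

    The payload is zlib-compressed behind a 4-byte build counter, so every build of
    the same payload has the same length but a different MD5: the same pattern as
    the directory listing above (identical sizes, distinct hashes).
    """
    return struct.pack("<I", build_id) + zlib.compress(payload, 9)


def unpack(blob: bytes) -> bytes:
    """Inverse of pack(); raises zlib.error if blob is not in the toy format."""
    return zlib.decompress(blob[4:])


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


class HashOnlyScanner:
    """Detects by the MD5 of the file exactly as submitted (the packed bytes)."""

    def __init__(self, known_samples):
        self.signatures = {md5_hex(s) for s in known_samples}

    def detect(self, blob: bytes) -> bool:
        return md5_hex(blob) in self.signatures


class UnpackingScanner:
    """Strips the packer first, then matches the MD5 of the inner payload."""

    def __init__(self, known_samples):
        self.signatures = {md5_hex(self._inner(s)) for s in known_samples}

    @staticmethod
    def _inner(blob: bytes) -> bytes:
        try:
            return unpack(blob)
        except zlib.error:
            return blob  # not packed (or an unknown packer): scan the bytes as-is

    def detect(self, blob: bytes) -> bool:
        return md5_hex(self._inner(blob)) in self.signatures


def build_variants(first: int, last: int):
    """Packs the same payload with consecutive build ids, like the v4.104..v4.132 files."""
    return [pack(PAYLOAD, i) for i in range(first, last + 1)]


def compare_scanners(known_build: int, new_build: int) -> dict:
    """Trains both scanners on one packed sample and tries the three cases from the
    post: the known packed file, its unpacked form, and a freshly generated variant."""
    known = pack(PAYLOAD, known_build)
    hash_only = HashOnlyScanner([known])
    unpacking = UnpackingScanner([known])
    cases = {
        "known_packed": known,
        "known_unpacked": unpack(known),
        "new_variant": pack(PAYLOAD, new_build),
    }
    return {
        name: {"hash_only": hash_only.detect(blob), "unpacking": unpacking.detect(blob)}
        for name, blob in cases.items()
    }


if __name__ == "__main__":
    variants = build_variants(104, 132)
    print("sizes identical:", len({len(v) for v in variants}) == 1)
    print("md5s distinct:  ", len({md5_hex(v) for v in variants}) == len(variants))
    for case, verdicts in compare_scanners(143, 144).items():
        print(f"{case:15s} hash-only={verdicts['hash_only']!s:5s} unpacking={verdicts['unpacking']}")
```

The hash-only scanner reproduces the first group in the post: it flags the packed sample it was trained on and nothing else, neither the unpacked copy nor the next build off the cron job. The unpacking scanner reproduces the second group, flagging the packed file, the unpacked file and every new variant alike, because the bytes it actually hashes never change between builds. A scanner whose verdict flips when you run UPX -d on the file is therefore a strong hint that it is matching the container rather than the contents.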

