FYI: Sunbelt has been added to VirusTotal

Thread starter: David H. Lipman

David H. Lipman

Complete scanning result of "cr-bd90e.exe", processed in VirusTotal at 12/02/2006 16:06:38 (CET).

[ file data ]
* name: cr-bd90e.exe
* size: 218226
* md5.: a44286794fe483beeb8200ba6e986fac
* sha1: d744d1fbb4fd2318199c64af85f7fdcb9c20bc63

[ scan result ]
AntiVir 7.2.0.46/20061202 found nothing
Authentium 4.93.8/20061201 found nothing
Avast 4.7.892.0/20061201 found nothing
AVG 386/20061202 found nothing
BitDefender 7.2/20061202 found [Trojan.Downloader.Zlob.LD]
CAT-QuickHeal 8.00/20061202 found nothing
ClamAV devel-20060426/20061201 found nothing
DrWeb 4.33/20061202 found nothing
eSafe 7.0.14.0/20061130 found [Suspicious Trojan/Worm]
eTrust-InoculateIT 23.73.74/20061202 found nothing
eTrust-Vet 30.3.3225/20061201 found nothing
Ewido 4.0/20061202 found nothing
F-Prot 3.16f/20061201 found nothing
F-Prot4 4.2.1.29/20061201 found nothing
Fortinet 2.82.0.0/20061202 found [suspicious]
Ikarus 0.2.65.0/20061201 found nothing
Kaspersky 4.0.2.24/20061202 found nothing
McAfee 4909/20061201 found nothing
Microsoft 1.1804/20061202 found nothing
NOD32v2 1897/20061202 found nothing
Norman 5.80.02/20061201 found nothing
Panda 9.0.0.4/20061202 found [Suspicious file]
Prevx1 V2/20061202 found nothing
Sophos 4.12.0/20061202 found nothing
Sunbelt 2.2.907.0/20061130 found [VIPRE.Suspicious]
TheHacker 6.0.3.127/20061201 found [Aplicacion/Riskware.Tool.SysModify]
UNA 1.83/20061201 found [TrojanDownloader.Win32.Zlob.5643]
VBA32 3.11.1/20061201 found nothing
VirusBuster 4.3.15:9/20061201 found nothing

[ notes ]
packers: UPX
packers: UPX, PECOMPACT, UPACK, BINARYRES
packers: UPX, ZIP, PecBundle, PECompact, UPack
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed
suspicious through heuristics.
 

Virus Guy

David H. Lipman said:
Complete scanning result of "cr-bd90e.exe", processed in VirusTotal at 12/02/2006 16:06:38

So I do a search for cr-bd90e and find this:

http://www.binsearch.info/?server=&...image.french&[email protected]+(Coza+Kamine)

I believe that what is happening on that web site is that you select
which file you want in the check-box on the left of the file, and the
file is posted to

alt.binaries.cd.image.french

and

alt.binaries.warez.quebec-hackers

Kool. I didn't know there was such a service.

Anyone with access to those groups can check and see if posts with the
following subject turn up in those groups:

Coza Pour Tazman
(BitDefender.Internet.Security.v10.0.Incl.Keymaker-CORE) [1/5] -
"cr-bd90e.zip" yEnc (1/21)
 

David H. Lipman

From: "Virus Guy" <[email protected]>


|
| So I do a search for cr-bd90e and find this:
|
|
http://www.binsearch.info/?server=&...image.french&[email protected]+(Coza+Kamine)
|
| I believe that what is happening on that web site is that you select
| which file you want in the check-box on the left of the file, and the
| file is posted to
|
| alt.binaries.cd.image.french
|
| and
|
| alt.binaries.warez.quebec-hackers
|
| Kool. I didn't know there was such a service.
|
| Anyone with access to those groups can check and see if posts with the
| following subject turn up in those groups:
|
| Coza Pour Tazman
| (BitDefender.Internet.Security.v10.0.Incl.Keymaker-CORE) [1/5] -
| "cr-bd90e.zip" yEnc (1/21)

The file was downloaded from a Warez web site associated with the same guys from the faux
CODEC download web sites.
 

David H. Lipman

From: "Virus Guy" <[email protected]>


|
| So I do a search for cr-bd90e and find this:
|
< snip >

Here's another one, Need.For.Speed.Carbon.GENERIC_KEYGEN-FFF.exe, from the same web site...

Complete scanning result of "Need.For.Speed.Carbon.GENERIC_KEYGEN-FFF.exe", processed in VirusTotal at 12/02/2006 17:51:58 (CET).

[ file data ]
* name: Need.For.Speed.Carbon.GENERIC_KEYGEN-FFF.exe
* size: 235748
* md5.: c223bfaece594a8b39bdb5e32d237ecd
* sha1: daad9736552fa42bb32ab27469947f20ded6dd8a

[ scan result ]
AntiVir 7.2.0.46/20061202 found nothing
Authentium 4.93.8/20061201 found [W32/Zlob.XC]
Avast 4.7.892.0/20061201 found nothing
AVG 386/20061202 found [Downloader.Zlob.DO]
BitDefender 7.2/20061202 found [Trojan.Downloader.Zlob.AUQ]
CAT-QuickHeal 8.00/20061202 found nothing
ClamAV devel-20060426/20061201 found nothing
DrWeb 4.33/20061202 found nothing
eSafe 7.0.14.0/20061130 found [Win32.Win32.Zlob.auq]
eTrust-InoculateIT 23.73.74/20061202 found nothing
eTrust-Vet 30.3.3225/20061201 found nothing
Ewido 4.0/20061202 found nothing
F-Prot 3.16f/20061201 found [security risk named W32/Zlob.XC]
F-Prot4 4.2.1.29/20061201 found [W32/Zlob.XC]
Fortinet 2.82.0.0/20061202 found [W32/Zlob.AUQ!tr.dldr]
Ikarus 0.2.65.0/20061201 found [Trojan-Downloader.Win32.Zlob.auq]
Kaspersky 4.0.2.24/20061202 found [Trojan-Downloader.Win32.Zlob.auq]
McAfee 4909/20061201 found nothing
Microsoft 1.1804/20061202 found [TrojanDownloader:Win32/Zlob!6E96]
NOD32v2 1897/20061202 found [Win32/TrojanDownloader.Zlob]
Norman 5.80.02/20061201 found nothing
Panda 9.0.0.4/20061202 found [Adware/iVideoCodec]
Prevx1 V2/20061202 found nothing
Sophos 4.12.0/20061202 found [Troj/Dloadr-APP]
Sunbelt 2.2.907.0/20061130 found [Trojan-Downloader.Zlob.Media-Codec]
TheHacker 6.0.3.127/20061201 found [Aplicacion/Riskware.Tool.SysModify]
UNA 1.83/20061201 found [TrojanDownloader.Win32.Zlob.5643]
VBA32 3.11.1/20061201 found nothing
VirusBuster 4.3.15:9/20061201 found [Trojan.DL.Zlob.APN]

[ notes ]
packers: UPX
packers: UPX, PECOMPACT, UPX, BINARYRES
packers: UPX, ZIP, PecBundle, PECompact
Sunbelt info: Trojan-Downloader.Zlob.Media-Codec is a program that typically purports to be
a needed upgrade to Windows Media Player in order to view adult oriented videos on certain
websites. However, Trojan-Downloader.Zlob.Media-Codec actually downloads and installs
additional malware on the user's machine.
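Both reports in this thread use the same plain-text layout (a "[ file data ]" block, one "found nothing" / "found [name]" line per engine, and a "[ notes ]" block). As an added example that is not part of the thread, here is a Python parser for that layout with the two checks a triager actually wants: that the md5/sha1 were pasted intact, and how many of the hits name a family (Zlob here) versus merely saying "suspicious". The embedded sample is copied from the first report above, abridged to nine of its 29 engines; the list of heuristic keywords is my own assumption, not anything VirusTotal or the vendors define.

```python
import re
from dataclasses import dataclass, field

# Line shapes in the 2006-era VirusTotal plain-text report posted in the thread.
_SECTION_RE = re.compile(r"^\[ (?P<name>[a-z ]+) \]$")
_FILE_RE = re.compile(r"^\* (?P<key>name|size|md5|sha1)\.*: (?P<value>.+)$")
_ENGINE_RE = re.compile(
    r"^(?P<engine>\S+) (?P<version>\S+)/(?P<sigdate>\d{8}) found "
    r"(?:nothing|\[(?P<name>.+)\])$"
)
# Assumption: names containing these words only say "looks odd", not "is family X".
_HEURISTIC_WORDS = ("suspicious", "generic", "riskware", "heur")


@dataclass
class Report:
    file: dict = field(default_factory=dict)     # name / size / md5 / sha1
    results: dict = field(default_factory=dict)  # engine -> detection name, or None
    packers: list = field(default_factory=list)  # de-duplicated, lower-cased


def parse_report(text: str) -> Report:
    """Parse one VirusTotal text report into its three sections."""
    rpt, section = Report(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section == "file data" and (m := _FILE_RE.match(line)):
            rpt.file[m.group("key")] = m.group("value")
        elif section == "scan result" and (m := _ENGINE_RE.match(line)):
            rpt.results[m.group("engine")] = m.group("name")  # None for "nothing"
        elif section == "notes" and line.startswith("packers:"):
            for p in line.split(":", 1)[1].split(","):
                p = p.strip().lower()
                if p and p not in rpt.packers:
                    rpt.packers.append(p)
    return rpt


def hashes_well_formed(rpt: Report) -> bool:
    """md5 must be 32 hex chars and sha1 40; anything else is a copy/paste error."""
    return bool(re.fullmatch(r"[0-9a-f]{32}", rpt.file.get("md5", ""))) and \
           bool(re.fullmatch(r"[0-9a-f]{40}", rpt.file.get("sha1", "")))


def triage(rpt: Report, family: str = "zlob") -> dict:
    """Split hits into engines naming `family`, other named detections, and heuristic-only ones."""
    named, other, heuristic = [], [], []
    for engine, name in rpt.results.items():
        if name is None:
            continue
        low = name.lower()
        if family in low:
            named.append(engine)
        elif any(w in low for w in _HEURISTIC_WORDS):
            heuristic.append(engine)
        else:
            other.append(engine)
    return {
        "hits": len(named) + len(other) + len(heuristic),
        "engines": len(rpt.results),
        "named_family": named,
        "other_named": other,
        "heuristic_only": heuristic,
    }


# Copied from the first report in the thread, abridged to nine of its 29 engines.
SAMPLE = """\
[ file data ]
* name: cr-bd90e.exe
* size: 218226
* md5.: a44286794fe483beeb8200ba6e986fac
* sha1: d744d1fbb4fd2318199c64af85f7fdcb9c20bc63

[ scan result ]
AntiVir 7.2.0.46/20061202 found nothing
BitDefender 7.2/20061202 found [Trojan.Downloader.Zlob.LD]
eSafe 7.0.14.0/20061130 found [Suspicious Trojan/Worm]
Fortinet 2.82.0.0/20061202 found [suspicious]
Kaspersky 4.0.2.24/20061202 found nothing
Panda 9.0.0.4/20061202 found [Suspicious file]
Sunbelt 2.2.907.0/20061130 found [VIPRE.Suspicious]
TheHacker 6.0.3.127/20061201 found [Aplicacion/Riskware.Tool.SysModify]
UNA 1.83/20061201 found [TrojanDownloader.Win32.Zlob.5643]

[ notes ]
packers: UPX
packers: UPX, PECOMPACT, UPACK, BINARYRES
"""

if __name__ == "__main__":
    r = parse_report(SAMPLE)
    print(r.file["name"], "hashes ok:", hashes_well_formed(r), "packers:", r.packers)
    print(triage(r))
```

Run over the full reports in the thread, the split is what makes the two files look different: cr-bd90e.exe gets 7 of 29 engines, but only BitDefender and UNA name Zlob and the other five are heuristic or riskware labels, while the Need.For.Speed keygen gets 17 of 29 with a Zlob consensus across vendors. A raw hit count alone hides that distinction.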
 
