Zlob Trojan - Newbie on group - Help please!

[pOTRice]

Sorry if this was dealt with recently but this is my first look at
this group.

Running WIn2000 on an Althlon 2000+
Free ZoneAlarm and AVG *Pro*

First symptom - ZoneAlarm squeeked about dfrgsrv.exe trying to go out
on the internet.
What's dfrgsvr I wondered - "svr" sounds dangerous (Defrag Server?)
I denied the access.
I found the file dfrgsvr.exe sitting in C:\WINNT\system32.
Ran Micro$oft AntiSpyware Beta 1 - it found Zlob indicated by a
Registry key
. .\Explorer\Run wininet.dll triggering (guess what?)
dfrgsvr.exe at startup.
This matches Micro$oft's notes about Zlob on their site.

No problem I thought - just let AntiSpy remove the key.
Too easy - in fact every attempt at even manually removing it fails -
it seems to be 'self-repairing'
The dfrgsvr.exe cannot be renamed or deleted - sharing violation -
presumable because it's running.
A request to AntiSpy to 'block' this item at start up is apparently
accepted and it shows an entry in its list as "blocked" but another
'live' entry reappears!

Running the latest Micro$oft Malware Removal Tool does *not* find it.

Run out of ideas!

Anybody killed this successfully?

 

[David H. Lipman]

From: "pOTRice" <[email protected]>

| Sorry if this was dealt with recently but this is my first look at
| this group.
|
| Running WIn2000 on an Althlon 2000+
| Free ZoneAlarm and AVG *Pro*
|
| First symptom - ZoneAlarm squeeked about dfrgsrv.exe trying to go out
| on the internet.
| What's dfrgsvr I wondered - "svr" sounds dangerous (Defrag Server?)
| I denied the access.
| I found the file dfrgsvr.exe sitting in C:\WINNT\system32.
| Ran Micro$oft AntiSpyware Beta 1 - it found Zlob indicated by a
| Registry key
| . .\Explorer\Run wininet.dll triggering (guess what?)
| dfrgsvr.exe at startup.
| This matches Micro$oft's notes about Zlob on their site.
|
| No problem I thought - just let AntiSpy remove the key.
| Too easy - in fact every attempt at even manually removing it fails -
| it seems to be 'self-repairing'
| The dfrgsvr.exe cannot be renamed or deleted - sharing violation -
| presumable because it's running.
| A request to AntiSpy to 'block' this item at start up is apparently
| accepted and it shows an entry in its list as "blocked" but another
| 'live' entry reappears!
|
| Running the latest Micro$oft Malware Removal Tool does *not* find it.
|
| Run out of ideas!
|
| Anybody killed this successfully?



Two part reply..

Perform Part 1 then perform Part 2.

If the first two parts don't work, perform the alternate utility.

It is suggested that you execute each tool in Normal Mode then in Safe Mode.

If you are using any version of Sun Java that is prior to JRE Version 5.0,
then you are strongly urged to remove any/all versions that are prior to JRE
Version 5.0. There are vulnerabilities in them and they are actively being exploited.

Therefore, it is highly suggested that if there are any prior versions of Sun Java
to Version 5 on the PC that they be removed and Sun Java JRE Version 5.0 Update 6
be installed ASAP.

http://www.java.com/en/download/manual.jsp



Part 1
-----------

Use noahdfear's SmitFraud, SpyAxe, SpyFalcon, et. al., removal tool -- SmitRem.exe
http://noahdfear.geekstogo.com/click counter/click.php?id=1

http://www.bleepingcomputer.com/forums/topic43659.html


Part 2
-----------

Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe

Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\Normal_ScanReport.HTML or
C:\mcafee\Safe_ScanReport.HTML will be generated. At the end of the scan, it will be
displayed in your browser (Opera, FireFox or Internet Explorer). However, if you are using
WinXP, Win2K or Win2003 your system will be left in a state where you will have to manually
shutdown/reboot the PC. On Win9x/ME platforms the report will not be shown in your bowser
but your PC will automatically be shutdown. It is suggested that you move the report out of
c:\mcafee before performing another scan.

It would be best to scan in both Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.


ALTERNATE:

Secured2K's SpyAxe, PSGuard, Smitfraud, Sinnaka and Alemod removal tool.

http://secured2k.home.comcast.net/tools/AntiPuper.exe

http://forums.mcafeehelp.com/viewtopic.php?t=65072




Please Copy and Paste the contents of the HTML Log files;
C:\mcafee\Normal_ScanReport.HTML & C:\mcafee\Safe_ScanReport.HTML in your reply.

* * * Please report back your results * * *

 

[pOTRice]

Many thanks for your comprehensive reply.
I will not have a chance to execute it till tomorrow.

I hope I'm right in thinking that, as long as ZoneAlarm blocks it
going out, it can't do any real harm.

 

[David H. Lipman]

From: "pOTRice" <[email protected]>

| Many thanks for your comprehensive reply.
| I will not have a chance to execute it till tomorrow.
|
| I hope I'm right in thinking that, as long as ZoneAlarm blocks it
| going out, it can't do any real harm.
|

It depends on your definition but the FireWall is blocking any aspects of sending data
"home" or to 3rd parties.

 

[pOTRice]

I've had a go . .

Ghosted the partition onto another drive (I use removable caddies) and
tinkered with the copy.

Tried SmitRem.exe didn't seem to do any good.
Started Disc clean up but got impatient.

What the hell! - it's only a copy - Ran up in Safe mode - *deleted*
dfrgsrv.exe.
Ran up MS AntiSpyware - asked it to delete the 'Run' Registry entry -
it did!
Checked again with Regedit - yes it had gone.

Ran up again in Normal mode - seems OK.

Only negative impact so far is my Desktop icons are nicely arranged in
the top right hand corner of screen - I can live with that.

Am I kidding myself?
Is it really much more complicated than that?

I will be keeping a careful eye on each re-boot in future (not very
often - stays on for weeks)

Many thanks David for your quick response and effort you put in to
help me - much appreciated.

Now to fix the *real* disk . .

 

[pOTRice]

More info - I've been trying to figure out how I got this malware -
realised that the only thing that I had added knowingly recently was
this . .

http://www.media-codec.com/v4/mediacodec-v4.143.exe

I found the path still in the recently accessed (dropdown list in IE)

I still had the actual EXE (I always save them)

I executed this again (on my copy system) and, lo and behold, it set
up the Registry key and put back dfrgsrv.exe again!

AVG didn't notice it originally - nor even when I asked it to
specifically scan the codec EXE.

I am wondering about my previously stated faith in the power of
ZoneAlarm.
Would the malware have tried to phone home in the guise of Explorer
since the Reg Key was associated with that? If so, I might have
allowed it!

 

[David H. Lipman]

From: "pOTRice" <[email protected]>

| More info - I've been trying to figure out how I got this malware -
| realised that the only thing that I had added knowingly recently was
| this . .

| http://www.media-codec.com/v4/mediacodec-v4.143.exe

| I found the path still in the recently accessed (dropdown list in IE)

| I still had the actual EXE (I always save them)

| I executed this again (on my copy system) and, lo and behold, it set
| up the Registry key and put back dfrgsrv.exe again!

| AVG didn't notice it originally - nor even when I asked it to
| specifically scan the codec EXE.

| I am wondering about my previously stated faith in the power of
| ZoneAlarm.
| Would the malware have tried to phone home in the guise of Explorer
| since the Reg Key was associated with that? If so, I might have
| allowed it!


Yes, these utilities need to clean the LIVE PC to access both the disk files and
the Registry of the affected OS.

What you posted, "mediacodec-v4.143.exe", was another in a series new variants of
the Zlob Trojan.
Kaspersky 4.0.2.24 04.14.2006 Trojan-Downloader.Win32.Zlob.li

 

[David H. Lipman]

From: "pOTRice" <[email protected]>

| More info - I've been trying to figure out how I got this malware -
| realised that the only thing that I had added knowingly recently was
| this . .

< snip >

BTW: In the future please obfuscate the URL of a malicious web site such that
newbies will not click on the URL and get infected.

For Example; hxxp://www.media-codec.com/v4/mediacodec-v4.143.exe

 

[pOTRice]

Sorry to be a pain - I found your comment about "LIVE pc" a bit
ambiguous . .

Have I done all that is needed to rid my PC of Zlob (removing Reg
entry and the EXE it triggers) or do I still need to run the
procedures you recommended?

Thanks for your tip about obfuscating the URL - I'm so paranoid about
my own safety I forgot about the danger I might cause to others.

 

[David H. Lipman]

From: "pOTRice" <[email protected]>

| Sorry to be a pain - I found your comment about "LIVE pc" a bit
| ambiguous . .
|
| Have I done all that is needed to rid my PC of Zlob (removing Reg
| entry and the EXE it triggers) or do I still need to run the
| procedures you recommended?
|
| Thanks for your tip about obfuscating the URL - I'm so paranoid about
| my own safety I forgot about the danger I might cause to others.
|

What I mean by a live PC is booting ther affected PC and then running the utilities on that
PC.
Basically, running the PC "live".

 

[Virus Guy]

What you posted, "mediacodec-v4.143.exe", was another in a series
new variants of the Zlob Trojan.
Kaspersky 4.0.2.24 04.14.2006 Trojan-Downloader.Win32.Zlob.li

I uploaded that file to virustotal - but VT has been acting funny
lately (for me anyways). After upload, I got a window telling me it
would send the results via e-mail. To hell with that. What's up with
VT these days?

I then uploaded it to jotti, where NOTHING was found across the board,
including Kaspersky.

Jotti does give a nice bit of info about the packers that are used
(UPX, PE_PATCH, UPACK in this case) and based on that it does declare
the file as suspicious (that, and the fact that sandbox emulation took
a long time).

 

[David H. Lipman]

From: "Virus Guy" <[email protected]>


|
| I uploaded that file to virustotal - but VT has been acting funny
| lately (for me anyways). After upload, I got a window telling me it
| would send the results via e-mail. To hell with that. What's up with
| VT these days?
|
| I then uploaded it to jotti, where NOTHING was found across the board,
| including Kaspersky.
|
| Jotti does give a nice bit of info about the packers that are used
| (UPX, PE_PATCH, UPACK in this case) and based on that it does declare
| the file as suspicious (that, and the fact that sandbox emulation took
| a long time).

Yeah, I had problems with the regular web page. However the Beta version of the new web
page works fine but the address is not for public consumption. As an alternate...
You can also submit a suspect, one at a time, via the following email URL...
mailto:[email protected]?subject=SCAN


DrWeb 4.33 04.14.2006 Trojan.Favadd
Fortinet 2.71.0.0 04.14.2006 suspicious
Ikarus 0.2.59.0 04.14.2006 Trojan.Favadd
Kaspersky 4.0.2.24 04.14.2006 Trojan-Downloader.Win32.Zlob.li
NOD32v2 1.1489 04.14.2006 Win32/TrojanDownloader.Zlob.LI
Panda 9.0.0.4 04.14.2006 Suspicious file

 

[Virus Guy]

Yeah, I had problems with the regular web page. However the Beta
version of the new web page works fine but the address is not for
public consumption. As an alternate...

Ok.

I just unpacked mediacodec-v4.143.exe with upx. Original was
something like 70kb. Unpacked version is 83,232 bytes.

Looking at the file, it is using the Nullsoft installer (Nullsoft
Install System v2.16). Doesn't seem to be any "unpacker" for that
type of archive. Lots of internal references to "Thawte"
certificates, as well as a reference to "www.media-codec.com" and
"www.kas.net.au".

I went back to VT and submitted the unpacked version. I got the "AV
scanning has stopped, but we'll send you the results via e-mail so
enter your e-mail address here". I entered an address and hit "ok"
(or what-ever). I immediately got the usual scan-results display
page(?!).

Again, nothing found across the board. Only Fortinet said
"suspicious".

Why am I seeing nothing, but you're seeing Zlob for this file?

 

[David H. Lipman]

From: "Virus Guy" <[email protected]>


|
| Ok.
|
| I just unpacked mediacodec-v4.143.exe with upx. Original was
| something like 70kb. Unpacked version is 83,232 bytes.
|
| Looking at the file, it is using the Nullsoft installer (Nullsoft
| Install System v2.16). Doesn't seem to be any "unpacker" for that
| type of archive. Lots of internal references to "Thawte"
| certificates, as well as a reference to "www.media-codec.com" and
| "www.kas.net.au".
|
| I went back to VT and submitted the unpacked version. I got the "AV
| scanning has stopped, but we'll send you the results via e-mail so
| enter your e-mail address here". I entered an address and hit "ok"
| (or what-ever). I immediately got the usual scan-results display
| page(?!).
|
| Again, nothing found across the board. Only Fortinet said
| "suspicious".
|
| Why am I seeing nothing, but you're seeing Zlob for this file?

I don't know. However I know that this use of so-called CODECS is the recent ploy to get
people infected with the ZLob Trojan which will in turn get the SmitFraud Trojan family
installed; SpyAxe, SpyStriker, SpywareQuake, etc.

Many new variants are being deployed on a regular bassis.

 

[pOTRice]

I have now carried out the procedures you recommended and here is the
report . .

Virus Scan Report File

--------------------------------------------------------------------------------
Virus Scan Information
--------------------------------------------------------------------------------

McAfee VirusScan for Win32 v4.40.0
Copyright (c) 1992-2004 Networks Associates Technology Inc. All rights
reserved.
(408) 988-3832 LICENSED COPY - Sep 23 2004

Scan engine v4.4.00 for Win32.
Virus data file v4741 created Apr 14 2006
Scanning for 186744 viruses, trojans and variants.

--------------------------------------------------------------------------------
Virus Scan Results
--------------------------------------------------------------------------------

04/14/2006 23:30:59

Options:
/ADL /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL /DEL
/PROGRAM /EXCLUDE C:\MCAFEE\EXCLIST.TXT /HTML
C:\MCAFEE\NORMAL_SCANREPORT.HTML

Scanning C: [Main]
Scanning C:\*.*
C:\Documents and Settings\Administrator\My Documents\Installers\USB
under DOS\LeakTest.exe ... Found potentially unwanted program
LeakTest.
The file or process has been deleted.
C:\Documents and Settings\Administrator\My Documents\Installers\USB
under DOS\xpkeys.zip\KEYFIND.EXE\OFFICEKEY.EXE ... Found potentially
unwanted program Generic PUP.a.
C:\Documents and Settings\Administrator\My Documents\Installers\USB
under DOS\zerocmos.zip\KILLCMOS.COM ... Found the KillCMOS.a trojan
!!!
C:\Documents and Settings\Administrator\My Documents\Installers\USB
under DOS\zerocmos.zip\DUMPCMOS.COM ... Found potentially unwanted
program KillCMOS.h.

Summary report on C:\*.*
File(s)
Total files: ........... 55422
Clean: ................. 55151
Possibly Infected: ..... 1
Cleaned: ............... 0
Deleted: ............... 1
Non-critical Error(s): 2
Master Boot Record(s): ......... 1
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0
Scanning D: [BACKUP]
Scanning D:\*.*
D:\060205_256A\LeakTest.exe ... Found potentially unwanted program
LeakTest.
The file or process has been deleted.

Summary report on D:\*.*
File(s)
Total files: ........... 4544
Clean: ................. 4538
Possibly Infected: ..... 0
Cleaned: ............... 0
Deleted: ............... 1
Non-critical Error(s): 1
Master Boot Record(s): ......... 1
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0


Time: 00:31.49

I was disappointed that this did not result in the deletion of the
offending EXE - dfrgsrv. However, it did get rid of the Registry key.

I noticed that it deleted LeakTest which I would have thought should
have been recognised as the well known firewall test program from
the "Shields Up" site.

Is this another example of rivalry between the various Anti-Virus tool
writers? I remember that Norton insisted that my AVG Pro-protected PC
had no existing virus protection!

Anyway - panic over - many thanks for all your help - I'll be more
carefull next time. It's almost got to the point where you need a
'clone' PC to experiment with before risking the security of your
'real' PC.

pOTRice

 

[YoKenny]

I have now carried out the procedures you recommended and here is the
report . .

Virus Scan Report File
--------------------------------------------------------------------------------

Scanning C: [Main]
Scanning C:\*.*
C:\Documents and Settings\Administrator\My Documents\Installers\USB
under DOS\LeakTest.exe ... Found potentially unwanted program
LeakTest.
The file or process has been deleted.
Scanning D: [BACKUP]
Scanning D:\*.*
D:\060205_256A\LeakTest.exe ... Found potentially unwanted program
LeakTest.
The file or process has been deleted.

I was disappointed that this did not result in the deletion of the
offending EXE - dfrgsrv. However, it did get rid of the Registry key.

I noticed that it deleted LeakTest which I would have thought should
have been recognised as the well known firewall test program from
the "Shields Up" site.

Is this another example of rivalry between the various Anti-Virus tool
writers? I remember that Norton insisted that my AVG Pro-protected PC
had no existing virus protection!

Anyway - panic over - many thanks for all your help - I'll be more
carefull next time. It's almost got to the point where you need a
'clone' PC to experiment with before risking the security of your
'real' PC.

pOTRice, this was discussed a lot over on the news.grc.com newsserver in
grc.leaktest a while back.
I believe Steve Gibson was going to release an updated version of Leaktest
to prevent this situation.

 

[David H. Lipman]

From: "pOTRice" <[email protected]>

| I have now carried out the procedures you recommended and here is the
| report . .
|
| Virus Scan Report File
|
| --------------------------------------------------------------------------------
| Virus Scan Information

< snip >

|
| I was disappointed that this did not result in the deletion of the
| offending EXE - dfrgsrv. However, it did get rid of the Registry key.
|
| I noticed that it deleted LeakTest which I would have thought should
| have been recognised as the well known firewall test program from
| the "Shields Up" site.
|
| Is this another example of rivalry between the various Anti-Virus tool
| writers? I remember that Norton insisted that my AVG Pro-protected PC
| had no existing virus protection!
|
| Anyway - panic over - many thanks for all your help - I'll be more
| carefull next time. It's almost got to the point where you need a
| 'clone' PC to experiment with before risking the security of your
| 'real' PC.
|
| pOTRice
|


The important think is if you are still infected with the ZLob Trojan and its friends and
famility components ?

As for the LeakTest utility... The McAfee AV scanner is set to a very aggressive scanning
mode to catch not only known viruses and Trojans but to catch non-viral malware and
"potentially
unwanted program" which could be adware/spyware or could be tools that can be used in a
malicious way. Some malware use legitimate tools to do malicious actions. It is best to
scan a remove malware and those that are not malware but can be used in a malicious way.
This way you can know that you are "clean".

As for the "clone" cocept, yes, that's a good idea.