With Zlobs being around for a while

[Duh_OZ]

With Z's being around for a bit why do so many AV def's still miss
them? I have them checked out now and then VIA VirusTotal and never
had a great 'hit rate'

Latest:
Authentium 4.93.8 05.23.2007 W32/Downloader.BDTA
BitDefender 7.2 06.09.2007 Trojan.Zlob.BQE
F-Prot 4.3.2.48 06.08.2007 W32/Downloader.BDTA
Kaspersky 4.0.2.24 06.09.2007 Trojan-Downloader.Win32.Zlob.bqu

Just four - not even a 'suspicious' from the other vendors.

Just wondering.

BTW the file was downloaded from(broken into to lines for extra
safety) : hxxp://xxx.activexmediatour
..com/download.php?id=1752

 

[Virus Guy]

BTW the file was downloaded from:
hxxp://xxx.activexmediatour.com/download.php?id=1752

http://www.siteadvisor.com/sites/activexmediatour.com/postid?p=378373

Google turns up no hits at all pertaining to activexmediatour.com.

That domain was registered with ESTDOMAINS.

You might find this familliar:

http://tinyurl.com/3clua6

See also:

http://hostingfu.com/article/i-almost-signed-estdomains-reseller-account
http://www.aboutus.org/EstDomains.com

 

[David H. Lipman]

From: "Duh_OZ" <[email protected]>

| With Z's being around for a bit why do so many AV def's still miss
| them? I have them checked out now and then VIA VirusTotal and never
| had a great 'hit rate'
|
| Latest:
| Authentium 4.93.8 05.23.2007 W32/Downloader.BDTA
| BitDefender 7.2 06.09.2007 Trojan.Zlob.BQE
| F-Prot 4.3.2.48 06.08.2007 W32/Downloader.BDTA
| Kaspersky 4.0.2.24 06.09.2007 Trojan-Downloader.Win32.Zlob.bqu
|
| Just four - not even a 'suspicious' from the other vendors.
|
| Just wondering.
|
| BTW the file was downloaded from(broken into to lines for extra
| safety) : hxxp://xxx.activexmediatour
| .com/download.php?id=1752

Because they are being generated almost daily.

They morph all the time.

 

[Duh_OZ]

Because they are being generated almost daily.

They morph all the time.

Come to think of it I never did try submitting a Zlob that was at
least a few weeks old to see what was reported back. I have the
current one sitting on the old CPU (and password protected so I don't
accidentally try running it) and I'll send it off to VirusTotal in a
few weeks.

 

[David H. Lipman]

From: "Duh_OZ" <[email protected]>


| Come to think of it I never did try submitting a Zlob that was at
| least a few weeks old to see what was reported back. I have the
| current one sitting on the old CPU (and password protected so I don't
| accidentally try running it) and I'll send it off to VirusTotal in a
| few weeks.

Yeah, this is a NEW variant and a new site.

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com

Domain Name: ACTIVEXMEDIATOUR.COM

Registrant:
Privacyprotect.org
Domain Admin ([email protected])
PO Box 83-000
Johnsonville
All Postal Mails Rejected, visit Privacyprotect.org
Wellington
null,6440
NZ
Tel. +45.36946676

Creation Date: 06-Jun-2007
Expiration Date: 06-Jun-2008