Author Topic: something new that i can't find anywhere  (Read 8289 times)

languy

« on: March 22, 2006, 08:06:26 PM »
Hey guys, got a little problem. This morning as I turned my comp on, I got a warning from ZoneAlarm that a program named voblaizdupla.exe wanted access to the internet. I said no of course and googled it; nothing came up. I used MetaCrawler and got one page, and there have been other people that have gotten this warning too, but no one knows what it is. I will do a scan with everything I have to see if I can catch it. Does anyone know what this program is?

languy

« Reply #1 on: March 22, 2006, 09:24:36 PM »
Well, I found what it is: it's a trojan. I put it through the free online scan from Kaspersky. In my system it sits in c:\windows\system32\voblaizdupla.exe. This is what the scanner said:

Scanned file: voblaizdupla.exe - Infected
voblaizdupla.exe - infected by Trojan-Downloader.Win32.Small.ciw

They just found out about it on 3/22/06, so basically today. I don't know how it got in, that's the problem. I run avast all the time, and have not downloaded anything other than maybe some mp3 and things like that. Well, if anyone can help, it would be nice if an update appeared with avast that got it taken care of.

Lisandro

  • Avast team
« Reply #2 on: March 22, 2006, 09:44:02 PM »
WinPatrol http://www.winpatrol.com/
What Process? http://www.what-process.com
Process Library http://www.processlibrary.com/

give nothing too... seems a new one, a trojan that generates random exe files...

You could add some info here:
http://www.what-process.com/add-process.aspx
The best things in life are free.

CharleyO

« Reply #3 on: March 22, 2006, 09:44:23 PM »
***

We have had a virus database update today (0612-1) ... though I am not sure Avast will call this by the same name as Kaspersky. You can see the VPS for today (and other days) at the link below. The 0612-0 update had several Win32:Small updates but this may still be another version. Win32:Small.ciw is not listed that way if it is included.

http://www.avast.com/eng/vps_history.html

Have you had an update today?


***

languy

« Reply #4 on: March 22, 2006, 10:18:51 PM »
Yes, I did have the newest update and even did a boot-time scan with it; nothing, it didn't even pick it up. I also used Trend Micro and that didn't catch it.

languy

« Reply #5 on: March 22, 2006, 10:27:33 PM »
I found some more info. Someone got some info on the IP address it tries to contact, and this is what I found; I got it off the Google Groups thing:

 
I know how to deal with it. I want to know what EXACTLY it is, what it
does, how did it get there?

Did the internic thing,
inetnum:         81.177.3.0 - 81.177.3.255
netname:         BESTTEST-RU
descr:           besTTest - HW lab,
descr:           Moscow, Russia
country:         RU
admin-c:         AV1919-RIPE
tech-c:          AV1919-RIPE
status:          ASSIGNED PA
mnt-by:          AS8342-MNT
source:          RIPE # Filtered
person:          Anatoliy Voronin
address:         BesTTest HardWare Lab.
address:         125364, Moscow, Russia
address:         Norilskaya str., 13A
e-mail:          admin@besttest.ru
e-mail:          vandal@allforum.ru
remarks:         phone:        +7 095 5447337
phone:           +7 495 5447337
remarks:         fax-no:       +7 095 5447337
fax-no:          +7 495 5447337
nic-hdl:         AV1919-RIPE
source:          RIPE # Filtered
remarks:         modified for Russian phone area changes
% Information related to '81.176.0.0/15AS8342'
route:           81.176.0.0/15
descr:           RTCOMM-RU
origin:          AS8342
mnt-by:          AS8342-MNT
source:          RIPE # Filtered



Looks like a Russian Zombie Bot Master. My question would be "How did
he get his little file on my machine???"
« Last Edit: March 22, 2006, 10:32:05 PM by languy »

CharleyO

« Reply #6 on: March 22, 2006, 11:49:24 PM »
***

While it does seem to be somewhat suspicious, maybe this Google search will shed some light.

http://search.earthlink.net/search?q=BesTTest+HardWare+Lab&area=earthlink-ws&FD=0&channel=narrowband

Maybe you have recently added some software or program that might be causing this? Anatoliy Voronin does not seem to be hiding and has a company website.


***

languy

« Reply #7 on: March 23, 2006, 05:08:55 PM »
Maybe he just works for them, or maybe he is just using one of their servers with the company knowing it. Anyone else find out any info? I also sent the file to www.virustotal.com and they will also distribute it to software companies to see if they can find out what it is. This is the result I got; some virus companies know about it, why don't you guys add it to your list?

Antivirus           Version         Update      Result
AntiVir             6.34.0.14       03.23.2006  TR/Dldr.Small.ciw.5
Avast               4.6.695.0       03.23.2006  no virus found
AVG                 386             03.23.2006  Downloader.Generic.VGO
Avira               6.34.0.54       03.23.2006  TR/Dldr.Small.ciw.5
BitDefender         7.2             03.23.2006  Trojan.Downloader.Tibs.BT
CAT-QuickHeal       8.00            03.23.2006  no virus found
ClamAV              devel-20060126  03.23.2006  no virus found
DrWeb               4.33            03.23.2006  Trojan.DownLoader.6811
eTrust-InoculateIT  23.71.109       03.23.2006  Win32/Sinteri.7095!Trojan
eTrust-Vet          12.4.2131       03.23.2006  Win32/Sinteri!downloader
Ewido               3.5             03.23.2006  Downloader.Small.ciw
Fortinet            2.71.0.0        03.23.2006  W32/Small.CIW!dldr
F-Prot              3.16c           03.22.2006  no virus found
Ikarus              0.2.59.0        03.23.2006  Trojan-Downloader.Win32.Small.CIW
Kaspersky           4.0.2.24        03.23.2006  Packed.Win32.Tibs
McAfee              4724            03.22.2006  no virus found
NOD32v2             1.1455          03.22.2006  no virus found
Norman              5.70.10         03.23.2006  no virus found
Panda               9.0.0.4         03.23.2006  Suspicious file
Sophos              4.03.0          03.23.2006  Troj/DwnLdr-AJY
Symantec            8.0             03.23.2006  Download.Trojan
TheHacker           5.9.7.118       03.23.2006  no virus found
UNA                 1.83            03.23.2006  TrojanDownloader.Win32.Small
VBA32               3.10.5          03.22.2006  Trojan.DownLoader.6811
« Last Edit: March 23, 2006, 05:31:06 PM by languy »
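
Added example, not part of the thread: a short Python triage of the multi-engine results posted above, grouping engines by a rough family key to show how one file ends up under several names (the point raised in Reply #3 about vendors naming it differently). The `GENERIC` word list and the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Ten rows copied from the scan table in the post above (a subset, for brevity).
SCAN_TABLE = """\
AntiVir 6.34.0.14 03.23.2006 TR/Dldr.Small.ciw.5
Avast 4.6.695.0 03.23.2006 no virus found
BitDefender 7.2 03.23.2006 Trojan.Downloader.Tibs.BT
DrWeb 4.33 03.23.2006 Trojan.DownLoader.6811
eTrust-InoculateIT 23.71.109 03.23.2006 Win32/Sinteri.7095!Trojan
Fortinet 2.71.0.0 03.23.2006 W32/Small.CIW!dldr
Ikarus 0.2.59.0 03.23.2006 Trojan-Downloader.Win32.Small.CIW
Kaspersky 4.0.2.24 03.23.2006 Packed.Win32.Tibs
Panda 9.0.0.4 03.23.2006 Suspicious file
VBA32 3.10.5 03.22.2006 Trojan.DownLoader.6811
"""

# The MM.DD.YYYY date is the only fixed-format column, so the regex anchors on it.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+?)\s*$")
# Assumption: words treated as generic, i.e. carrying no family information.
GENERIC = {"trojan", "downloader", "download", "dldr", "tr", "win32", "w32",
           "packed", "suspicious", "file"}

def family(verdict):
    """Rough family key: first verdict token that is neither generic nor numeric."""
    for tok in re.split(r"[./!\-\s]+", verdict.lower()):
        if tok and tok not in GENERIC and not tok.isdigit():
            return tok
    return "generic"

def triage(table):
    """Group detecting engines by family key; also list the engines that missed."""
    groups, missed = defaultdict(list), []
    for line in table.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header or blank line
        engine, _version, _date, verdict = m.groups()
        if verdict.lower() == "no virus found":
            missed.append(engine)
        else:
            groups[family(verdict)].append(engine)
    return dict(groups), missed

if __name__ == "__main__":
    groups, missed = triage(SCAN_TABLE)
    for name, engines in sorted(groups.items()):
        print(f"{name:8} {', '.join(engines)}")
    print(f"missed   {', '.join(missed)}")
```

On these rows the same sample falls under three family keys (small, tibs, sinteri) plus generic or heuristic verdicts, so searching another vendor's signature history for "Small.ciw" alone can miss an existing detection.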

languy

« Reply #8 on: March 23, 2006, 05:58:58 PM »
Also found something else: it's got a prefetch file too. I did a search (Start\Search) and got this: VOBLAZDUPLA.EXE-1B41BE58.pf, and it's located in C:\windows\prefetch

Lisandro
« Reply #9 on: March 23, 2006, 06:27:36 PM »
Quote from languy:
also found something else its got a prefetch file too, i did a search (start\search) and got this VOBLAZDUPLA.EXE-1B41BE58.pf and its located in C:\windows\prefetch

This file is there because Windows stores the info about the executables used in the computer.
It is an attempt at speeding up application start.
This .pf file doesn't harm your system. It only indicates that you ran the .exe in the past.
You can delete it safely.
The best things in life are free.
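
Added example, not part of the thread: because a .pf entry records that an executable ran, a Prefetch folder can be searched to confirm execution of a suspect file. This Python sketch matches names loosely, since the prefetch name as written in the thread (VOBLAZDUPLA.EXE) differs by one letter from the file name reported earlier (voblaizdupla.exe); the function name and the 0.9 similarity threshold are assumptions of the example.

```python
import re
from datetime import datetime, timezone
from difflib import SequenceMatcher
from pathlib import Path

# Prefetch entries are named <EXE NAME>-<8 hex digits>.pf; the hex part is a
# hash of the path the program was started from.
PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)

def find_executions(prefetch_dir, suspects, threshold=0.9):
    """List prefetch entries whose executable name equals or closely resembles
    one of `suspects`, with the file's modification time (roughly the last run)."""
    hits = []
    for entry in sorted(Path(prefetch_dir).iterdir()):
        m = PF_NAME.match(entry.name)
        if not m:
            continue  # Layout.ini and other non-prefetch files
        exe = m.group("exe").lower()
        for suspect in suspects:
            score = SequenceMatcher(None, exe, suspect.lower()).ratio()
            if score >= threshold:
                mtime = datetime.fromtimestamp(entry.stat().st_mtime, timezone.utc)
                hits.append({"file": entry.name, "exe": exe,
                             "path_hash": m.group("hash").upper(),
                             "suspect": suspect, "similarity": round(score, 3),
                             "last_run_utc": mtime})
    return hits

if __name__ == "__main__":
    import sys
    # Usage: python pf_check.py C:\Windows\Prefetch voblaizdupla.exe
    for hit in find_executions(sys.argv[1], sys.argv[2:]):
        print(hit)
```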

DavidR

  • Avast Überevangelist
« Reply #10 on: March 23, 2006, 09:09:35 PM »
If you are not getting a virus warning on what you believe is a new, undetected virus, then zip and password protect ('virus' will do) the suspect file and send it to virus @ avast.com (no spaces), or send it from the chest.

Give a brief outline of the problem (possibly a link to this thread), the fact that you believe it to be a new, undetected virus, and include the password in the body of the email. Some info on the avast version and VPS number (see About avast {right-click the avast icon}) will also help.

1. Once you have sent it to avast, they will have a sample that they can use to update the VPS signatures.
2. Add the infected file/s to the User Files section of the virus chest and periodically scan those files inside the chest; when they are detected, this will show it is in the VPS and you can delete it from the chest.

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode: Ewido Security Suite. This is more of a specialist anti-trojan program.

languy

« Reply #11 on: March 23, 2006, 09:30:15 PM »
OK, done, I sent it. Yeah, I might just have to download Ewido because from the list I have it can detect that trojan.

languy

« Reply #12 on: March 23, 2006, 10:51:35 PM »
OK, downloaded Ewido and installed it; it does catch it, so that's good. But I will wait to see if avast will have an update and catch it. I have it blocked off from the net so it can't do anything, it's just sitting there. We will see what happens. I just did another search on Google and there are a ton more pages popping up, so the word is getting out slowly.

Lisandro
« Reply #13 on: March 23, 2006, 11:57:12 PM »
Quote from languy:
ok downloaded ewido and installed it it does catch it

What is the name of the malware (not the file name)?

Quote from languy:
i just did another search on google and there are a ton more pages popping up. so the word is getting out slowely.

Maybe you were the first one... I don't know if I congratulate you or if I cry for you  ;D
The best things in life are free.

CharleyO

« Reply #14 on: March 24, 2006, 12:56:00 AM »
***

Well, languy surely is the first on this forum to "catch it" and, thankfully for the rest of us, came here to report it.    :D


***