Monday, February 25, 2008

postcard.gif.exe - 63e8fe1363431d2e56f38141a35278d3

* name: postcard.gif.exe
* size: 878374
* md5.: 63e8fe1363431d2e56f38141a35278d3



AntiVir 7.6.0.67/20080225 found [HIDDENEXT/Worm.Gen]
Authentium 4.93.8/20080226 found [could be infected with an unknown virus]
Avast 4.7.1098.0/20080225 found [IRC:Zapchast-D]
AVG 7.5.0.516/20080226 found [IRC/BackDoor.Flood]
BitDefender 7.2/20080226 found [Backdoor.Zapchast.Z]
ClamAV 0.92.1/20080226 found [Trojan.IRCBot-96]
DrWeb 4.44.0.09170/20080225 found [Win32.Parite.2]
eSafe 7.0.15.0/20080226 found [Win32.IRC.Zapchast]
Ewido 4.0/20080225 found [Backdoor.Zapchast.z]
F-Prot 4.4.2.54/20080225 found [W32/Heuristic-300!Eldorado]
F-Secure 6.70.13260.0/20080226 found [Backdoor.IRC.Zapchast]
Fortinet 3.14.0.0/20080225 found [REG/Zapchast.4D53!tr.bdr]
Ikarus T3.1.1.20/20080226 found [Backdoor.IRC.Zapchast]
Kaspersky 7.0.0.125/20080226 found [Backdoor.IRC.Zapchast]
McAfee 5237/20080225 found [IRC/Generic Flooder]
Microsoft 1.3204/20080226 found [Backdoor:IRC/Zapchast.AN]
NOD32v2 2901/20080225 found [IRC/Zapchast.Z]
Norman 5.80.02/20080225 found [Pinfi.A.dropper]
Rising 20.33.02.00/20080225 found [Win32.Parite.b]
Sophos 4.27.0/20080226 found [Mal/Zapchas-C]
Sunbelt 3.0.893.0/20080223 found [Trojan.Zapchas.F]
Symantec 10/20080226 found [IRC Trojan]
TheHacker 6.2.9.229/20080225 found [Adware/2Search]
VBA32 3.12.6.2/20080226 found [Trojan.IRC.Zapchast.H]
VirusBuster 4.3.26:9/20080225 found [IRC.Zapchast.AQ]
Webwasher-Gateway 6.6.2/20080225 found [Virus.HIDDENEXT/Worm.Gen]

ekvgsnw.dll - 39bfebf001bfdd44830076e378958c4a

* name: ekvgsnw.dll
* size: 84451
* md5.: 39bfebf001bfdd44830076e378958c4a


AntiVir 7.6.0.67/20080225 found [ADSPY/AdSpy.Gen]
AVG 7.5.0.516/20080226 found [Downloader.Zlob.SE]
Microsoft 1.3204/20080226 found [Adware:Win32/Vapsup]
Prevx1 V2/20080226 found [KAVKOP:Trojan-A]
Sophos 4.27.0/20080226 found [Mal/Zlob-I]
Webwasher-Gateway 6.6.2/20080225 found [Ad-Spyware.AdSpy.Gen]

dgtxrdfrmw.dll - 9432a1b6b11bf5247291e68763b25938

* name: dgtxrdfrmw.dll
* size: 108190
* md5.: 9432a1b6b11bf5247291e68763b25938


AVG 7.5.0.516/20080226 found [Downloader.Zlob.AAQ]
Microsoft 1.3204/20080226 found [Trojan:Win32/Zlob.ZWY]
Prevx1 V2/20080226 found [Downloader.Zlob]
VBA32 3.12.6.2/20080226 found [suspected of Downloader.Zlob.8]

bxlrvps.dll - 8120d45ce090c65fd864ac8f48cf87cf

* name: bxlrvps.dll
* size: 108451
* md5.: 8120d45ce090c65fd864ac8f48cf87cf

AntiVir 7.6.0.67/20080225 found [ADSPY/Agent.PB]
Avast 4.7.1098.0/20080225 found [Win32:Agent-LTS]
AVG 7.5.0.516/20080226 found [Downloader.Zlob.AAS]
Prevx1 V2/20080226 found [Generic.Malware]
VBA32 3.12.6.2/20080226 found [suspected of Downloader.Zlob.5]
Webwasher-Gateway 6.6.2/20080225 found [Ad-Spyware.Agent.PB]

alofkmn.dll - 0e962ef1d4eb86162cd02b72c4689d86

* name: alofkmn.dll
* size: 86422
* md5.: 0e962ef1d4eb86162cd02b72c4689d86


AVG 7.5.0.516/20080226 found [Downloader.Zlob.AAM]
F-Prot 4.4.2.54/20080225 found [W32/FakeAlert.E.gen!Eldorado]
Ikarus T3.1.1.20/20080226 found [Virus.Win32.Agent.LTS]
Prevx1 V2/20080226 found [Downloader.Zlob]
VBA32 3.12.6.2/20080226 found [suspected of Downloader.Zlob.5]

AlrtDrv.dll - 24326ce4cd6569dbc965c318c4c49d61

* name: AlrtDrv.dll
* size: 14326
* md5.: 24326ce4cd6569dbc965c318c4c49d61

AntiVir 7.6.0.67/20080225 found [TR/Crypt.XPACK.Gen]
Ikarus T3.1.1.20/20080226 found [BehavesLikeTrojan.ShellObject]
Kaspersky 7.0.0.125/20080226 found [Heur.Trojan.Generic]
Norman 5.80.02/20080225 found [W32/Smalltroj.CWNE]
Prevx1 V2/20080226 found [Downloader.Zlob]
Webwasher-Gateway 6.6.2/20080225 found [Trojan.Crypt.XPACK.Gen]

JavaCore.exe - 780913add22a55b787f3eb9934e8207f

* name: JavaCore.exe
* size: 79801
* md5.: 780913add22a55b787f3eb9934e8207f

BitDefender 7.2/20080225 found [Adware.JCore.A]
DrWeb 4.44.0.09170/20080224 found [Trojan.Insider.origin]
Fortinet 3.14.0.0/20080224 found [Adware/Insider]
Kaspersky 7.0.0.125/20080225 found [not-a-virus:AdWare.Win32.Insider.b]
Prevx1 V2/20080225 found [Generic.Malware]
TheHacker 6.2.9.228/20080223 found [Adware/Insider.b]

iqykxi.exe - ee3a48d89399e3ad6b1576a28db4d30d

* name: iqykxi.exe
* size: 183063
* md5.: ee3a48d89399e3ad6b1576a28db4d30d



AVG 7.5.0.516/20080226 found [SHeur.ATOO]
eSafe 7.0.15.0/20080221 found [Suspicious File]
F-Secure 6.70.13260.0/20080225 found [Backdoor.Win32.IRCBot.bol]
Fortinet 3.14.0.0/20080225 found [W32/IRCBot.BOL!tr.bdr]
Kaspersky 7.0.0.125/20080226 found [Backdoor.Win32.IRCBot.bol]
Microsoft 1.3204/20080226 found [Backdoor:Win32/Oderoor.gen!B]
NOD32v2 2901/20080225 found [Win32/Agent.NHE]
Panda 9.0.0.4/20080225 found [W32/MSNPhoto.AB.worm]
Prevx1 V2/20080226 found [SHeur.ATOO]
Webwasher-Gateway 6.6.2/20080225 found [Win32.Malware.gen (suspicious)]

antivir.exe - 448ea9863debe13966a7f809e7f8f8ff

* name: antivir.exe
* size: 42358
* md5.: 448ea9863debe13966a7f809e7f8f8ff

AntiVir 7.6.0.67/20080218 found [TR/Crypt.XPACK.Gen]
BitDefender 7.2/20080218 found [Trojan.Spy.ZBot.V]
eSafe 7.0.15.0/20080217 found [Suspicious File]
Sophos 4.26.0/20080218 found [Sus/Behav-192]
Webwasher-Gateway 6.6.2/20080218 found [Trojan.Crypt.XPACK.Gen]

Sunday, February 17, 2008

Safe Strip Related Submissions (Rogue)

Earlier today we received these 4 files from a user at BleepingComputer.com.
The detection is extremely low. I started to analyze these in my VM and figured it was worth mentioning these because very little information was available on Google.

The reason I titled this post "Safe Strip Related Submissions" is the URL I found in each of these files that takes you to the "Safe Strip" download page.

After running for about 15 minutes I finally started to get the balloon tips:

Even some pretty error messages:

And of course I can't forget my pretty new desktop background:

Oh yeah and a popup for advanced cleaner:

HijackThis entries associated with these:

O4 - HKLM\..\Run: [SMSERIALWORKSTARTER] "C:\WINDOWS\comsysobj.exe"
O4 - HKLM\..\Run: [SMSERIALWORKERSTART] "C:\WINDOWS\shellexcon.exe"
O4 - HKLM\..\Run: [SMSERIALSTARTER] "C:\WINDOWS\win32st.exe"
O4 - HKLM\..\Run: [SMSERIALWORKERSTARTER] "C:\WINDOWS\winstrse.exe"

VirusTotal scans:

* name: winstrse.exe
* size: 13899
* md5.: ed5db9136e502a87bdc20f36c787a977


Webwasher-Gateway 6.6.2/20080215 found [Virus.Win32.FileInfector.gen!90 (suspicious)]


* name: comsysobj.exe
* size: 13477
* md5.: 17195c2104aee64b598aa815332bb6a4


Panda 9.0.0.4/20080217 found [Adware/SpyBurner]
Webwasher-Gateway 6.6.2/20080215 found [Virus.Win32.FileInfector.gen!90 (suspicious)]

* name: shellexcon.exe
* size: 15479
* md5.: 3fe0e32201f34616edb7447e976df470

AntiVir 7.6.0.67/20080215 found [HEUR/Malware]
Webwasher-Gateway 6.6.2/20080215 found [Heuristic.Malware]



* name: win32st.exe
* size: 36864 bytes
* md5.: 7dfb42300357f7b50ba763497e6c41c7

AntiVir 7.6.0.67/20080215 found [HEUR/Malware]
Webwasher-Gateway 6.6.2/20080215 found [Heuristic.Malware]


The files had the following URLs in the strings:

http: //theonlybookmark.com/in.cgi
http: //safe-strip-download.com/soft/in.cgi



Once the files finally started doing their thing I finally got a new IE window that opened to a SystemErrorFixer webpage:
http: //systemerrorfixer.com/clean/?cmpname=swpges31&eai=
swp_ges&eli=3948&eaf=pp_1685211491&eu=http%3A%2F%2F advancedcleaner.com%2F.cleaner%2Findex.php%3Ftmn%3 Dadctmp%26clone_name%3Dswpadcex %26led%3D3948%26afr% 3Dpp_1685211491&ed=0&ex=0&h=10&cmpname=null&mt_info= 4141_0_1556
and to
https ://www.anonymouschannel.com/home?pin=anzf3e

Which appears to be a fake Virtual Private Network manager.

Thanks to WlkingMan for submitting these files.


Surf Safe,
Dave

Saturday, February 16, 2008

svchost.exe - 9e3c13b6556d5636b745d3e466d47467

* name: svchost.exe-submit.zip
* size: 15783
* md5.: 9e3c13b6556d5636b745d3e466d47467


AntiVir 7.6.0.67/20080215 found [W32/Hidrag.a]
Authentium 4.93.8/20080215 found [W32/Jeefo.A]
Avast 4.7.1098.0/20080215 found [Win32:Jeefo]
AVG 7.5.0.516/20080216 found [Win32/Hidrag.A]
BitDefender 7.2/20080216 found [Win32.Jeefo.A]
CAT-QuickHeal None/20080216 found [W32.Jeefo.A]
ClamAV 0.92.1/20080216 found [W32.Jeefo-3]
DrWeb 4.44.0.09170/20080216 found [Win32.HLLP.Jeefo.36352]
eSafe 7.0.15.0/20080214 found [Win32.Hidrag.a]
eTrust-Vet 31.3.5541/20080215 found [Win32/Jeefo.A]
Ewido 4.0/20080216 found [Worm.VB.dz]
F-Prot 4.4.2.54/20080215 found [W32/Jeefo.A]
F-Secure 6.70.13260.0/20080215 found [Virus.Win32.Hidrag.a]
Fortinet 3.14.0.0/20080216 found [W32/Jeefo.A]
Ikarus T3.1.1.20/20080216 found [Win32.Hidrag]
Kaspersky 7.0.0.125/20080216 found [Virus.Win32.Hidrag.a]
McAfee 5231/20080215 found [W32/Jeefo]
Microsoft 1.3204/20080216 found [Virus:Win32/Jeefo.A]
NOD32v2 2880/20080215 found [Win32/Jeefo.A]
Norman 5.80.02/20080215 found [W32/Hidrag.A]
Panda 9.0.0.4/20080216 found [W32/Jeefo.A.drp]
Prevx1 V2/20080216 found [Generic.Malware]
Rising 20.31.50.00/20080216 found [Win32.Hidrag]
Sophos 4.26.0/20080216 found [W32/Jeefo-A]
Sunbelt 2.2.907.0/20080216 found [Jeefo (v)]
Symantec 10/20080216 found [W32.Jeefo]
TheHacker 6.2.9.221/20080215 found [W32/Jeefo.gen]
VBA32 3.12.6.1/20080214 found [Win32.HLLP.Jeefo]
VirusBuster 4.3.26:9/20080215 found [Win32.Hidrag]
Webwasher-Gateway 6.6.2/20080215 found [Win32.Hidrag.a]


Ma72Pan.exe - 9b6a68204fa80c20d39ebd0da0024085

* name: Ma72Pan.exe-submit.zip
* size: 84508
* md5.: 9b6a68204fa80c20d39ebd0da0024085


Ikarus T3.1.1.20/20080217 found [Backdoor.Win32.Rbot.c]



Thursday, February 14, 2008

rjmtjp.exe - d54d475125f7f6aa48d42f3f1122193a


* name: rjmtjp.exe
* size: 11910
* md5.: d54d475125f7f6aa48d42f3f1122193a

AVG 7.5.0.516/20080213 found [BackDoor.RBot.BI]
BitDefender 7.2/20080214 found [Backdoor.Irc.Sdbot.KC]
DrWeb 4.44.0.09170/20080213 found [BackDoor.IRC.Sdbot.945]
eSafe 7.0.15.0/20080213 found [Suspicious File]
F-Secure 6.70.13260.0/20080214 found [W32/Ircbot.dam]
Norman 5.80.02/20080213 found [W32/Ircbot.dam]
Panda 9.0.0.4/20080214 found [W32/Poebot.MW.worm]
Prevx1 V2/20080214 found [Worm.Ircbot.Gen]
Symantec 10/20080214 found [W32.IRCBot.Gen]
Webwasher-Gateway 6.6.2/20080214 found [Win32.Malware.dam (suspicious)]

packers: PE_Patch
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=AFC4ACC53825F0C930750061744E5E003D313D9A

Wednesday, February 13, 2008

Setup.exe - dd13a676ffee2688d9046c3084362feb


* name: Setup.exe
* size: 58794
* md5.: dd13a676ffee2688d9046c3084362feb

AntiVir 7.6.0.65/20080213 found [WORM/P2P.Kapucen.Gen]
Authentium 4.93.8/20080213 found [W32/Kapucen.gen1@p2p]
Avast 4.7.1098.0/20080213 found [Win32:Kapucen]
AVG 7.5.0.516/20080213 found [Win32/Puce.C]
BitDefender 7.2/20080213 found [Win32.Worm.P2P.Puce.G]
CAT-QuickHeal None/20080213 found [I-Worm.Kapucen.b]
ClamAV 0.92/20080213 found [Worm.Puce.E]
DrWeb 4.44.0.09170/20080213 found [Win32.HLLW.Puce]
eTrust-Vet 31.3.5532/20080212 found [Win32/Puce.D]
F-Prot 4.4.2.54/20080212 found [W32/Kapucen.gen1@p2p]
F-Secure 6.70.13260.0/20080213 found [P2P-Worm.Win32.Kapucen.b]
Fortinet 3.14.0.0/20080213 found [W32/Kapucen.B!worm.p2p]
Ikarus T3.1.1.20/20080213 found [P2P-Worm.Win32.Kapucen.b]
Kaspersky 7.0.0.125/20080213 found [P2P-Worm.Win32.Kapucen.b]
McAfee 5228/20080212 found [W32/Puce]
Microsoft 1.3204/20080213 found [Worm:Win32/Puce.Y]
NOD32v2 2872/20080213 found [Win32/Kapucen.B]
Norman 5.80.02/20080212 found [Kapucen.A]
Panda 9.0.0.4/20080213 found [W32/Puce.E.worm]
Prevx1 V2/20080213 found [TROJAN.MUDROP.DU]
Sophos 4.26.0/20080213 found [W32/Puce-H]
Symantec 10/20080213 found [W32.Ecup]
VirusBuster 4.3.26:9/20080213 found [Worm.Kapucen.A]
Webwasher-Gateway 6.6.2/20080213 found [Worm.P2P.Kapucen.Gen]

Tuesday, February 12, 2008

AcroIEHelper.dll - 32929bace82a07c26c1d3877176cb2a9

* submitter: Milkdad
* name: AcroIEHelper.dll
* size: 227894
* md5.: 32929bace82a07c26c1d3877176cb2a9


AntiVir 7.6.0.62/20080212 found [TR/Dldr.Delf.eqb.1]
AVG 7.5.0.516/20080211 found [Downloader.Generic6.AICW]
BitDefender 7.2/20080212 found [Trojan.Downloader.Codec.E]
CAT-QuickHeal None/20080211 found [TrojanDownloader.Delf.eqb]
F-Prot 4.4.2.54/20080211 found [W32/Banload.E.gen!Eldorado]
F-Secure 6.70.13260.0/20080212 found [Trojan-Downloader.Win32.Delf.eqb]
Fortinet 3.14.0.0/20080212 found [W32/Delf.EQB!tr.dldr]
Ikarus T3.1.1.20/20080212 found [Trojan-Downloader.Delf.OGX]
Kaspersky 7.0.0.125/20080212 found [Trojan-Downloader.Win32.Delf.eqb]
Microsoft 1.3204/20080211 found [Trojan:Win32/Delflob.I]
Prevx1 V2/20080212 found [Generic.Malware]
Webwasher-Gateway 6.6.2/20080212 found [Trojan.Dldr.Delf.eqb.1]

packers: ASPack
AVs that added detection because of your submission:

Avira: TR/Dldr.Delf.eqb.1

Monday, February 11, 2008

And so it begins.....

The new wave of Storm is flowing just in time for Valentine's. At the time of this post I've only received 3 emails for it and I imagine a lot more to come.

The first with the subject "Phone Love" and a body that simply contained the following:
Love Machine http:// 24.131.212.16/

I of course went to the page to get the newest version and this was the image I found.

Onto the next one I received:
Subject: Valentine Invitation
Body:
Happy Valentine's Day! http:// 200.75.106.166

And yet another pretty pic.

Now for the third:

Subject: Be My Valentine
Body:
Valentine Friends http:// 59.92.53.16/

Ahh another pretty pic, reminds me of elementary school.

The one thing all of the files have in common is no detection at the time of the post!
Be very careful opening any valentines emails that you receive; they could be more trouble than you ever wanted.

http:// 24.131.212.16/ - valentine.exe MD5: d1789d5bbc74bcf4def368f9b9db303e
http:// 200.75.106.166/ - valentine.exe MD5: 8ef7be6c05aca940b1e9cf677d471a41
http:// 59.92.53.16/ - valentine.exe MD5: 74ca598169f8fdee49d04e22c8ac7514

While I was writing this I received another one but it seems to be dead already. Here is the info from it.

Subject: You're Super Sweet
Body:
Love Rose http:// 203.128.211.219/

I've stayed away from the technical details here at least for now. Our friends over at asert.arbornetworks.com have posted some details; check it out at:
http://asert.arbornetworks.com/2008/02/new-storm-valentines-day-campaign/

Edit:

Here's some more of the images:


More subject lines and bodies:

Just you: Rockin' Valentine http:// 71.156.93.100/
Rockin' Valentine: My Love http:// 65.34.217.24/
Rockin' Valentine: Powerful Love http:// 58.63.155.16/
My Heart: World Love http:// 76.68.144.52/


Safe surfing!
Uploadmalware.com

The Mega-D botnet that everyone was led to believe was so huge apparently isn't, according to a recent blog post at asert.arbornetworks.com.

SecureWorks: Ozdok/Mega-D Trojan Analysis

by Danny McPherson

Enabled by some spam samples Marshal provided, Joe Stewart and the good folks @SecureWorks, with an assist from Team Cymru and my|NetWatchman, have identified the malware and botnet referred to as Mega-D.

It turns out Mega-D is composed of bots from the little-known Ozdok malware family. Joe provides some analysis on scale and distribution of the botnet here, as well as some detailed bits on behaviors of the Trojan itself.

Based solely on the hostnames provided in the analysis we (Jose, actually) was able to find three samples in our database, with dates all well over a year old:


Read the full story at the link below.

http://asert.arbornetworks.com/2008/02/secureworks-ozdokmega-d-trojan-analysis/

video.exe - 9f36a92add503d6c08a97d5dc0d5eb8c



* name: video.exe
* size: 91831
* md5.: 9f36a92add503d6c08a97d5dc0d5eb8c


AntiVir 7.6.0.62/20080208 found [TR/Dropper.Gen]
eSafe 7.0.15.0/20080128 found [suspicious Trojan/Worm]
Ikarus T3.1.1.20/20080210 found [Trojan-Spy.Win32.Banker.caw]
Panda 9.0.0.4/20080209 found [Suspicious file]
VBA32 3.12.6.0/20080209 found [suspected of Trojan-IM.VB.1 (paranoid heuristics)]
Webwasher-Gateway 6.6.2/20080209 found [Trojan.Dropper.Gen]


packers: UPX_LZMA
AVs that added detection because of your submission:

Trojan-Downloader.Win32.Banload.hjl

album_leticia.exe - 532c3c5674bb03464d4d990c291d8a14


* name: album_leticia.exe
* size: 14794
* md5.: 532c3c5674bb03464d4d990c291d8a14


ClamAV 0.92/20080210 found [Trojan.Downloader-13210]
Rising 20.29.22.00/20080130 found [Trojan.DL.Win32.Agent.ejs]
Webwasher-Gateway 6.6.2/20080210 found [Virus.Win32.FileInfector.gen!90 (suspicious)]


AVs that added detection based on your submission:

Avira Lab: TR/Dldr.Agent.iwf
Kaspersky: Trojan-Downloader.Win32.Agent.iwf

elxxfghg.dll - 227f6af6fb4ae8063b5f7348fd9694ee


* name: elxxfghg.dll
* size: 80084 bytes
* md5.: 227f6af6fb4ae8063b5f7348fd9694ee


AntiVir 7.6.0.62/20080210 found [TR/Dldr.ConHook.Gen]
Avast 4.7.1098.0/20080210 found [Win32:TratBHO]
AVG 7.5.0.516/20080210 found [Lop]
BitDefender 7.2/20080210 found [Trojan.Vundo.DYM]
DrWeb 4.44.0.09170/20080210 found [Trojan.Virtumod.272]
eTrust-Vet 31.3.5522/20080208 found [Win32/Vundo.MO]
F-Prot 4.4.2.54/20080210 found [W32/Virtumonde.G.gen!Eldorado]
Ikarus T3.1.1.20/20080210 found [not-a-virus:AdWare.Win32.Virtumonde]
Kaspersky 7.0.0.125/20080210 found [not-a-virus:AdWare.Win32.Virtumonde.gen]
Microsoft 1.3204/20080210 found [Trojan:Win32/Vundo.gen!A]
Norman 5.80.02/20080208 found [W32/Virtumonde.KYQ]
Panda 9.0.0.4/20080210 found [Suspicious file]
Sophos 4.26.0/20080210 found [Troj/Virtum-Gen]
Symantec 10/20080210 found [Trojan.Adclicker]
TheHacker 6.2.9.215/20080209 found [Adware/Virtumonde.gen]
VirusBuster 4.3.26:9/20080210 found [Adware.Vundo.V.Gen]
Webwasher-Gateway 6.6.2/20080210 found [Trojan.Dldr.ConHook.Gen]




sbsm.exe - ead7b53b7a67d39dfe74ff6fe981d389

* size: 2759 bytes
* md5.: ead7b53b7a67d39dfe74ff6fe981d389

AVG 7.5.0.516/20080211 found [Downloader.Zlob]
F-Secure 6.70.13260.0/20080211 found [Trojan-Downloader.Win32.Zlob.hku]
Kaspersky 7.0.0.125/20080211 found [Trojan-Downloader.Win32.Zlob.hku]
NOD32v2 2865/20080211 found [Win32/TrojanDownloader.Zlob.BPH]
Prevx1 V2/20080211 found [Downloader.Zlob]
Symantec 10/20080211 found [Trojan.Startpage]
VirusBuster 4.3.26:9/20080211 found [Trojan.DL.Zlob.Gen.34]



Edit 1: Added by Ikarus as Virus.Win32.Zlob.AJV
Edit 2: Added by Avira as TR/Dldr.Zlob.hku
Edit 3: Added by DrWeb as Virus: Trojan.Popuper