
Voblaizdupla update

March 26th, 2006 · Posted by Skuds in Technology · 5 Comments

Since I wrote about voblaizdupla the other day, a couple of things have happened.

Firstly the word voblaizdupla has shot to the top, by a large margin, of the search terms used to find this site.

Secondly, Google now has some hits for this, including a link to a thread on the vnunet forums about it. It sounds like a nasty little bugger. One poster there says:

VOBLAIZDUPLA.EXE is a trojan downloader that downloads a file called parad.raw.exe from a webserver that is still up. From the webserver it downloads a clean dll called zlbw.dll and some garbage files, then a copy of parad.raw.exe is made and called taskdir.exe. Taskdir.exe is a new variant of the trojan Lager. It contains an embedded dll called taskdir.dll.

taskdir.dll is then “injected” into every system process. This dll has “rootkit” features, because it hides every file or directory called “taskdir” from the user’s eyes (this is to hide taskdir.exe execution).

Fortunately, a subsequent poster says:

There is a program that will remove it, and can be downloaded with a 60 day free trial. Prevx1:
http://info.prevx.com/downloadremove.asp

All the antivirus companies are probably working their socks off to incorporate this into their updates, but that download might be worth looking into. As my firewall blocked the original attempt to call out I do not have parad.raw.exe or zlbw.dll anywhere.

Today’s heartfelt consumer recommendation – ZoneAlarm firewall. I’m using the free version and it’s saved me a lot of hassle by blocking this attempt to do all sorts of nastiness to my PC.


5 Comments so far

  • allan

    Also found zhopaizdupla.exe behaving the same way in /system32. It is mutating. Can someone post the sites that it is trying to connect to or a url string that I could use to block activity on the router/firewall?

  • allan

    Also, I opened the DLL file in notepad and found the following ascii text within the contents. I wonder if those files are also infected, they have similar file dates. I have been experiencing loadLibraryA BO:HEAP problems lately. hmmm…

    KERNEL32.DLL ADVAPI32.DLL CRTDLL.DLL WS2_32.DLL LoadLibraryA GetProcAddress ExitProcess RegCloseKey

  • Skuds

    I’m no expert in all this – I tend to rely on my AV being up-to-date. In my case the firewall trapped the activity because it routinely blocks any calls out from unknown/unauthorised processes.

    I must have been an early victim as Google had nothing about it when I first spotted it, but by now there is a lot more info on this elsewhere – despite the fact that half my traffic comes from searches for parad.raw.exe and all the rest.

    All I can say is, make sure you have a firewall and AV software. Make sure the AV is updated often and keep the firewall as tightly defined as possible, especially on calls out.

  • Allan

    Ya when I was first hit, google had nothing also… My AV software (McAfee VirusScan) still doesn’t recognize it… I think it might be time to dump this memory hog and download prevx. I found it has a free beta going at http://free.prevx.com/. And look on the bright side, you’ve got a wider range of people viewing your site now! 🙂

  • John

    I also got nailed. I wouldn’t have known unless I noticed a lot of LAN activity, then began to see why. I opened the task manager and noticed that parad.raw.exe was hitting the processor at about 2 or 3%, closed it and the LAN activity stopped. I saw some posts on Prevx1, so I downloaded it and it is scanning my PC now.
    For God’s sake, someone please put an end to this Spyware/Virus shit!
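The commenter above pulled readable text out of the DLL by opening it in Notepad and saw module and API names (KERNEL32.DLL, WS2_32.DLL, LoadLibraryA, GetProcAddress, and so on). The script below is an added example, not code from this post or from any commenter, showing the safer way to do the same triage: extract printable ASCII runs from a file the way the `strings` tool does, then look up the names that hint at what the binary can do. The hint table and the sample byte blob are constructed for illustration; the real DLL is not reproduced here.

```python
import re

# What the module/API names quoted in the comment suggest about a binary.
# Constructed for this example; a real triage table would be far larger.
API_HINTS = {
    "WS2_32.DLL":     "Winsock: the binary can open network connections",
    "LoadLibraryA":   "loads modules at run time (typical of injected code)",
    "GetProcAddress": "resolves API addresses at run time (hides real imports)",
    "ADVAPI32.DLL":   "registry/service APIs (persistence is possible)",
    "RegCloseKey":    "touches the registry",
    "ExitProcess":    "plain process exit (benign on its own)",
}

def extract_strings(blob: bytes, min_len: int = 4) -> list:
    """Return runs of at least min_len printable ASCII bytes, like `strings`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]

def triage(strings: list) -> dict:
    """Map each recognised name to its hint, in the order it was first seen."""
    found = {}
    for s in strings:
        if s in API_HINTS and s not in found:
            found[s] = API_HINTS[s]
    return found

def looks_like_downloader(hints: dict) -> bool:
    """Heuristic (an assumption, not a rule): networking plus run-time API
    resolution is the combination the forum description of this trojan implies."""
    return "WS2_32.DLL" in hints and "GetProcAddress" in hints

# Constructed stand-in for the DLL: binary noise with the commenter's names embedded.
SAMPLE = (b"MZ\x90\x00\x03\x00\x00\x00" + b"KERNEL32.DLL\x00" + b"\xff\xfe" * 5
          + b"ADVAPI32.DLL\x00CRTDLL.DLL\x00WS2_32.DLL\x00" + b"\x01\x02ab\x00"
          + b"LoadLibraryA\x00GetProcAddress\x00ExitProcess\x00RegCloseKey\x00")

if __name__ == "__main__":
    hints = triage(extract_strings(SAMPLE))
    for name, why in hints.items():
        print(f"{name:15} {why}")
    print("downloader-like:", looks_like_downloader(hints))
```

Run it against a suspect file with `extract_strings(open(path, "rb").read())` on a copy taken from a machine that is not the one you are cleaning; the names alone do not prove anything, but WS2_32.DLL next to run-time API resolution is exactly what the downloader behaviour described in the post would need.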