
Trojan:Win32/Zlob.GL


First posted on 04 February 2009.
Source: SecurityHome

Aliases :

Trojan:Win32/Zlob.GL is also known as Win32/Zlob.EE (CA), Trojan.Agent.ALPJ (BitDefender), Trojan.Win32.Agent.bhol (Kaspersky), Puper (McAfee), Trojan.Zlob (Symantec).

Explanation :

Trojan:Win32/Zlob.GL is a dropped component of Trojan:Win32/Zlob.GL!dr. Win32/Zlob refers to a large multi-component family of malware that modifies Internet Explorer's settings, alters and redirects the user's default Internet search page and home page, and attempts to download and execute arbitrary files (including additional malicious software). The Win32/Zlob family has also been associated with rogue security programs that display misleading warnings regarding bogus malware infections.

Symptoms
System Changes
The following system changes may indicate the presence of this malware:

  • The presence of the following files:
    svch_st.exe
    svcnost.exe

    Installation
    Trojan:Win32/Zlob.GL arrives on the system as a file dropped by Trojan:Win32/Zlob.GL!dr and is usually installed in the Windows system folder using file names such as the following:
  • svch_st.exe
  • svcnost.exe
    It loads the following DLL file:
    %APPDATA%\Microsoft\its.dll - detected as Trojan:Win32/Zlob.GL.dll, also dropped by Trojan:Win32/Zlob.GL!dr
    It creates the mutex "WinUpdaterMuXXX" and the data file %APPDATA%\Microsoft\profile.dat.

    Payload
    Steals Information
    Trojan:Win32/Zlob.GL checks if the following processes are running:
  • explorer.exe
  • firefox.exe
  • opera.exe
  • chrome.exe
    If any of these processes are found, it attempts to load the following DLL into the process space:
    %APPDATA%\Microsoft\ipdll.dll - detected as Trojan:Win32/Zlob.GL.dll, also dropped by Trojan:Win32/Zlob.GL!dr
    It reads the values of the following registry keys, which may contain sensitive system information:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\SusClientId
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId
    The collected data is sent to a remote attacker in the following format:
    <domain>/xdone2.php?sacc=<number>&t=<number>&guid=<SusClientId>||<ProductId>
    where domains may be:
  • bestworldguide.com
  • i5i.in
    It can also connect to remote sites such as the domains indicated above to download and install additional malware or Zlob components.
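    The indicators above (dropped file names, the xdone2.php beacon format, the two domains) are enough to write a simple detection pass. The following Python is an added example and not part of the original write-up: it matches the beacon URL shape in proxy logs, splits the guid field back into the SusClientId and ProductId values the trojan reads from the registry, and flags file names from the write-up in a directory listing. The proxy log layout (timestamp, client, method, URL, status) and every log line and path in it are constructed for illustration; the GUID and Product ID values are placeholders, not real identifiers.

```python
"""Detection helpers for the Trojan:Win32/Zlob.GL indicators in the write-up.

Added example, not code from the original page. Sample log lines and file
paths are constructed; indicator names and the beacon format come from the
write-up.
"""
import ntpath
import re
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the write-up.
BEACON_DOMAINS = {"bestworldguide.com", "i5i.in"}
BEACON_PATH = "/xdone2.php"
DROPPED_FILES = {"svch_st.exe", "svcnost.exe", "its.dll", "ipdll.dll", "profile.dat"}

# Constructed proxy log layout: <timestamp> <client> <method> <url> <status>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def parse_beacon(url):
    """Return a dict describing the request if it has the shape
    <domain>/xdone2.php?sacc=<number>&t=<number>&guid=<SusClientId>||<ProductId>,
    otherwise None. Matching on the path and parameters rather than only the
    domain catches the same beacon sent to a host not yet on the list."""
    parts = urlsplit(url)
    if parts.path != BEACON_PATH:
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)  # also unquotes %7C%7C -> ||
    if not all(k in qs for k in ("sacc", "t", "guid")):
        return None
    if not (qs["sacc"][0].isdigit() and qs["t"][0].isdigit()):
        return None
    sus_client_id, sep, product_id = qs["guid"][0].partition("||")
    host = parts.hostname or ""
    return {
        "host": host,
        "known_domain": host in BEACON_DOMAINS,
        "sacc": int(qs["sacc"][0]),
        "t": int(qs["t"][0]),
        "sus_client_id": sus_client_id,
        "product_id": product_id if sep else None,
    }


def scan_proxy_log(lines):
    """Return one alert dict per log line whose URL matches the beacon format."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        beacon = parse_beacon(m.group("url"))
        if beacon is None:
            continue
        beacon["client"] = m.group("client")
        hits.append(beacon)
    return hits


def match_dropped_files(paths):
    """Return the paths whose file name is one of the names the write-up lists.
    ntpath handles Windows separators regardless of the host running the check."""
    return [p for p in paths if ntpath.basename(p).lower() in DROPPED_FILES]


# Constructed sample data (placeholder GUID / Product ID values, not real ones).
SAMPLE_PROXY_LOG = [
    "1233705600.101 10.0.0.21 GET http://www.example.com/index.html 200",
    "1233705600.233 10.0.0.21 GET http://bestworldguide.com/xdone2.php?sacc=12&t=3"
    "&guid=11111111-2222-3333-4444-555555555555||12345-678-9012345-67890 200",
    # Same beacon shape, percent-encoded separator, host not on the list.
    "1233705601.004 10.0.0.37 GET http://203.0.113.9/xdone2.php?sacc=5&t=1"
    "&guid=22222222-3333-4444-5555-666666666666%7C%7C98765-432-1098765-43210 200",
    "1233705602.517 10.0.0.21 GET http://i5i.in/favicon.ico 404",
]

SAMPLE_FILE_LISTING = [
    r"C:\Windows\System32\svchost.exe",  # legitimate; compare the lookalike below
    r"C:\Windows\System32\svch_st.exe",
    r"C:\Users\alice\AppData\Roaming\Microsoft\its.dll",
    r"C:\Users\alice\AppData\Roaming\Microsoft\profile.dat",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("beacon from", hit["client"], "to", hit["host"],
              "listed" if hit["known_domain"] else "unlisted",
              "SusClientId", hit["sus_client_id"], "ProductId", hit["product_id"])
    for path in match_dropped_files(SAMPLE_FILE_LISTING):
        print("suspicious file name:", path)
```

    The second constructed log line shows why the check keys on the script path and parameter names rather than on the two domains alone: the same exfiltration format to an unlisted host is still reported, with known_domain set to False so an analyst can tell the two cases apart. The file check relies on exact names; the write-up's svch_st.exe is one character away from the legitimate svchost.exe, so a visual scan of a process list is not a substitute for it.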

    Analysis by Elda Dimakiling

    Last update 04 February 2009
