
Trojan-Downloader:W32/Zlob


First posted on 23 July 2010.
Source: SecurityHome

Aliases :

There are no other names known for Trojan-Downloader:W32/Zlob.

Explanation :

This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.

Additional Details

Trojan-Downloader:W32/Zlob is a large family of malicious programs that download and install Spyware and Adware applications such as:

• MalwareWipe
• SpyAxe
• SpyFalcon
• SpywareQuake
• SpywareStrike
• WinAntivirusPro

Many of these applications may also be classified as Rogueware.

Some later Zlob variants include a backdoor component which allows the attacker to manipulate the victim's PC.


Installation


Zlob itself is installed on the system by tricking the user into downloading a fake codec or protection system, such as:

• HQCodec
• iCodecPack
• IntCodec
• iVideoCodec
• JpegEncoder
• KeyCodec
• MedCodec
• Media-Codec
• MMCodec
• MMedia Codec
• PlayerCodec
• PornPassManager
• PowerCodec
• SoftCodec
• TrueCodec
• UpToDateProtection
• VCCodec
• VidCodec
• VidCodecs
• VideosCodec
• X Pass Generator
• XXXCodec
• ZipCodec

Note: Most of the names above are also .com domains, e.g. VidCodecs.com.
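Because the lure names double as .com domains, web proxy or DNS logs are a practical place to spot a user being tricked into fetching one of these "codecs". The following Python script is an added example, not part of the original description: it derives candidate domains from the name list above and flags requests to them in a proxy log. It assumes the domain is simply the lower-cased name plus .com (the page only gives VidCodecs.com as an example), skips the names containing spaces since they cannot be hostnames, and runs over a constructed sample log in a simple one-request-per-line format.

```python
import re

# Fake codec / "protection system" names from the Zlob description.
FAKE_CODEC_NAMES = [
    "HQCodec", "iCodecPack", "IntCodec", "iVideoCodec", "JpegEncoder",
    "KeyCodec", "MedCodec", "Media-Codec", "MMCodec", "MMedia Codec",
    "PlayerCodec", "PornPassManager", "PowerCodec", "SoftCodec", "TrueCodec",
    "UpToDateProtection", "VCCodec", "VidCodec", "VidCodecs", "VideosCodec",
    "X Pass Generator", "XXXCodec", "ZipCodec",
]


def candidate_domains(names=FAKE_CODEC_NAMES):
    """Build the set of .com domains to watch for.

    Assumption (the page only gives VidCodecs.com as an example): the domain
    is the lower-cased name plus ".com".  Names containing spaces cannot be
    hostnames and are skipped.
    """
    return {name.lower() + ".com" for name in names if " " not in name}


# Constructed sample proxy log: "<time> <client-ip> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
2010-07-23T10:01:12Z 10.0.0.15 GET http://www.example.com/index.html 200
2010-07-23T10:02:40Z 10.0.0.15 GET http://www.vidcodecs.com/download/VidCodecs.exe 200
2010-07-23T10:03:05Z 10.0.0.22 GET http://cdn.intcodec.com/setup.exe 200
2010-07-23T10:04:17Z 10.0.0.31 GET http://update.example.org/patch.cab 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def hostname_of(url):
    """Return the lower-cased host part of an http(s) URL, or None."""
    m = re.match(r"^https?://([^/:?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else None


def matches_domain(host, domains):
    """True if host equals a watched domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def flag_fake_codec_downloads(log_text, domains=None):
    """Return (client_ip, host, url) for each request to a watched domain."""
    domains = domains or candidate_domains()
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash on them
        _ts, client, _method, url, _status = m.groups()
        host = hostname_of(url)
        if host and matches_domain(host, domains):
            hits.append((client, host, url))
    return hits


if __name__ == "__main__":
    for client, host, url in flag_fake_codec_downloads(SAMPLE_PROXY_LOG):
        print(f"{client} fetched from Zlob lure domain {host}: {url}")
```

Matching on the registered domain and its subdomains (rather than exact host) catches www. and cdn. prefixes; a real deployment would feed the script from the proxy's own log format and extend the domain set as new lure names appear.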

The installation process creates some of the following files, depending on the variant:

• %DESTDIR%\hpXXXX.tmp
• %DESTDIR%\iesplugin.dll
• %DESTDIR%\iesuninst.exe
• %DESTDIR%\isaddon.dll
• %DESTDIR%\isamini.exe
• %DESTDIR%\isamonitor.exe
• %DESTDIR%\isauninst.exe
• %DESTDIR%\ishost.exe
• %DESTDIR%\ismon.exe
• %DESTDIR%\isnotify.exe
• %DESTDIR%\issearch.exe
• %DESTDIR%\ldXXXX.tmp
• %DESTDIR%\mscornet.exe
• %DESTDIR%\mssearchnet.exe
• %DESTDIR%\nvctrl.exe
• %DESTDIR%\pmmon.exe
• %DESTDIR%\pmsngr.exe
• %DESTDIR%\pmuninst.exe

Depending on the variant of Zlob, %DESTDIR% represents one of:

• the Windows\System32 folder
• a folder under Program Files named the same as the fake codec, for example C:\Program Files\IntCodec\

During installation, the following registry keys and Class IDs are created:

• HKEY_CLASSES_ROOT\CLSID\
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
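The file names and registry locations above are the host-side indicators a responder would check. The following Python script is an added example, not from the original description: it parses a `reg query /s`-style export of the persistence keys (the sample here is constructed, with placeholder GUIDs and paths), resolves CLSIDs referenced by the Browser Helper Objects, ShellServiceObjectDelayLoad and SharedTaskScheduler entries through HKEY_CLASSES_ROOT\CLSID\{...}\InprocServer32, and reports any persistence entry that points at one of the listed Zlob file names. It assumes the XXXX in hpXXXX.tmp and ldXXXX.tmp can be any four characters, and it matches on file name alone, so a listed name found outside %DESTDIR% is reported as well.

```python
import re

# Persistence locations the description says the installer writes to.
ZLOB_PERSISTENCE_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects",
)

# File names the installer drops (from the description).  The XXXX in
# hpXXXX.tmp / ldXXXX.tmp is variable; assumed here to be any four characters.
ZLOB_FILE_RE = re.compile(
    r"^(?:hp.{4}\.tmp|ld.{4}\.tmp|iesplugin\.dll|iesuninst\.exe|isaddon\.dll"
    r"|isamini\.exe|isamonitor\.exe|isauninst\.exe|ishost\.exe|ismon\.exe"
    r"|isnotify\.exe|issearch\.exe|mscornet\.exe|mssearchnet\.exe|nvctrl\.exe"
    r"|pmmon\.exe|pmsngr\.exe|pmuninst\.exe)$", re.IGNORECASE)

GUID_RE = re.compile(r"\{[0-9A-F-]{36}\}", re.IGNORECASE)
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|tmp))', re.IGNORECASE)

# Constructed sample export; GUIDs and paths are placeholders, not real indicators.
SAMPLE_REG_EXPORT = r"""
HKEY_CLASSES_ROOT\CLSID\{00000000-1111-2222-3333-444444444444}
    (Default)    REG_SZ    ISAddOn

HKEY_CLASSES_ROOT\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32
    (Default)    REG_SZ    C:\WINDOWS\system32\isaddon.dll
    ThreadingModel    REG_SZ    Apartment

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    ismon    REG_SZ    C:\WINDOWS\system32\ismon.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-1111-2222-3333-444444444444}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
    SomeBenignEntry    REG_SZ    {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}
"""


def parse_reg_query(text):
    """Parse 'reg query /s'-style output into {key: [(name, type, data), ...]}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("HKEY_"):          # key header line
            current = line
            keys.setdefault(current, [])
        elif current is not None:             # indented "name  type  data" line
            parts = re.split(r"\s{2,}|\t", line.strip(), maxsplit=2)
            if len(parts) == 3:
                keys[current].append(tuple(parts))
    return keys


def clsid_servers(keys):
    """Map {CLSID} -> InprocServer32 path so CLSID references can be resolved."""
    servers = {}
    for key, values in keys.items():
        m = re.match(r"HKEY_CLASSES_ROOT\\CLSID\\(\{[^}]+\})\\InprocServer32$",
                     key, re.IGNORECASE)
        if m:
            for name, _type, data in values:
                if name == "(Default)":
                    servers[m.group(1).upper()] = data
    return servers


def is_zlob_path(path):
    """True if the file name part of path is one of the listed Zlob files."""
    return bool(ZLOB_FILE_RE.match(path.rsplit("\\", 1)[-1]))


def in_persistence_key(key):
    """True if key is one of the watched locations or a subkey of one."""
    k = key.lower()
    return any(k == p.lower() or k.startswith(p.lower() + "\\")
               for p in ZLOB_PERSISTENCE_KEYS)


def find_zlob_persistence(text):
    """Return sorted (registry key, file path) pairs that point at Zlob files."""
    keys = parse_reg_query(text)
    servers = clsid_servers(keys)
    hits = set()
    for key, values in keys.items():
        if not in_persistence_key(key):
            continue
        # A persistence entry may name a file directly (Run) or via a CLSID
        # in the subkey name, value name or value data (BHO, SSODL, STS).
        texts = [key] + [n for n, _, _ in values] + [d for _, _, d in values]
        paths = []
        for t in texts:
            paths += [m.group(1) for m in PATH_RE.finditer(t)]
            paths += [servers[g.upper()] for g in GUID_RE.findall(t)
                      if g.upper() in servers]
        hits.update((key, p) for p in paths if is_zlob_path(p))
    return sorted(hits)


if __name__ == "__main__":
    for key, path in find_zlob_persistence(SAMPLE_REG_EXPORT):
        print(f"{key}\n    -> {path}")
```

On a live system the export would come from `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion /s` together with `reg query HKCR\CLSID /s`; resolving CLSIDs is what makes the BHO, ShellServiceObjectDelayLoad and SharedTaskScheduler entries checkable, since those reference a DLL only indirectly.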

Last update 23 July 2010
