
Dropped:Trojan.Zlob.CND


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Dropped:Trojan.Zlob.CND is also known as Trojan.Win32.BHO.eeg, Trojan-Dropper.Win32.Delf.aho, Trojan.Zlob, TROJ_ZLOB.CCF, Trojan:Win32/Delflob.I.

Explanation:

The actions performed by this malware are:
* downloads a file from http://hotvid55.com/[removed].php?id=[7_digit_number],
* sets the registry key HKCU\Software\Microsoft\Bind = <7_digit_number> (the same 7-digit number as in the download link), and
* drops a malware .dll file in the system directory (c:\windows\system32 or c:\winnt\system32, depending on the operating system). BitDefender detects the dropped file as Trojan.Zlob.CND.

* This .dll is registered as a browser helper object, creating the registry key
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2FF811E6-8925-4084-A649-C159955E67E8}
and in this way ensures autostart capabilities, since Internet Explorer loads every registered BHO when it starts.
Some of the names used for this BHO are: dadef.dll, conio.dll, dapol.dll, nada64.dll, opus64.dll, ...

* The .dll is registered as a service by means of regsvr32.exe in silent mode (the /s switch suppresses its confirmation dialogs).
* It also changes the security settings of Internet Explorer by modifying some subkeys of the
HKU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap key.
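The following read-only triage script checks a host for the indicators listed above; it is added here as an example and is not part of BitDefender's description. It also resolves the BHO CLSID through its InprocServer32 entry and lists ZoneMap\Domains, both standard registry locations that the description itself does not name.

```powershell
function Invoke-ZlobCndTriage {
    $findings = New-Object System.Collections.Generic.List[string]
    # 1. Marker written by the dropper: HKCU\Software\Microsoft\Bind = <7_digit_number>.
    #    The description does not say whether Bind is a value or a key, so check both.
    $ms = Get-ItemProperty -Path 'HKCU:\Software\Microsoft' -ErrorAction SilentlyContinue
    if ($ms -and $ms.PSObject.Properties['Bind']) {
        $findings.Add("Marker value HKCU\Software\Microsoft\Bind = $($ms.Bind)")
    }
    if (Test-Path 'HKCU:\Software\Microsoft\Bind') {
        $findings.Add('Marker key HKCU\Software\Microsoft\Bind exists')
    }
    # 2. BHO autostart registration under the CLSID given in the description.
    $clsid  = '{2FF811E6-8925-4084-A649-C159955E67E8}'
    $bhoKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid"
    if (Test-Path $bhoKey) { $findings.Add("BHO registered: $bhoKey") }
    # 3. Resolve the CLSID to the DLL it loads. InprocServer32 is the standard COM
    #    registration (assumed; not listed in the description), so this locates the
    #    dropped file even under a name missing from the list below.
    $inproc = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
    if (Test-Path $inproc) {
        $dll = (Get-ItemProperty -Path $inproc).'(default)'
        $findings.Add("CLSID $clsid InprocServer32 -> $dll")
    }
    # 4. BHO file names quoted in the description (the description marks the list as incomplete).
    $names  = 'dadef.dll', 'conio.dll', 'dapol.dll', 'nada64.dll', 'opus64.dll'
    $sysdir = Join-Path $env:SystemRoot 'system32'
    foreach ($n in $names) {
        $p = Join-Path $sysdir $n
        if (Test-Path $p) {
            $sha = (Get-FileHash -Path $p -Algorithm SHA256).Hash
            $findings.Add("Suspect DLL: $p SHA256=$sha")
        }
    }
    # 5. IE ZoneMap under each loaded user hive. The description says subkeys are
    #    modified but not which; Domains (assumed, the standard location for per-site
    #    zone assignments) is listed for analyst review.
    foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS') {
        $dom = "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
        if (Test-Path $dom) {
            $sites = (Get-ChildItem $dom -ErrorAction SilentlyContinue |
                      Select-Object -ExpandProperty PSChildName) -join ', '
            if ($sites) { $findings.Add("ZoneMap\Domains for $($hive.PSChildName): $sites") }
        }
    }
    return $findings
}

# Run from an elevated session so HKLM and all loaded user hives are readable.
Invoke-ZlobCndTriage | ForEach-Object { Write-Output $_ }
```

A file-name match alone is not conclusive; confirm any hit with the recorded hash and a vendor scan before acting on it.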

Last update 21 November 2011
