Trojan.Zlob.Q
First posted on 03 February 2016.
Source: Symantec
Aliases:
There are no other names known for Trojan.Zlob.Q.
Explanation:
When the Trojan is executed, it creates the following files:
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\[EIGHT RANDOM NUMBERS]
%SystemDrive%\Documents and Settings\All Users\Application Data\{145911ff-70c8-1}\BIT1C.tmp
%SystemDrive%\Documents and Settings\All Users\Application Data\{2182672b-20c8-0}\BIT1D.tmp
The Trojan creates a scheduled task, stored as the following .job file, that runs a PowerShell script once a day to download additional files:
%SystemDrive%\WINDOWS\Tasks\[RANDOM CLSID].job
The Trojan creates the following registry entries (both the global Tcpip\Parameters values and the per-interface values are overwritten):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"NameServer" : "199.203.131.151 82.163.143.181"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{121002E0-F353-48CD-926F-EDFFABEE08AF}\"NameServer" : "199.203.131.151.82.163.143.181"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{121002E0-F353-48CD-926F-EDFFABEE08AF}\"DhcpNameServer" : "199.203.131.151"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"DhcpNameServer" : "199.203.131.151"
The Trojan changes the compromised computer's DNS server settings to one or more of the following IP addresses, so that every name lookup on the system is answered by attacker-controlled resolvers:
199.203.131.145
82.163.143.167
199.203.131.150
82.163.143.168
82.163.143.169
82.163.142.171
82.163.143.172
82.163.142.174
199.203.131.151
82.163.143.181
199.203.131.152
82.163.143.182
82.163.142.3
95.211.158.130
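The file, scheduled-task and registry artifacts above are what a responder actually hunts for. The following Python is an added example written for this page, not Symantec's tooling: it parses a registry export (a constructed sample in .reg format is embedded) and flags any NameServer or DhcpNameServer value under Tcpip\Parameters that points at one of the resolver addresses listed above, splitting on any separator so the dot-joined value shown in the write-up yields both addresses. It also classifies file paths against the three artifact locations above; the path regexes and the second interface GUID in the sample are assumptions derived from the listed paths, not additional indicators.

```python
"""Hunt for Trojan.Zlob.Q DNS-hijack and file artifacts (example code added to this page)."""
import re

# Rogue resolver addresses as listed in the write-up.
ZLOB_Q_DNS = {
    "199.203.131.145", "82.163.143.167", "199.203.131.150", "82.163.143.168",
    "82.163.143.169", "82.163.142.171", "82.163.143.172", "82.163.142.174",
    "199.203.131.151", "82.163.143.181", "199.203.131.152", "82.163.143.182",
    "82.163.142.3", "95.211.158.130",
}

_KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
# \b on both sides lets "a.b.c.d.e.f.g.h" (the dot-joined value) split into two addresses.
_IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
_DNS_VALUES = {"nameserver", "dhcpnameserver"}


def rogue_dns_entries(reg_export, rogue=ZLOB_Q_DNS):
    """Return (key, value_name, ip) for every resolver under Tcpip\\Parameters found in `rogue`.

    Both the global Parameters values and every Interfaces\\{GUID} subkey are checked,
    because the Trojan writes to both levels.
    """
    hits = []
    key = None
    for raw in reg_export.splitlines():
        line = raw.strip()
        m = _KEY_LINE.match(line)
        if m:
            key = m.group("key")
            continue
        m = _VALUE_LINE.match(line)
        if not m or key is None:
            continue
        if "\\services\\tcpip\\parameters" not in key.lower():
            continue
        if m.group("name").lower() not in _DNS_VALUES:
            continue
        for ip in _IPV4.findall(m.group("data")):
            if ip in rogue:
                hits.append((key, m.group("name"), ip))
    return hits


# Heuristic path patterns derived from the three artifact locations in the write-up (assumption).
_ARTIFACT_PATTERNS = [
    # ...\Local Settings\Temp\[EIGHT RANDOM NUMBERS]
    re.compile(r"\\Local Settings\\Temp\\\d{8}$", re.I),
    # ...\All Users\Application Data\{145911ff-70c8-1}\BIT1C.tmp
    re.compile(r"\\Application Data\\\{[0-9a-f]{8}-[0-9a-f]{4}-\d\}\\BIT[0-9A-F]+\.tmp$", re.I),
    # %SystemDrive%\WINDOWS\Tasks\[RANDOM CLSID].job
    re.compile(r"\\WINDOWS\\Tasks\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.job$", re.I),
]


def matches_zlob_artifact(path):
    """True if `path` matches one of the artifact locations described for the Trojan."""
    return any(p.search(path) for p in _ARTIFACT_PATTERNS)


# Constructed .reg export: the write-up's entries plus one clean interface (GUID made up).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"NameServer"="199.203.131.151 82.163.143.181"
"DhcpNameServer"="199.203.131.151"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{121002E0-F353-48CD-926F-EDFFABEE08AF}]
"NameServer"="199.203.131.151.82.163.143.181"
"DhcpNameServer"="199.203.131.151"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B0C2D6A1-0000-4444-8888-ABCDEF012345}]
"NameServer"=""
"DhcpNameServer"="192.168.1.1"
"""


def scan_sample():
    """Run the checks over the constructed sample; returns (dns_hits, artifact_hits)."""
    paths = [
        r"C:\Documents and Settings\All Users\Application Data\{145911ff-70c8-1}\BIT1C.tmp",
        r"C:\WINDOWS\Tasks\{3C1B9F2A-1D44-4E21-9A6B-0F4C8D2E7B11}.job",  # hypothetical CLSID
        r"C:\WINDOWS\Tasks\At1.job",  # ordinary AT job, should not match
    ]
    return rogue_dns_entries(SAMPLE_REG), [p for p in paths if matches_zlob_artifact(p)]


if __name__ == "__main__":
    dns_hits, file_hits = scan_sample()
    for key, name, ip in dns_hits:
        print(f"rogue resolver {ip} in {key}\\{name}")
    for p in file_hits:
        print(f"artifact path: {p}")
```

On a live Windows host the same logic applies to the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters dns.reg` (the export is UTF-16; decode it before parsing). Remediation is not just deleting the value: the DhcpNameServer value will be rewritten on the next lease renewal, but a non-empty static NameServer overrides it and must be cleared on every interface key.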
The Trojan may connect to and download potentially malicious files from the following domains:
likerut.info/u/
theget.biz/u/
bootfun.info/u/
sportnew.net/u/
ukjobmy.com/u/
moonas.info/u/
fasilmy.info/u/
paneljob.info/u/
usafun.info/u/
safesuns.info/u/
legco.info/u/
ough.info/u/
heato.info/u/
yelts.net/u/
deris.info/u/
big4u.org/u/
listcool.net/u/
listcool.info/u/
monoset.info/u/
The Trojan may steal the following information from the compromised computer:
Operating System type
Operating System major version
Operating System minor version
Operating System build
Service pack installed
Architecture type
Last update 03 February 2016