Home / malware Zlob
First posted on 01 March 2007.
Source: SecurityHomeAliases :
Zlob is also known as W32/Zlob, Trojan-Downloader.Win32.Zlob, Win32.Trojandownloader.Zlob.
Explanation :
Zlob is a Trojan. Zlob attempts to hiddenly download and run other files from remote web sites and shows fake error messages. Zlob copies itself to the Windows folder and changes startup and search pages of Internet Explorer.
- MalwareWipe
- SpyAxe
- SpyFalcon
- SpywareQuake
- SpywareStrike
- WinAntivirusPro
Some of the recent versions include a backdoor component which allow the attacker to manipulate the victim's PC. Zlob itself is installed on the system by tricking the user into downloading a fake codec or protection system, such as:
- HQCodec
- iCodecPack
- IntCodec
- iVideoCodec
- JpegEncoder
- KeyCodec
- MedCodec
- Media-Codec
- MMCodec
- MMedia Codec
- PlayerCodec
- PornPassManager
- PowerCodec
- SoftCodec
- TrueCodec
- UpToDateProtection
- VCCodec
- VidCodec
- VidCodecs
- VideosCodec
- X Pass Generator
- XXXCodec
- ZipCodec
Note: Most of the names above are also .com domains as well, e.g. VidCodecs.com.
The installation process creates some of these files (depends on the variant).
- %DESTDIR%hpXXXX.tmp
- %DESTDIR%iesplugin.dll
- %DESTDIR%iesuninst.exe
- %DESTDIR%isaddon.dll
- %DESTDIR%isamini.exe
- %DESTDIR%isamonitor.exe
- %DESTDIR%isauninst.exe
- %DESTDIR%ishost.exe
- %DESTDIR%ismon.exe
- %DESTDIR%isnotify.exe
- %DESTDIR%issearch.exe
- %DESTDIR%ldXXXX.tmp
- %DESTDIR%mscornet.exe
- %DESTDIR%mssearchnet.exe
- %DESTDIR%
vctrl.exe - %DESTDIR%pmmon.exe
- %DESTDIR%pmsngr.exe
- %DESTDIR%pmuninst.exe
Depending on the variant of Zlob, %DESTDIR% represents:
- WindowsSystem32 folder
- Folder located in the Program Files, named the same as the fake codec.
For example: C:Program FilesIntCodec
Creates registry run keys and Class IDs in:
- HKEY_CLASSES_ROOTCLSID
- HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerSharedTaskScheduler
- HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionpoliciesexplorer
un - HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionShellServiceObjectDelayLoad
- HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun
- HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorer
Browser Helper Objecta - HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorer
Browser Helper Objects
Last update 01 March 2007