
TrojanDownloader:Win32/Zlob.JN


First posted on 11 June 2009.
Source: SecurityHome

Aliases :

TrojanDownloader:Win32/Zlob.JN is also known as Win-Trojan/Zlob.670720 (AhnLab), Trojan-Downloader.Win32.Zlob.bepk (Kaspersky), Adware.Begin2Search (Symantec).

Explanation :

TrojanDownloader:Win32/Zlob.JN is a member of Win32/Zlob, a family of trojans that modify Internet Explorer settings, redirect the default internet search and home pages, and attempt to download and execute malicious software from the Internet. This particular variant is a Browser Helper Object (BHO) designed to redirect search results and display unsolicited advertising on an affected machine.

Symptoms
There are no obvious symptoms that indicate the presence of this malware on an affected machine.

Installation
Zlob.JN is installed using a randomly generated file name that uses the format:
ns<letter><4 hexadecimal characters>.dll

For example:
nsh9946.dll
nsk9DCB.dll
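A triage check for the file-name format above, as an added example that is not part of the original analysis: it lists the Browser Helper Objects registered for Internet Explorer, resolves each CLSID to its DLL, and flags names of the form ns<letter><4 hexadecimal characters>.dll. It assumes the variant's DLL is registered under the standard BHO registry key; the regular expression is derived only from the format and the two sample names given here.

```powershell
# Added example: enumerate registered IE Browser Helper Objects and flag
# DLL names matching ns<letter><4 hex characters>.dll.
# Assumption: the DLL is registered under the standard BHO key.
$namePattern = '^ns[a-z][0-9a-f]{4}\.dll$'   # -match is case-insensitive

# Native and 32-bit (WOW6432Node) registry views: BHO list and CLSID root.
$bhoSuffix = 'Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$views = @(
    @{ Bho   = "HKLM:\SOFTWARE\$bhoSuffix"
       Clsid = 'Registry::HKEY_CLASSES_ROOT\CLSID' },
    @{ Bho   = "HKLM:\SOFTWARE\WOW6432Node\$bhoSuffix"
       Clsid = 'Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID' }
)

$results = foreach ($view in $views) {
    if (-not (Test-Path -LiteralPath $view.Bho)) { continue }

    foreach ($key in Get-ChildItem -LiteralPath $view.Bho) {
        $clsid  = $key.PSChildName
        $server = "$($view.Clsid)\$clsid\InprocServer32"
        $dll    = $null

        if (Test-Path -LiteralPath $server) {
            # The default value of InprocServer32 holds the DLL path.
            $dll = (Get-Item -LiteralPath $server).GetValue('')
        }
        if ($dll) { $dll = $dll.Trim('"') }

        $leaf = if ($dll) { [System.IO.Path]::GetFileName($dll) } else { '' }

        [pscustomobject]@{
            Clsid       = $clsid
            Dll         = $dll
            FileExists  = [bool]($dll -and (Test-Path -LiteralPath $dll))
            NameMatches = $leaf -match $namePattern
        }
    }
}

# Name matches first; BHOs with a missing or unresolved DLL are listed too.
$results | Sort-Object NameMatches -Descending | Format-Table -AutoSize
```

A name match is only a lead for further inspection of the file, since the pattern is short and other software may use similar names.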

Payload
Connects to remote host/Displays advertising
When Internet Explorer is run, Zlob.JN contacts various pages on the thesuperads.com domain in order to download configuration details and advertising content. This configuration determines the type and quantity of pop-up advertisements, as well as the URLs to which searches are redirected.

Analysis by Matt McCormack

Last update 11 June 2009

 
