Threat Description

Trojan-Downloader:​W32/Zlob

Details

Aliases:Trojan.downloader.zlob.cp, Trojan.downloader.zlob, softcodec, powercodec, media-codec, mediacodec, uptodateprotection, vccodec, Zlob
Category:Malware
Type:Trojan-Downloader
Platform:W32

Summary



This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



Trojan-Downloader:W32/Zlob is a large family of malicious programs that download and install Spyware and Adware applications such as:

  • MalwareWipe
  • SpyAxe
  • SpyFalcon
  • SpywareQuake
  • SpywareStrike
  • WinAntivirusPro

Many of these applications may also be classified as Rogueware.

Some later Zlob variants include a backdoor component which allow the attacker to manipulate the victim's PC.

Installation

Zlob itself is installed on the system by tricking the user into downloading a fake codec or protection system, such as:

  • HQCodec
  • iCodecPack
  • IntCodec
  • iVideoCodec
  • JpegEncoder
  • KeyCodec
  • MedCodec
  • Media-Codec
  • MMCodec
  • MMedia Codec
  • PlayerCodec
  • PornPassManager
  • PowerCodec
  • SoftCodec
  • TrueCodec
  • UpToDateProtection
  • VCCodec
  • VidCodec
  • VidCodecs
  • VideosCodec
  • X Pass Generator
  • XXXCodec
  • ZipCodec

Note: Most of the names above are also .com domains as well, e.g. VidCodecs.com. The installation process creates some of these files (depends on the variant).

  • %DESTDIR%\hpXXXX.tmp
  • %DESTDIR%\iesplugin.dll
  • %DESTDIR%\iesuninst.exe
  • %DESTDIR%\isaddon.dll
  • %DESTDIR%\isamini.exe
  • %DESTDIR%\isamonitor.exe
  • %DESTDIR%\isauninst.exe
  • %DESTDIR%\ishost.exe
  • %DESTDIR%\ismon.exe
  • %DESTDIR%\isnotify.exe
  • %DESTDIR%\issearch.exe
  • %DESTDIR%\ldXXXX.tmp
  • %DESTDIR%\mscornet.exe
  • %DESTDIR%\mssearchnet.exe
  • %DESTDIR%\nvctrl.exe
  • %DESTDIR%\pmmon.exe
  • %DESTDIR%\pmsngr.exe
  • %DESTDIR%\pmuninst.exe

Depending on the variant of Zlob, %DESTDIR% represents:

  • Windows\System32 folder
  • Folder located in the Program Files, named the same as the fake codec. For example: C:\Program Files\IntCodec\

During installation, the following registry keys and Class IDs are created:

  • HKEY_CLASSES_ROOT\CLSID\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects





SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More