
F-Secure Malware Information Pages: Zlob


Name: Zlob
Alias: W32/Zlob, Trojan-Downloader.Win32.Zlob, Zlob, Win32.Trojandownloader.Zlob
Type: Trojan-Downloader
Category: Malware
Platform: W32

Summary
Zlob is a Trojan. Zlob attempts to covertly download and run other files from remote web sites and shows fake error messages. Zlob copies itself to the Windows folder and changes the startup and search pages of Internet Explorer.

Disinfection

This utility deactivates the components of those Zlob variants which silently install spyware/adware/rogue anti-spyware (such as SpywareQuake, SpyFalcon, MalwareWipe and SpywareStrike).
Download: http://www.f-secure.com/tools/f-spyaxe.zip

  1. Unzip f-spyaxe.zip to the desktop.
  2. Reboot the computer into safe mode by pressing "F8" at boot-up.
    See Microsoft's page for detailed instructions.
  3. Double-click f-spyaxe.reg and click Yes to merge the information into the registry.
  4. Reboot the machine.

The tool was last updated on October 6th, 2006.

Detailed Description
Zlob downloads and installs spyware and adware applications. Most of them are considered to be rogue anti-spyware:

  • MalwareWipe
  • SpyAxe
  • SpyFalcon
  • SpywareQuake
  • SpywareStrike
  • WinAntivirusPro


Some of the recent versions include a backdoor component which allows the attacker to manipulate the victim's PC. Zlob itself is installed on the system by tricking the user into downloading a fake codec or protection system, such as:

  • HQCodec
  • iCodecPack
  • IntCodec
  • iVideoCodec
  • JpegEncoder
  • KeyCodec
  • MedCodec
  • Media-Codec
  • MMCodec
  • MMedia Codec
  • PlayerCodec
  • PornPassManager
  • PowerCodec
  • SoftCodec
  • TrueCodec
  • UpToDateProtection
  • VCCodec
  • VidCodec
  • VidCodecs
  • VideosCodec
  • X Pass Generator
  • XXXCodec
  • ZipCodec

Note: Most of the names above are also used as .com domains, e.g. VidCodecs.com.


The installation process creates some of these files (which ones depends on the variant):

  • %DESTDIR%\hpXXXX.tmp
  • %DESTDIR%\iesplugin.dll
  • %DESTDIR%\iesuninst.exe
  • %DESTDIR%\isaddon.dll
  • %DESTDIR%\isamini.exe
  • %DESTDIR%\isamonitor.exe
  • %DESTDIR%\isauninst.exe
  • %DESTDIR%\ishost.exe
  • %DESTDIR%\ismon.exe
  • %DESTDIR%\isnotify.exe
  • %DESTDIR%\issearch.exe
  • %DESTDIR%\ldXXXX.tmp
  • %DESTDIR%\mscornet.exe
  • %DESTDIR%\mssearchnet.exe
  • %DESTDIR%\nvctrl.exe
  • %DESTDIR%\pmmon.exe
  • %DESTDIR%\pmsngr.exe
  • %DESTDIR%\pmuninst.exe


Depending on the variant of Zlob, %DESTDIR% represents:

  • the Windows\System32 folder
  • a folder under Program Files named after the fake codec,
    for example C:\Program Files\IntCodec\


Zlob creates registry run keys and class IDs (CLSIDs) under:

  • HKEY_CLASSES_ROOT\CLSID\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
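The file names, %DESTDIR% forms and registry locations listed above can be turned into a small offline triage check. The following is an added example, not part of the F-Secure description or tool; it takes path strings and registry (key, data) pairs as exported from a suspect machine, and it assumes that the XXXX in hpXXXX.tmp / ldXXXX.tmp stands for any four characters.

```python
import re
from pathlib import PureWindowsPath
from typing import Optional

# File names from the description above; hpXXXX.tmp and ldXXXX.tmp use XXXX as a
# variable part, which this example (an assumption) treats as any four characters.
ZLOB_FILENAMES = {"iesplugin.dll", "iesuninst.exe", "isaddon.dll", "isamini.exe",
                  "isamonitor.exe", "isauninst.exe", "ishost.exe", "ismon.exe",
                  "isnotify.exe", "issearch.exe", "mscornet.exe", "mssearchnet.exe",
                  "nvctrl.exe", "pmmon.exe", "pmsngr.exe", "pmuninst.exe"}
ZLOB_TMP_RE = re.compile(r"^(hp|ld).{4}\.tmp$", re.IGNORECASE)

# Fake codec / protection names from the description; a %DESTDIR% under
# Program Files is a folder named after one of them.
FAKE_CODEC_DIRS = {n.lower() for n in (
    "HQCodec", "iCodecPack", "IntCodec", "iVideoCodec", "JpegEncoder", "KeyCodec",
    "MedCodec", "Media-Codec", "MMCodec", "MMedia Codec", "PlayerCodec", "PornPassManager",
    "PowerCodec", "SoftCodec", "TrueCodec", "UpToDateProtection", "VCCodec", "VidCodec",
    "VidCodecs", "VideosCodec", "X Pass Generator", "XXXCodec", "ZipCodec")}

# Registry locations listed above, including both spellings of the BHO key.
_CV = r"hkey_local_machine\software\microsoft\windows\currentversion"
ZLOB_REG_KEYS = (r"hkey_classes_root\clsid",) + tuple(_CV + "\\" + s for s in (
    r"explorer\sharedtaskscheduler", r"policies\explorer\run", "shellserviceobjectdelayload",
    "run", r"explorer\browser helper objecta", r"explorer\browser helper objects"))

def in_documented_destdir(path: PureWindowsPath) -> bool:
    """True if the parent folder is one of the two %DESTDIR% forms from the page."""
    parts = [p.lower() for p in path.parent.parts]
    if parts[-2:] == ["windows", "system32"]:
        return True
    return len(parts) >= 2 and parts[-2] == "program files" and parts[-1] in FAKE_CODEC_DIRS

def classify_file(path_str: str) -> Optional[str]:
    """'zlob' for a listed name inside a documented %DESTDIR%, 'name-only' for a
    listed name anywhere else (worth a manual look), None for everything else."""
    path = PureWindowsPath(path_str.strip('"'))
    name = path.name.lower()
    if name not in ZLOB_FILENAMES and not ZLOB_TMP_RE.match(name):
        return None
    return "zlob" if in_documented_destdir(path) else "name-only"

def classify_registry_value(key: str, data: str) -> Optional[str]:
    """Only flag a value under a listed key when its data names a Zlob file: Run,
    CLSID and BHO keys hold plenty of legitimate entries on a clean machine."""
    key_l = key.lower()
    if not any(key_l == k or key_l.startswith(k + "\\") for k in ZLOB_REG_KEYS):
        return None
    return classify_file(data)
```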



F-Secure Corporation

Last Modified: November 06, 2006