1. Skip to navigation
  2. Skip to content
  3. Skip to secondary-content

Where You Are

  1. Labs
  2. Threats
  3. Virus and threat descriptions
  4. Trojan-Downloader:W32/Zlob

Trojan-Downloader:W32/Zlob

Detection Names : Trojan-Downloader.Win32.Zlob,Win32.Trojandownloader.Zlob
Category:Malware
Type:Trojan-Downloader
Platform:W32

Summary

This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.

Disinfection

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.

Additional Details

Trojan-Downloader:W32/Zlob is a large family of malicious programs that download and install Spyware and Adware applications such as:

  •  MalwareWipe
  • SpyAxe
  • SpyFalcon
  • SpywareQuake
  • SpywareStrike
  • WinAntivirusPro

Many of these applications may also be classified as Rogueware.

Some later Zlob variants include a backdoor component which allow the attacker to manipulate the victim's PC.


Installation

Zlob itself is installed on the system by tricking the user into downloading a fake codec or protection system, such as:

  •  HQCodec
  • iCodecPack
  • IntCodec
  • iVideoCodec
  • JpegEncoder
  • KeyCodec
  • MedCodec
  • Media-Codec
  • MMCodec
  • MMedia Codec
  • PlayerCodec
  • PornPassManager
  • PowerCodec
  • SoftCodec
  • TrueCodec
  • UpToDateProtection
  • VCCodec
  • VidCodec
  • VidCodecs
  • VideosCodec
  • X Pass Generator
  • XXXCodec
  • ZipCodec

Note: Most of the names above are also .com domains as well, e.g. VidCodecs.com. The installation process creates some of these files (depends on the variant)

.
  •  %DESTDIR%\hpXXXX.tmp
  • %DESTDIR%\iesplugin.dll
  • %DESTDIR%\iesuninst.exe
  • %DESTDIR%\isaddon.dll
  • %DESTDIR%\isamini.exe
  • %DESTDIR%\isamonitor.exe
  • %DESTDIR%\isauninst.exe
  • %DESTDIR%\ishost.exe
  • %DESTDIR%\ismon.exe
  • %DESTDIR%\isnotify.exe
  • %DESTDIR%\issearch.exe
  • %DESTDIR%\ldXXXX.tmp
  • %DESTDIR%\mscornet.exe
  • %DESTDIR%\mssearchnet.exe
  • %DESTDIR%\nvctrl.exe
  • %DESTDIR%\pmmon.exe
  • %DESTDIR%\pmsngr.exe
  • %DESTDIR%\pmuninst.exe

Depending on the variant of Zlob, %DESTDIR% represents:

  • Windows\System32 folder
  • Folder located in the Program Files, named the same as the fake codec.
       For example: C:\Program Files\IntCodec\

During installation, the following registry keys and Class IDs are created:

  •  HKEY_CLASSES_ROOT\CLSID\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects