F-Secure Malware Information Pages: Zlob

Summary
Zlob is a Trojan. It silently downloads and runs other files from remote web sites and shows fake error messages. Zlob copies itself to the Windows folder and changes the start and search pages of Internet Explorer.
Disinfection
This utility deactivates the components of Zlob variants that silently install spyware, adware and rogue anti-spyware (such as SpywareQuake, SpyFalcon, MalwareWipe and SpywareStrike).
Download: http://www.f-secure.com/tools/f-spyaxe.zip
- Unzip f-spyaxe.zip to the desktop.
- Reboot the computer into safe mode by pressing "F8" at boot up. See Microsoft's page for detailed instructions.
- Double click f-spyaxe.reg and click Yes to merge the information into the registry.
- Reboot the machine.
The tool was last updated on October 6th, 2006.
Detailed Description
Zlob downloads and installs spyware and adware applications. Most of them are considered to be rogue anti-spyware:
- MalwareWipe
- SpyAxe
- SpyFalcon
- SpywareQuake
- SpywareStrike
- WinAntivirusPro
Some of the recent versions include a backdoor component which allows the attacker to manipulate the victim's PC. Zlob itself is installed on the system by tricking the user into downloading a fake codec or protection system, such as:
- HQCodec
- iCodecPack
- IntCodec
- iVideoCodec
- JpegEncoder
- KeyCodec
- MedCodec
- Media-Codec
- MMCodec
- MMedia Codec
- PlayerCodec
- PornPassManager
- PowerCodec
- SoftCodec
- TrueCodec
- UpToDateProtection
- VCCodec
- VidCodec
- VidCodecs
- VideosCodec
- X Pass Generator
- XXXCodec
- ZipCodec
Note: Most of the names above are also .com domains, e.g. VidCodecs.com.
The installation process creates some of the following files (depending on the variant):
- %DESTDIR%\hpXXXX.tmp
- %DESTDIR%\iesplugin.dll
- %DESTDIR%\iesuninst.exe
- %DESTDIR%\isaddon.dll
- %DESTDIR%\isamini.exe
- %DESTDIR%\isamonitor.exe
- %DESTDIR%\isauninst.exe
- %DESTDIR%\ishost.exe
- %DESTDIR%\ismon.exe
- %DESTDIR%\isnotify.exe
- %DESTDIR%\issearch.exe
- %DESTDIR%\ldXXXX.tmp
- %DESTDIR%\mscornet.exe
- %DESTDIR%\mssearchnet.exe
- %DESTDIR%\nvctrl.exe
- %DESTDIR%\pmmon.exe
- %DESTDIR%\pmsngr.exe
- %DESTDIR%\pmuninst.exe
Depending on the variant of Zlob, %DESTDIR% represents:
- The Windows\System32 folder
- A folder under Program Files named after the fake codec, for example C:\Program Files\IntCodec\
Zlob creates registry run keys and class IDs under:
- HKEY_CLASSES_ROOT\CLSID\
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
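The file names, %DESTDIR% locations and registry keys listed above are what an administrator checks for when triaging a suspected Zlob infection. The script below is an added example, not F-Secure's tool or part of this description: it matches an inventory of file paths and registry values against the indicators on this page, treats the hpXXXX.tmp and ldXXXX.tmp names as four-character wildcards, and flags whether each file sits in one of the %DESTDIR% folders the page names. The inventory is a constructed sample, and the helper names (scan_files, scan_registry, FileHit, RegHit) are assumptions of this example.

```python
import re
from typing import Iterable, List, NamedTuple, Tuple

# File names listed on this page; hpXXXX.tmp and ldXXXX.tmp are handled by the pattern below.
ZLOB_FILE_NAMES = {
    "iesplugin.dll", "iesuninst.exe", "isaddon.dll", "isamini.exe",
    "isamonitor.exe", "isauninst.exe", "ishost.exe", "ismon.exe",
    "isnotify.exe", "issearch.exe", "mscornet.exe", "mssearchnet.exe",
    "nvctrl.exe", "pmmon.exe", "pmsngr.exe", "pmuninst.exe",
}
# XXXX stands for four variable characters in the page's listing.
ZLOB_TMP_PATTERN = re.compile(r"^(hp|ld).{4}\.tmp$", re.IGNORECASE)

# Fake codec names from the page; one of them becomes the Program Files folder name.
FAKE_CODEC_NAMES = {
    "HQCodec", "iCodecPack", "IntCodec", "iVideoCodec", "JpegEncoder", "KeyCodec",
    "MedCodec", "Media-Codec", "MMCodec", "MMedia Codec", "PlayerCodec",
    "PornPassManager", "PowerCodec", "SoftCodec", "TrueCodec", "UpToDateProtection",
    "VCCodec", "VidCodec", "VidCodecs", "VideosCodec", "X Pass Generator",
    "XXXCodec", "ZipCodec",
}
FAKE_CODEC_FOLDERS = {name.lower() for name in FAKE_CODEC_NAMES}

# Registry locations from the page that take a path to a Zlob file as value data.
ZLOB_REG_LOCATIONS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects",
)


class FileHit(NamedTuple):
    path: str
    expected_location: bool  # True when the parent folder is a %DESTDIR% named on the page


class RegHit(NamedTuple):
    key: str
    value_name: str
    data: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def _parent(path: str) -> str:
    return path.rsplit("\\", 1)[0] if "\\" in path else ""


def is_zlob_file_name(name: str) -> bool:
    """True if the bare file name is one of the page's indicators (case-insensitive)."""
    lname = name.lower()
    return lname in ZLOB_FILE_NAMES or ZLOB_TMP_PATTERN.match(lname) is not None


def is_zlob_destdir(folder: str) -> bool:
    """True for Windows\\System32 or Program Files\\<fake codec name>."""
    parts = folder.lower().rstrip("\\").split("\\")
    if len(parts) < 2:
        return False
    if parts[-2:] == ["windows", "system32"]:
        return True
    return parts[-2] == "program files" and parts[-1] in FAKE_CODEC_FOLDERS


def scan_files(paths: Iterable[str]) -> List[FileHit]:
    """Report every path whose name matches; note whether it is in an expected %DESTDIR%."""
    return [FileHit(p, is_zlob_destdir(_parent(p)))
            for p in paths if is_zlob_file_name(_basename(p))]


def scan_registry(entries: Iterable[Tuple[str, str, str]]) -> List[RegHit]:
    """Report values under the page's registry locations whose data points at a Zlob file."""
    hits = []
    for key, value_name, data in entries:
        lkey = key.lower()
        under = any(lkey == loc.lower() or lkey.startswith(loc.lower() + "\\")
                    for loc in ZLOB_REG_LOCATIONS)
        if under and is_zlob_file_name(_basename(data.strip('"'))):
            hits.append(RegHit(key, value_name, data))
    return hits


# Constructed sample inventory (not captured from a real system).
SAMPLE_FILES = [
    r"C:\WINDOWS\System32\isamonitor.exe",
    r"C:\Program Files\IntCodec\ishost.exe",
    r"C:\WINDOWS\System32\hp1a2b.tmp",
    r"C:\WINDOWS\System32\kernel32.dll",       # benign, must not match
    r"C:\Users\me\Downloads\ismon.exe",         # name matches, location does not
]
SAMPLE_REGISTRY = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "isamonitor", r"C:\WINDOWS\System32\isamonitor.exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),                    # benign
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run",
     "IntCodec", r'"C:\Program Files\IntCodec\ishost.exe"'),
]

if __name__ == "__main__":
    for hit in scan_files(SAMPLE_FILES):
        print(f"file  {hit.path}  expected_location={hit.expected_location}")
    for hit in scan_registry(SAMPLE_REGISTRY):
        print(f"reg   {hit.key}  {hit.value_name} = {hit.data}")
```

A name match outside System32 or a fake-codec folder is still reported, but with expected_location set to False, so a reviewer can separate a stray download from an installed component. Run values are only matched when the value data resolves to one of the listed file names, which keeps legitimate entries under the same key (ctfmon.exe in the sample) out of the report.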
F-Secure Corporation
Last Modified: November 06, 2006