Threat Description

Trojan-Downloader:W32/Zlob

Details

Aliases: Trojan-Downloader:W32/Zlob, Win32.Trojandownloader.Zlob, Trojan-Downloader.Win32.Zlob
Category: Malware
Type: Trojan-Downloader
Platform: W32

Summary


This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.

Special Disinfection Tool

This utility deactivates the components of the Zlob trojan that silently install spyware, adware and rogue anti-spyware (such as SpywareQuake, SpyFalcon, MalwareWipe and SpywareStrike). Note: the tool was last updated on October 6th, 2006.

Instructions

1. Unzip f-spyaxe.zip to the desktop.
2. Reboot the computer into safe mode by pressing "F8" at boot up (see Microsoft's page for detailed instructions).
3. Double-click f-spyaxe.reg and click Yes to merge the information into the registry.
4. Reboot the machine.



Technical Details


Trojan-Downloader:W32/Zlob is a large family of malicious programs that download and install spyware and adware applications such as:

  • MalwareWipe
  • SpyAxe
  • SpyFalcon
  • SpywareQuake
  • SpywareStrike
  • WinAntivirusPro

Many of these applications may also be classified as Rogueware.

Some later Zlob variants include a backdoor component that allows the attacker to manipulate the victim's PC.

Installation

Zlob itself is installed on the system by tricking the user into downloading a fake codec or protection system, such as:

  • HQCodec
  • iCodecPack
  • IntCodec
  • iVideoCodec
  • JpegEncoder
  • KeyCodec
  • MedCodec
  • Media-Codec
  • MMCodec
  • MMedia Codec
  • PlayerCodec
  • PornPassManager
  • PowerCodec
  • SoftCodec
  • TrueCodec
  • UpToDateProtection
  • VCCodec
  • VidCodec
  • VidCodecs
  • VideosCodec
  • X Pass Generator
  • XXXCodec
  • ZipCodec

Note: Most of the names above are also registered as .com domains, e.g. VidCodecs.com.

Depending on the variant, the installation process creates some of the following files:

  • %DESTDIR%\hpXXXX.tmp
  • %DESTDIR%\iesplugin.dll
  • %DESTDIR%\iesuninst.exe
  • %DESTDIR%\isaddon.dll
  • %DESTDIR%\isamini.exe
  • %DESTDIR%\isamonitor.exe
  • %DESTDIR%\isauninst.exe
  • %DESTDIR%\ishost.exe
  • %DESTDIR%\ismon.exe
  • %DESTDIR%\isnotify.exe
  • %DESTDIR%\issearch.exe
  • %DESTDIR%\ldXXXX.tmp
  • %DESTDIR%\mscornet.exe
  • %DESTDIR%\mssearchnet.exe
  • %DESTDIR%\nvctrl.exe
  • %DESTDIR%\pmmon.exe
  • %DESTDIR%\pmsngr.exe
  • %DESTDIR%\pmuninst.exe

Depending on the variant of Zlob, %DESTDIR% represents:

  • the Windows\System32 folder
  • a folder under Program Files named after the fake codec, for example C:\Program Files\IntCodec\

During installation, the following registry keys and Class IDs are created:

  • HKEY_CLASSES_ROOT\CLSID\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
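As an added example (not part of the F-Secure description or its disinfection tool), the following Python triage script scans a regedit export for entries under the autostart keys listed above that point at the file names from the installation list, resolving CLSID-only entries (Browser Helper Objects, ShellServiceObjectDelayLoad, SharedTaskScheduler) through HKEY_CLASSES_ROOT\CLSID. The sample export, its CLSID, and the reading of "XXXX" in the .tmp names as any four characters are constructed assumptions.

```python
import re
# Autostart keys the page lists as created by Zlob (HKLM; compared case-insensitively, subkeys included).
_CV = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
ZLOB_AUTOSTART_KEYS = tuple(_CV + "\\" + s for s in (
    "Run", r"policies\explorer\run", "ShellServiceObjectDelayLoad",
    r"Explorer\SharedTaskScheduler", r"Explorer\Browser Helper Objects"))
# File names from the page's installation list; the XXXX in the .tmp names is taken as any four characters.
ZLOB_FILES = re.compile(
    r"\\(?:(?:hp|ld).{4}\.tmp|(?:iesplugin|isaddon)\.dll|(?:iesuninst|isamini|isamonitor|isauninst|ishost|"
    r"ismon|isnotify|issearch|mscornet|mssearchnet|nvctrl|pmmon|pmsngr|pmuninst)\.exe)(?![\w.])", re.I)
CLSID = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)

# Constructed regedit export (not a real capture): a clean Run entry, a Zlob Run entry, and a BHO whose made-up CLSID resolves to isaddon.dll in the fake-codec folder.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"ismon"="C:\\WINDOWS\\system32\\ismon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-00000000BEEF}]
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-00000000BEEF}\InProcServer32]
@="C:\\Program Files\\IntCodec\\isaddon.dll"
"""

def parse_reg(text):  # regedit 5.00 export -> {key: {value_name: data}}; REG_SZ unescaped, other types kept raw
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            if data.startswith('"') and data.endswith('"'):  # quoted REG_SZ: undo \\ and \" escaping
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name.strip('"')] = data
    return keys

def find_zlob_autostarts(reg_text):  # -> [(autostart_key, path)] for entries whose target is a Zlob file name
    keys = parse_reg(reg_text)
    by_lower = {k.lower(): v for k, v in keys.items()}
    hits = []
    for key, values in keys.items():
        if not any(key.lower() == r.lower() or key.lower().startswith(r.lower() + "\\") for r in ZLOB_AUTOSTART_KEYS):
            continue
        hits += [(key, d) for d in values.values() if ZLOB_FILES.search(d)]  # direct paths (Run keys)
        # CLSID-only entries (BHO subkeys, SSODL, SharedTaskScheduler) resolve via HKCR\CLSID\{...}\InProcServer32.
        for clsid in CLSID.findall(" ".join([key, *values, *values.values()])):
            server = by_lower.get(r"hkey_classes_root\clsid\%s\inprocserver32" % clsid.lower(), {}).get("@", "")
            if ZLOB_FILES.search(server):
                hits.append((key, server))
    return hits
```

On a live system the input would come from `reg export` of the HKLM CurrentVersion and HKCR\CLSID hives; a hit is a lead for the disinfection steps above, not proof on its own, since legitimate software can reuse generic names.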




