Skip to main content

Choose your country

Trojan-Downloader:W32/Zlob

Classification

Category:

Malware

Platform:

W32

Type:

Trojan-downloader

Aliases:

  • Trojan-Downloader:W32/Zlob
  • Win32.Trojandownloader.Zlob
  • Trojan-Downloader.Win32.Zlob

Summary

This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.

Removal

Technical Details

Trojan-Downloader:W32/Zlob is a large family of malicious programs that download and install Spyware and Adware applications such as:

  • MalwareWipe
  • SpyAxe
  • SpyFalcon
  • SpywareQuake
  • SpywareStrike
  • WinAntivirusPro

Many of these applications may also be classified as Rogueware.

Some later Zlob variants include a backdoor component which allow the attacker to manipulate the victim's PC.

Installation

Zlob itself is installed on the system by tricking the user into downloading a fake codec or protection system, such as:

  • HQCodec
  • iCodecPack
  • IntCodec
  • iVideoCodec
  • JpegEncoder
  • KeyCodec
  • MedCodec
  • Media-Codec
  • MMCodec
  • MMedia Codec
  • PlayerCodec
  • PornPassManager
  • PowerCodec
  • SoftCodec
  • TrueCodec
  • UpToDateProtection
  • VCCodec
  • VidCodec
  • VidCodecs
  • VideosCodec
  • X Pass Generator
  • XXXCodec
  • ZipCodec

Note: Most of the names above are also .com domains as well, e.g. VidCodecs.com.

The installation process creates some of these files (depends on the variant).

  • %DESTDIR%\hpXXXX.tmp
  • %DESTDIR%\iesplugin.dll
  • %DESTDIR%\iesuninst.exe
  • %DESTDIR%\isaddon.dll
  • %DESTDIR%\isamini.exe
  • %DESTDIR%\isamonitor.exe
  • %DESTDIR%\isauninst.exe
  • %DESTDIR%\ishost.exe
  • %DESTDIR%\ismon.exe
  • %DESTDIR%\isnotify.exe
  • %DESTDIR%\issearch.exe
  • %DESTDIR%\ldXXXX.tmp
  • %DESTDIR%\mscornet.exe
  • %DESTDIR%\mssearchnet.exe
  • %DESTDIR%\nvctrl.exe
  • %DESTDIR%\pmmon.exe
  • %DESTDIR%\pmsngr.exe
  • %DESTDIR%\pmuninst.exe

Based on the variant of Zlob, %DESTDIR% represents:

  • Windows\System32 folder
  • Folder located in the Program Files, named the same as the fake codec. For example: C:\Program Files\IntCodec\

During installation, the following registry keys and Class IDs are created:

  • HKEY_CLASSES_ROOT\CLSID\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

Protect your devices from malware with F‑Secure Total

Protecting your devices from malicious software is essential for maintaining online security. F‑Secure Total makes this easy, helping you to secure your devices in a brilliantly simple way.

  • Award‑winning antivirus and malware protection

  • Online browsing, banking, and shopping protection

  • 24/7 online identity and data breach monitoring

  • Unlimited VPN service to safe­guard your privacy

  • Password manager with private data protection

Choose how many devices you want to protect to get started.

  • Free customer support

  • Cancel anytime

  • The trial does not obligate you to buy the product

Try Total 30 days for free

After 30 days your subscription will renew automatically for one year at €69.99.

More Support

Community

Ask questions in our Community.

User guides

Check the user guide for instructions.

Contact Support

Chat with with or call an agent.

Submit a Sample

Submit a file or URL for analysis.