This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
More scanning & removal options
More information on scanning or removal options is available in the documentation for your F-Secure security product, in the Downloads section of our Home - Global site.
You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.
Special Disinfection Tool
This utility deactivates the components of the Zlob trojan which silently install spyware/adware/rogue anti-spyware (such as SpywareQuake, SpyFalcon, MalwareWipe and SpywareStrike).
Note: The tool was last updated on October 6th, 2006.
1. Unzip f-spyaxe.zip to the desktop.
2. Reboot the computer into safe mode by pressing "F8" at boot up (see Microsoft's page for detailed instructions).
3. Double click f-spyaxe.reg and click yes to merge the information into the registry.
4. Reboot the machine.
Trojan-Downloader:W32/Zlob is a large family of malicious programs that download and install Spyware and Adware applications such as:
Many of these applications may also be classified as Rogueware.
Some later Zlob variants include a backdoor component which allows the attacker to manipulate the victim's PC.
Zlob itself is installed on the system by tricking the user into downloading a fake codec or protection system, such as:
- MMedia Codec
- X Pass Generator
Note: Most of the names above are also .com domains, e.g. VidCodecs.com.
The installation process creates some of these files, depending on the variant.
Depending on the variant of Zlob, %DESTDIR% represents:
- Windows\System32 folder
- Folder located in the Program Files, named the same as the fake codec. For example: C:\Program Files\IntCodec\
During installation, the following registry keys and Class IDs are created:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
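The following read-only PowerShell audit of the two registry locations listed above is an added example, not part of the F-Secure tool or of the original description. It assumes the standard COM registration layout (each Class ID resolving to a DLL under HKLM:\SOFTWARE\Classes\CLSID\<CLSID>\InprocServer32), which the page itself does not spell out, and it reports every registered helper object for review rather than deciding which ones are malicious.

```powershell
# Added example: list Browser Helper Objects registered under the keys named
# on this page and show which DLL each Class ID loads. Read-only; run from an
# elevated PowerShell prompt on the machine being checked.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta'
)

$report = foreach ($key in $bhoKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }

    foreach ($sub in Get-ChildItem -LiteralPath $key -ErrorAction SilentlyContinue) {
        $clsid = $sub.PSChildName

        # Assumption: standard COM layout, default value of InprocServer32 = DLL path.
        $serverKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dllPath = $null
        if (Test-Path -LiteralPath $serverKey) {
            $raw = (Get-Item -LiteralPath $serverKey).GetValue('')
            if ($raw) {
                $dllPath = [Environment]::ExpandEnvironmentVariables([string]$raw).Trim('"')
            }
        }

        $exists = [bool]($dllPath -and (Test-Path -LiteralPath $dllPath))
        $signature = if ($exists) {
            (Get-AuthenticodeSignature -FilePath $dllPath).Status
        } else {
            'n/a'
        }

        [pscustomobject]@{
            RegistryKey = Split-Path -Path $key -Leaf
            ClassId     = $clsid
            Dll         = $dllPath
            DllExists   = $exists
            Signature   = $signature
            # Unsigned or unresolvable entries deserve a manual look first.
            Review      = (-not $exists) -or ($signature -ne 'Valid')
        }
    }
}

$report | Sort-Object Review -Descending | Format-Table -AutoSize
```

Entries with Review set to True are only candidates for inspection: legitimate helper objects can also be unsigned, and a DLL sitting in System32 or a Program Files folder is not suspicious on that basis alone.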