Threat description




This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.


Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

Trojan-Downloader:W32/Zlob is a large family of malicious programs that download and install Spyware and Adware applications such as:

  • MalwareWipe
  • SpyAxe
  • SpyFalcon
  • SpywareQuake
  • SpywareStrike
  • WinAntivirusPro

Many of these applications may also be classified as Rogueware.

Some later Zlob variants include a backdoor component which allows the attacker to manipulate the victim's PC.


Zlob itself is installed on the system by tricking the user into downloading a fake codec or protection system, such as:

  • HQCodec
  • iCodecPack
  • IntCodec
  • iVideoCodec
  • JpegEncoder
  • KeyCodec
  • MedCodec
  • Media-Codec
  • MMCodec
  • MMedia Codec
  • PlayerCodec
  • PornPassManager
  • PowerCodec
  • SoftCodec
  • TrueCodec
  • UpToDateProtection
  • VCCodec
  • VidCodec
  • VidCodecs
  • VideosCodec
  • X Pass Generator
  • XXXCodec
  • ZipCodec

Note: Most of the names above are also .com domains, e.g.

The installation process creates some of the following files, depending on the variant:

  • %DESTDIR%\hpXXXX.tmp
  • %DESTDIR%\iesplugin.dll
  • %DESTDIR%\iesuninst.exe
  • %DESTDIR%\isaddon.dll
  • %DESTDIR%\isamini.exe
  • %DESTDIR%\isamonitor.exe
  • %DESTDIR%\isauninst.exe
  • %DESTDIR%\ishost.exe
  • %DESTDIR%\ismon.exe
  • %DESTDIR%\isnotify.exe
  • %DESTDIR%\issearch.exe
  • %DESTDIR%\ldXXXX.tmp
  • %DESTDIR%\mscornet.exe
  • %DESTDIR%\mssearchnet.exe
  • %DESTDIR%\nvctrl.exe
  • %DESTDIR%\pmmon.exe
  • %DESTDIR%\pmsngr.exe
  • %DESTDIR%\pmuninst.exe

Depending on the variant of Zlob, %DESTDIR% represents:

  • The Windows\System32 folder
  • A folder in Program Files named after the fake codec, for example: C:\Program Files\IntCodec\
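
As an added example (not F-Secure's code), the file names and %DESTDIR% locations above can be turned into a triage check over a file listing. It assumes that XXXX in hpXXXX.tmp and ldXXXX.tmp stands for any four characters; the names scan and destdir_kind and the sample paths are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

ZLOB_FILES = {  # file names listed on this page, lower-cased
    "iesplugin.dll", "iesuninst.exe", "isaddon.dll", "isamini.exe",
    "isamonitor.exe", "isauninst.exe", "ishost.exe", "ismon.exe",
    "isnotify.exe", "issearch.exe", "mscornet.exe", "mssearchnet.exe",
    "nvctrl.exe", "pmmon.exe", "pmsngr.exe", "pmuninst.exe",
}
# hpXXXX.tmp / ldXXXX.tmp. ASSUMPTION: XXXX stands for any four characters.
ZLOB_TMP = re.compile(r"(hp|ld).{4}\.tmp", re.IGNORECASE)
FAKE_CODECS = {n.lower() for n in (  # fake codec names listed on this page
    "HQCodec", "iCodecPack", "IntCodec", "iVideoCodec", "JpegEncoder",
    "KeyCodec", "MedCodec", "Media-Codec", "MMCodec", "MMedia Codec",
    "PlayerCodec", "PornPassManager", "PowerCodec", "SoftCodec", "TrueCodec",
    "UpToDateProtection", "VCCodec", "VidCodec", "VidCodecs", "VideosCodec",
    "X Pass Generator", "XXXCodec", "ZipCodec")}

def destdir_kind(path):
    """Return 'system32' or 'codec-folder' if the file's folder is a %DESTDIR%."""
    folder = PureWindowsPath(path).parent
    name, above = folder.name.lower(), folder.parent.name.lower()
    if (above, name) == ("windows", "system32"):
        return "system32"
    if above == "program files" and name in FAKE_CODECS:
        return "codec-folder"
    return None

def scan(paths):
    """Return (path, destdir_kind) for listed Zlob names found in a %DESTDIR%."""
    hits = []
    for path in paths:
        fname = PureWindowsPath(path).name.lower()
        kind = destdir_kind(path)
        if kind and (fname in ZLOB_FILES or ZLOB_TMP.fullmatch(fname)):
            hits.append((path, kind))
    return hits

SAMPLE = [  # constructed listing, not taken from a real host
    r"C:\Windows\System32\isamonitor.exe",
    r"C:\Program Files\IntCodec\iesplugin.dll",
    r"C:\WINDOWS\system32\ld3F2A.tmp",
    r"C:\Users\test\Downloads\ismon.exe",     # listed name, wrong folder
    r"C:\Windows\System32\hp12345.tmp",       # five characters, no match
    r"C:\Program Files\VidCodec\readme.txt",  # codec folder, unlisted name
]

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

A hit is a name-and-location match only, so confirm it with a product scan before acting on it.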

During installation, the following registry keys and Class IDs are created:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

Description Created: 2010-06-03 11:28:21.0

Description Last Modified: 2011-11-15 17:00:00.0
