Discovered: April 23, 2005
Updated: June 1, 2006 2:36:46 PM
Also Known As: Zlob.VideoActiveXObject [Spybot-S&D], Trojan-Downloader-Zlob [Sunbelt Software]
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows 2000
Trojan.Zlob has been renamed from Trojan.Zhopa.
Trojan.Zlob is a Trojan that allows a remote attacker to perform various malicious actions on the compromised computer.
When Trojan.Zlob is executed, it copies itself as one of the following:
- %System%\msmsgs.exe
- %System%\ld100.tmp
- %System%\regperf.exe
It may create the following registry entries so that the Trojan runs every time Windows starts:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"MSN Messenger" = "%System%\msmsgs.exe"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe, msmsgs.exe"
The Trojan also adds the following registry entries:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\"wininet.dll" = "regperf.exe"
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\"notepad.exe" = "msmsgs.exe"
It also adds the following marker in the registry:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\"uuid" = "86c29b2f-3389-418b-9b47-c2b09b6abc07"
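The dropped files, autorun entries, Winlogon Shell change and uuid marker listed above can be checked against an exported registry hive. The following script is an added example for this write-up, not Symantec's tooling: it parses a .reg export (constructed sample input below, using the paths exactly as the write-up gives them) and flags the indicators. The Winlogon Shell check is deliberately generic: a clean value is exactly "Explorer.exe", so any appended program is reported regardless of its name.

```python
import re

# Indicators taken from the write-up. Registry paths compare case-insensitively,
# as Windows itself does.
ZLOB_RUN_ENTRIES = {
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "MSN Messenger"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run", "wininet.dll"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", "notepad.exe"),
}
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
CURRENTVERSION_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
ZLOB_UUID_MARKER = "86c29b2f-3389-418b-9b47-c2b09b6abc07"
DROPPED_FILES = {"msmsgs.exe", "ld100.tmp", "regperf.exe"}

# .reg exports write "name"="data" lines and escape backslashes as \\ .
_VALUE_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text):
    """Parse a .reg style export into (key, value_name, data) triples.
    Only REG_SZ ("name"="data") lines are handled, which is all the
    indicators above need."""
    entries = []
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = _VALUE_LINE.match(line)
            if m:
                name = m.group(1).replace("\\\\", "\\")
                data = m.group(2).replace("\\\\", "\\")
                entries.append((key, name, data))
    return entries


def find_zlob_indicators(entries):
    """Return a list of human-readable findings for the Zlob indicators."""
    findings = []
    run_lookup = {(k.lower(), n.lower()) for k, n in ZLOB_RUN_ENTRIES}
    for key, name, data in entries:
        k, n, d = key.lower(), name.lower(), data.lower()
        if (k, n) in run_lookup:
            findings.append(f"autorun entry {key}\\{name} = {data}")
        elif k == WINLOGON_KEY.lower() and n == "shell":
            # Zlob appends msmsgs.exe; anything beyond Explorer.exe is suspicious.
            if d.strip() != "explorer.exe":
                findings.append(f"Winlogon Shell modified: {data}")
        elif k == CURRENTVERSION_KEY.lower() and n == "uuid" and d == ZLOB_UUID_MARKER:
            findings.append(f"Zlob uuid marker under {key}")
        elif d.rsplit("\\", 1)[-1] in DROPPED_FILES:
            findings.append(f"references dropped file: {key}\\{name} = {data}")
    return findings


# Constructed sample export: two Zlob entries, the marker, and one benign autorun.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MSN Messenger"="%System%\\msmsgs.exe"
"Backup"="C:\\Program Files\\Backup\\backup.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe, msmsgs.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
"uuid"="86c29b2f-3389-418b-9b47-c2b09b6abc07"
'''

if __name__ == "__main__":
    for finding in find_zlob_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding)
```

On a live system the same triples can be produced with `reg export` of the keys above and fed to `parse_reg_export`; the benign "Backup" entry in the sample shows that only the named value names, the Shell value and the uuid marker are reported.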
The Trojan then injects itself into explorer.exe.
It attempts to make HTTP connections to the following hosts:
- vnp7s.net
- zxserv0.com
- dumpserv.com
The Trojan requests different URLs on these hosts to ping, report its status, and retrieve and execute remote files.
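The three hosts above are the network indicators a defender would search for in proxy or DNS logs. The following is an added example, not part of the original write-up: it scans constructed proxy log lines (timestamp, client, method, URL; the request paths are invented) and reports any request to a listed host or to a subdomain of one, while not matching unrelated names that merely end in the same letters.

```python
import re
from urllib.parse import urlsplit

# Hosts named in the write-up.
ZLOB_C2_HOSTS = {"vnp7s.net", "zxserv0.com", "dumpserv.com"}


def host_matches(host, indicators=ZLOB_C2_HOSTS):
    """True if host is an indicator or a subdomain of one.
    The leading dot in the suffix test prevents 'notdumpserv.com'
    from matching 'dumpserv.com'."""
    h = host.lower().rstrip(".")
    return any(h == ind or h.endswith("." + ind) for ind in indicators)


# Constructed log format: "<timestamp> <client-ip> <METHOD> <url>"
_LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+)")


def scan_proxy_log(lines):
    """Return (timestamp, client, host, url) for each request to a C2 host."""
    hits = []
    for line in lines:
        m = _LOG_LINE.match(line)
        if not m:
            continue
        host = urlsplit(m.group("url")).hostname or ""
        if host_matches(host):
            hits.append((m.group("ts"), m.group("client"), host, m.group("url")))
    return hits


# Constructed sample: two Zlob check-ins, one benign request, one look-alike host.
SAMPLE_PROXY_LOG = """\
2006-06-01T14:36:46Z 10.0.0.17 GET http://vnp7s.net/status
2006-06-01T14:36:47Z 10.0.0.17 GET http://www.example.com/index.html
2006-06-01T14:37:02Z 10.0.0.23 GET http://cdn.dumpserv.com/update.exe
2006-06-01T14:37:05Z 10.0.0.23 GET http://notdumpserv.com/
"""

if __name__ == "__main__":
    for ts, client, host, url in scan_proxy_log(SAMPLE_PROXY_LOG.splitlines()):
        print(f"{ts} {client} -> {host} ({url})")
```

Each hit names the client address, which is the first thing an incident responder needs in order to find the infected machine and check it for the file and registry indicators listed earlier in this write-up.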