
Trojan.Zlob

Risk Level 1: Very Low

Discovered: April 23, 2005
Updated: June 1, 2006 2:36:46 PM
Also Known As: Zlob.VideoActiveXObject [Spybot-S&D], Trojan-Downloader-Zlob [Sunbelt Software]
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Trojan.Zlob has been renamed from Trojan.Zhopa.

Trojan.Zlob is a Trojan that allows the remote attacker to perform various malicious actions on the compromised computer.

When Trojan.Zlob is executed, it copies itself as one of the following:
  • %System%\msmsgs.exe
  • %System%\ld100.tmp
  • %System%\regperf.exe


It may create the following registry entries so that the Trojan runs every time Windows starts:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"MSN Messenger" = "%System%\msmsgs.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe, msmsgs.exe"


The Trojan also adds the following registry entries:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\"wininet.dll" = "regperf.exe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\"notepad.exe" = "msmsgs.exe"


It also adds the following marker in the registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\"uuid" = "86c29b2f-3389-418b-9b47-c2b09b6abc07"

The Trojan then injects itself into explorer.exe.

It attempts to make HTTP connections to the following hosts:
  • vnp7s.net
  • zxserv0.com
  • dumpserv.com


The Trojan requests several different URLs on these hosts, which let it ping its controller, report its status, and execute remote files.
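As an added defender-side example that is not part of the Symantec write-up, the following Python script checks a registry export (.reg text) and a DNS query log for the indicators listed above: the dropped file names in the Run and Policies\Explorer\Run autorun locations, a Winlogon Shell value that is no longer plain Explorer.exe, the uuid marker, and lookups of the three contacted hosts. The registry text and the log lines are constructed samples; the log line format is an assumption, not a real product's format.

```python
"""Check a .reg export and DNS log lines for the Trojan.Zlob indicators
named in the write-up. Sample inputs at the bottom are constructed."""
import re
from typing import List, Tuple

# Indicators taken from the write-up.
DROPPED_FILES = {"msmsgs.exe", "ld100.tmp", "regperf.exe"}
C2_HOSTS = {"vnp7s.net", "zxserv0.com", "dumpserv.com"}
UUID_MARKER = "86c29b2f-3389-418b-9b47-c2b09b6abc07"

# Registry locations (hive stripped, lower-cased) the Trojan writes to.
PERSISTENCE_KEYS = {
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\policies\explorer\run",
}
WINLOGON_KEY = r"software\microsoft\windows nt\currentversion\winlogon"
MARKER_KEY = r"software\microsoft\windows\currentversion"

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')


def parse_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Parse [key] and "name"="value" lines of a .reg export into
    (key, name, value) tuples. Non-string values (dword:, hex:) are skipped."""
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            # .reg files escape each backslash as "\\"; undo that here.
            entries.append((key, m.group(1), m.group(2).replace("\\\\", "\\")))
    return entries


def _subkey(full_key: str) -> str:
    """Drop the hive name and lower-case the rest for comparison."""
    _hive, _sep, rest = full_key.partition("\\")
    return rest.lower()


def _mentions_dropped_file(value: str) -> bool:
    return any(name in value.lower() for name in DROPPED_FILES)


def scan_registry(text: str) -> List[str]:
    """Return a human-readable finding for every Zlob artifact in the export."""
    findings = []
    for key, name, value in parse_reg_export(text):
        sub = _subkey(key)
        if sub in PERSISTENCE_KEYS and _mentions_dropped_file(value):
            findings.append(f"autorun value {name!r} -> {value!r} under {key}")
        elif sub == WINLOGON_KEY and name.lower() == "shell":
            # A clean Winlogon Shell is exactly Explorer.exe; Zlob appends msmsgs.exe.
            if value.strip().lower() != "explorer.exe":
                findings.append(f"Winlogon Shell altered: {value!r}")
        elif sub == MARKER_KEY and name.lower() == "uuid" and value.lower() == UUID_MARKER:
            findings.append("Zlob uuid marker present")
    return findings


DNS_RE = re.compile(r"query=(\S+)")  # assumed log field layout


def scan_dns_log(lines) -> List[str]:
    """Return every queried name that is one of the C2 hosts or a subdomain of one."""
    hits = []
    for line in lines:
        m = DNS_RE.search(line)
        if not m:
            continue
        host = m.group(1).rstrip(".").lower()
        if any(host == h or host.endswith("." + h) for h in C2_HOSTS):
            hits.append(host)
    return hits


# Constructed sample data: an export of an infected machine and three DNS log lines.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MSN Messenger"="C:\\WINDOWS\\system32\\msmsgs.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe, msmsgs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"wininet.dll"="regperf.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
"uuid"="86c29b2f-3389-418b-9b47-c2b09b6abc07"
'''

SAMPLE_DNS = [
    "2006-06-01T14:36:46 client=10.0.0.5 query=vnp7s.net type=A",
    "2006-06-01T14:36:47 client=10.0.0.5 query=www.symantec.com type=A",
    "2006-06-01T14:36:49 client=10.0.0.7 query=update.dumpserv.com. type=A",
]

if __name__ == "__main__":
    for finding in scan_registry(SAMPLE_REG):
        print("REGISTRY:", finding)
    for host in scan_dns_log(SAMPLE_DNS):
        print("DNS:", host)
```

The registry check keys on the file names and locations from the write-up rather than on the exact value names ("MSN Messenger", "notepad.exe", "wininet.dll"), since those are easy to vary between samples, while the Winlogon Shell test flags any departure from plain Explorer.exe regardless of what was appended.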