Discovered: January 6, 2006
Updated: January 6, 2006 10:03:19 AM
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows 2000
Trojan.Zlob.H is a Trojan horse that may download and execute remote files and redirect the Internet Explorer home page and search page.
Once executed, the Trojan drops the following files:
%System%\ncompat.tlb
%System%\msvol.tlb
%System%\hp[RANDOM CHARACTERS].tmp
The Trojan will then create the following registry entry, so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"nvctrl.exe" = "nvctrl.exe"
The Trojan deletes all subkeys under the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta
The Trojan also creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{27150F81-0877-42E9-AF13-55E5A3439A26}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27150F81-0877-42E9-AF13-55E5A3439A26}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta\{27150F81-0877-42E9-AF13-55E5A3439A26}
The Trojan then creates the following registry subkey due to a bug:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curre\ntVersion\Explorer\Browser Helper Objects{27150F81-0877-42E9-AF13-55E5A3439A26}
The Trojan adds an encryption key to the following registry entries, which it may use to encrypt data associated with the Trojan itself or any data it gathers from the compromised computer:
%UserProfile%\Application Data\Microsoft\Crypto\RSA
%UserProfile%\Application Data\Microsoft\Protect
The Trojan then redirects the Internet Explorer home page to the following URL regardless of the registry settings:
www.securitycaution.com
The Trojan will redirect all Internet Explorer address bar searches and page-not-found errors to the following URLs regardless of the registry settings:
www.securitycaution.com/search.php
www.dns404.net
The Trojan may also attempt to download and execute remote files.
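As an added example that is not part of the original description: a small Python triage helper that parses a Regedit text export (assumed already decoded from UTF-16) and flags the registry indicators listed above, including the malformed "Curre\ntVersion" key. The export content below is constructed for the demonstration.

```python
import re

# Indicators taken from the Trojan.Zlob.H description above.
ZLOB_CLSID = "{27150F81-0877-42E9-AF13-55E5A3439A26}"
HKLM_SW = r"HKEY_LOCAL_MACHINE\SOFTWARE"
RUN_KEY = HKLM_SW + r"\Microsoft\Windows\CurrentVersion\policies\Explorer\Run"
CLSID_KEY = HKLM_SW + r"\Classes\CLSID" + "\\" + ZLOB_CLSID
BHO_BASES = [HKLM_SW + r"\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects",
             HKLM_SW + r"\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta"]
# The malformed key the description says is written "due to a bug":
# literal "Curre\ntVersion" and no backslash before the CLSID.
BUGGY_KEY = HKLM_SW + r"\Microsoft\Windows\Curre\ntVersion\Explorer\Browser Helper Objects" + ZLOB_CLSID

# Constructed sample export (what "reg export" / Regedit would produce on an infected host).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"nvctrl.exe"="nvctrl.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{27150F81-0877-42E9-AF13-55E5A3439A26}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27150F81-0877-42E9-AF13-55E5A3439A26}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curre\ntVersion\Explorer\Browser Helper Objects{27150F81-0877-42E9-AF13-55E5A3439A26}]
"""

def parse_reg_export(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into {key: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:                                   # new key section
            current = m.group(1)
            keys.setdefault(current, {})
        elif current is not None and "=" in line:  # "name"="data" under the current key
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip().strip('"')
    return keys

def find_zlob_indicators(keys):
    """Return the Zlob.H registry indicators present in a parsed export, in check order."""
    hits = []
    if keys.get(RUN_KEY, {}).get("nvctrl.exe") == "nvctrl.exe":
        hits.append("run-key: nvctrl.exe")
    if CLSID_KEY in keys:
        hits.append("clsid-registered")
    for base in BHO_BASES:
        if base + "\\" + ZLOB_CLSID in keys:
            hits.append("bho: " + base.rsplit("\\", 1)[1])
    if BUGGY_KEY in keys:
        hits.append("malformed-key")
    return hits

def scan_sample():
    return find_zlob_indicators(parse_reg_export(SAMPLE_EXPORT))

if __name__ == "__main__":
    for hit in scan_sample():
        print("indicator:", hit)
```

The same parser can be pointed at a real export of HKLM\SOFTWARE; a hit on the run key or on either Browser Helper Objects subkey is the quickest confirmation that the host matches this description.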