Discovered: April 22, 2006
Updated: April 23, 2006 2:14:15 PM
Also Known As: TROJ_ZLOB.MU [Trend]
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Trojan.Zlob.K is a Trojan horse that may download and execute remote files and redirect the Internet Explorer home page and search page.
Once executed, the Trojan drops the following files:
%System%\ncompat.tlb
%System%\interf.tlb
%System%\hp[RANDOM CHARACTERS].tmp
The Trojan will then create the following registry entry, so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"nvctrl.exe" = "nvctrl.exe"
The Trojan deletes all entries under the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta
The Trojan also creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta\{edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e}
It then adds an encryption key to the following folders, which it may use to encrypt data associated with the Trojan itself or any data it gathers from the compromised computer:
%UserProfile%\Application Data\Microsoft\Crypto\RSA
%UserProfile%\Application Data\Microsoft\Protect
The Trojan then redirects the Internet Explorer home page to the following URL regardless of the registry settings:
www.securitysafeguards.net
The Trojan will redirect all Internet Explorer address bar searches and page not found errors to the following URLs, regardless of the registry settings:
www.securitysafeguards.net/search.php
www.dns404.com
The Trojan may also attempt to download and execute remote files.
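The file names, the policies\Explorer\Run value and the BHO CLSID listed above are the host-side indicators a responder can hunt for. The following Python script is an added example (not Symantec's code and not part of the original writeup): it parses the text of a registry export (the `.reg` format written by regedit or `reg export`) and a directory listing of %System%, and reports which of the listed indicators are present. The sample export and file list embedded below are constructed for the example; the parser only handles the simple `"name"="string"` and `@="string"` value forms, which is all that is needed for these indicators.

```python
import re

# Indicators as listed in the Trojan.Zlob.K writeup.
ZLOB_CLSID = "{edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e}"
RUN_POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run"
RUN_VALUE_NAME = "nvctrl.exe"
MISSPELLED_BHO_KEY = r"\Browser Helper Objecta"  # the misspelled subkey the writeup lists
DROPPED_FILE_PATTERNS = [
    re.compile(r"^ncompat\.tlb$", re.I),
    re.compile(r"^interf\.tlb$", re.I),
    re.compile(r"^hp[^\\]*\.tmp$", re.I),  # hp[RANDOM CHARACTERS].tmp
]

# Constructed sample .reg export (not captured from a real host) showing
# the Run policy value and two of the CLSID keys from the writeup.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"nvctrl.exe"="nvctrl.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e}]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e}]
@=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.example.test/"
"""

# Constructed listing of %System% (file names only).
SAMPLE_SYSTEM_LISTING = ["kernel32.dll", "ncompat.tlb", "hpAb12.tmp", "help.tmp"]

_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from .reg text.

    Only simple one-line string values are parsed; hex(...) values with
    line continuations are ignored, which is sufficient for these checks.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue
        name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = data[1:-1]
        keys[current][name] = data
    return keys


def check_registry_indicators(keys):
    """Return (indicator, key_or_value_path) tuples for every hit."""
    findings = []
    for path, values in keys.items():
        low = path.lower()
        if low == RUN_POLICY_KEY.lower():
            for name in values:
                if name.lower() == RUN_VALUE_NAME:
                    findings.append(("run_policy_value", path + "\\" + name))
        if ZLOB_CLSID in low:
            findings.append(("zlob_clsid_key", path))
        if MISSPELLED_BHO_KEY.lower() in low:
            findings.append(("misspelled_bho_key", path))
    return findings


def check_dropped_files(filenames):
    """Return the names from a %System% listing that match the dropped-file patterns."""
    return [f for f in filenames if any(p.match(f) for p in DROPPED_FILE_PATTERNS)]


if __name__ == "__main__":
    for kind, where in check_registry_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"[registry] {kind}: {where}")
    for name in check_dropped_files(SAMPLE_SYSTEM_LISTING):
        print(f"[file] dropped-file pattern: {name}")
```

On a real host the input would come from `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion hklm.reg` and a listing of %System%; the checks are deliberately case-insensitive because registry paths and Windows file names are.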