
Trojan.Zlob.N

Risk Level 1: Very Low

Discovered: May 8, 2007
Updated: May 8, 2007 4:56:19 PM
Type: Trojan
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When the Trojan is executed, it installs the following toolbar in Internet Explorer:
Protection Bar

The Trojan then creates the following files:
  • %CurrentFolder%\smmain.exe
  • %CurrentFolder%\smmon.exe
  • %CurrentFolder%\splug.dll
  • %CurrentFolder%\spunst.exe
  • %CurrentFolder%\smunst.exe

It may also drop the following file:
%ProgramFiles%\Video ActiveX Access\iesmin.exe

Next, the Trojan creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\"rare" = "%CurrentFolder%\smmain.exe"

It also creates the following registry entry:
HKEY_CURRENT_USER\Software\Protection Tools\"65005" = "1"

The Trojan also creates the following registry subkeys:
HKEY_CLASSES_ROOT\CLSID\{F0993251-2512-4710-AF6E-0A13EA199D02}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{F0993251-2512-4710-AF6E-0A13EA199D02}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F0993251-2512-4710-AF6E-0A13EA199D02}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{F0993251-2512-4710-AF6E-0A13EA199D02}

The Trojan may periodically display the following windows:
Protection Center
Warning! Spyware threat!
Critical System Warning!

Title:
System Alert: Malware Threats
Message:
Your computer is infected with a back door Trojan that allows the remote attacker to perform various malicious actions. Click this baloon to download malware removal software.

Title:
System Alert: Trojan-Spy.Win32@mx

Title:
System Alert: Trojan-Spy.Win32@mx
Message:
Type: Spyware/Trojan
Vulnerable: Windows 95/98/ME/NT/2003/Windows XP
Description: Spyware program that sends confidential information to a remote attacker
Protection: Click this baloon to download official security software.

Title:
Security Alert: NetWorm-i.Virus@fp
Message:
Type: Virus/Network Worm
Damage Level: High
Description: Virus that infects executable files.
Recommendation: Delete/quarantine immediately.
Protection: Click this baloon to download certified Antivirus software.

Title:
System perfomance monitor: Warning
Message:
Summary:
System performance slowed down by: 47%
Internet connection speed decreased by: 39%
Probable reason: Spyware applications / Adware popup windows
Click this baloon to download spyware scan tool to remove spyware/adware applications.

Title:
Security Alert: Spyware found
Message:
Your computer is infected with last version of PSW.x-Vir trojan. PSW trojans steal your private information such as: passwords, IP-address, credit card information, registration details, documents, etc. Click this baloon to remove PSW.x-Vir spyware.

Title:
Critical System Warning!
Message:
Your system is probably infected with latest version of Spyware.CyberLog-X.
Type: Spyware
Infection Length: 266,129 bytes
Risk: High
Systems Affected: Windows 95, 98, 2000, NT, 2003 Server, Windows XP
Behavior: Spyware.CyberLog-X is a spyware program that monitors user activity, logs keystrokes, and tracks Web sites visited.
Symptoms: Low Internet connection speed Low system perfomance Security center alerts Strange pop up windows
Protection: Click OK to donwload antispyware software.

Title:
Internet Explorer Alert
Message:
Your computer is infected with adware or spyware that displays advertisements while you browse the Internet. Would you like to download additional software to remove malware threats and protect your system?

Title:
Security warning: New variant of SpyBot@MXt
Message:
You are unprotected from new version of SpyBot@MXt trojan. SpyBot@MXt is a trojan horse that steals information and gathers email addresses from the compromised computer. Click OK to download antivirus software and pass full system scan to delete/quarantine infected files.

Title:
Fatal Error!
Message:
Unhandled Exception: Invalid opertaion. The instruction at "0x66f7d450" referenced memory at "0x00000d0". If you were in the middle of something, the information you were working on might be lost. This fatal error probably occured because of a virus on your PC. Would you like to download latest version of antivirus software?

The Trojan will then connect to the following Web site and attempt to download other potentially malicious files:
lbgate.com
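The file names, registry paths, CLSID and download domain listed above are the artifacts a defender would hunt for. The following Python is an added example, not part of the Symantec writeup: it encodes those indicators and matches them against host telemetry. The input records are a constructed, simplified `Key=Value|Key=Value` rendering of a few Sysmon event fields (EventID 11 file create, 12/13 registry key/value, 22 DNS query); the field names follow Sysmon, but the line format, host paths, user name and `scan`/`match_record` helpers are assumptions made here, not real logs or a real tool. Paths in the writeup use `%CurrentFolder%` and `%ProgramFiles%` placeholders, so file indicators are matched on the base name only.

```python
"""Match Trojan.Zlob.N indicators from the writeup against host telemetry.

Added example, not from the writeup. The sample records are a constructed,
simplified key=value rendering of Sysmon event fields; they are not real logs.
"""
import ntpath

# Indicators taken from the writeup above.
ZLOB_N_FILES = {
    "smmain.exe", "smmon.exe", "splug.dll", "spunst.exe", "smunst.exe",
    "iesmin.exe",  # dropped under %ProgramFiles%\Video ActiveX Access
}
ZLOB_N_CLSID = "{F0993251-2512-4710-AF6E-0A13EA199D02}"
ZLOB_N_RUN_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
                  r"\policies\explorer\run")
ZLOB_N_RUN_VALUE = "rare"
ZLOB_N_TOOLS_KEY = r"HKEY_CURRENT_USER\Software\Protection Tools"
ZLOB_N_DOMAIN = "lbgate.com"

# Telemetry usually abbreviates hive names; the writeup spells them out.
HIVE_ALIASES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
                "HKCR": "HKEY_CLASSES_ROOT", "HKU": "HKEY_USERS"}


def normalize_reg_path(path: str) -> str:
    """Expand short hive names and fold case so writeup paths and telemetry compare."""
    hive, sep, rest = path.partition("\\")
    hive = HIVE_ALIASES.get(hive.upper(), hive.upper())
    return (hive + sep + rest).lower()


def parse_record(line: str) -> dict:
    """Parse one 'Key=Value|Key=Value' record (constructed format, assumption)."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        if key:
            fields[key] = value
    return fields


def match_record(rec: dict) -> list:
    """Return the names of every Zlob.N indicator the record matches."""
    hits = []
    target = rec.get("TargetFilename")
    if target:
        name = ntpath.basename(target).lower()
        if name in ZLOB_N_FILES:
            hits.append("file:" + name)
    obj = rec.get("TargetObject")
    if obj:
        norm = normalize_reg_path(obj)
        # Toolbar/BHO CLSID appears under several hives; match it anywhere in the path.
        if ZLOB_N_CLSID.lower() in norm:
            hits.append("registry:clsid")
        # Persistence via the policies\explorer\run value named "rare".
        if norm == normalize_reg_path(ZLOB_N_RUN_KEY + "\\" + ZLOB_N_RUN_VALUE):
            hits.append("registry:policies-run")
        if norm.startswith(normalize_reg_path(ZLOB_N_TOOLS_KEY)):
            hits.append("registry:protection-tools")
    query = rec.get("QueryName", "").lower()
    if query == ZLOB_N_DOMAIN or query.endswith("." + ZLOB_N_DOMAIN):
        hits.append("dns:" + ZLOB_N_DOMAIN)
    return hits


def scan(lines) -> list:
    """Return (line number, matched indicators) for each record that matches."""
    findings = []
    for n, line in enumerate(lines, 1):
        hits = match_record(parse_record(line))
        if hits:
            findings.append((n, hits))
    return findings


# Constructed sample telemetry (not real logs); user name and paths are made up.
SAMPLE_LOG = [
    r"EventID=11|Image=C:\Users\alice\Downloads\codec.exe|TargetFilename=C:\Users\alice\Downloads\smmain.exe",
    r"EventID=13|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\rare|Details=C:\Users\alice\Downloads\smmain.exe",
    r"EventID=12|TargetObject=HKCR\CLSID\{F0993251-2512-4710-AF6E-0A13EA199D02}",
    r"EventID=13|TargetObject=HKCU\Software\Protection Tools\65005|Details=DWORD (0x00000001)",
    r"EventID=22|QueryName=lbgate.com|Image=C:\Users\alice\Downloads\smmain.exe",
    r"EventID=11|Image=C:\Windows\explorer.exe|TargetFilename=C:\Users\alice\Documents\notes.txt",
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```

A hit on the `policies\explorer\run` value or the CLSID on its own is a stronger signal than a bare file-name match, since the file names are short and generic; in practice the file and DNS indicators are best treated as corroboration for the registry ones.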

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.
Writeup By: Sean Kiernan