1. Symantec/
  2. Security Response/
  3. Attack Signatures/
  4. System Infected: Trojan Zlob Activity 2

System Infected: Trojan Zlob Activity 2

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects activities of Trojan.Zlob which, if infected, could allow further remote actions on the compromised computer.

Additional Information

Trojan.Zlob is a back door Trojan that allows the remote attacker to perform various malicious actions on the compromised computer.

When Trojan.Zlob is executed, it performs the following actions:

1. Copies itself as one of the following files:

* %System%\msmsgs.exe
* %System%\ld100.tmp
* %System%\regperf.exe

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

2. Adds the following value:

"Shell" = "Explorer.exe, msmsgs.exe"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

so that the Trojan runs every time Windows starts.

3. Creates the following value:

"MSN Messenger" = "%System%\msmsgs.exe"

to the registry subkey:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

so that the Trojan runs every time Windows starts.

4. Adds the following value:

"uuid" = "86c29b2f-3389-418b-9b47-c2b09b6abc07"

to the registry subkey:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion

5. Adds one of the following values:

"wininet.dll" = "regperf.exe"
"notepad.exe" = "msmsgs.exe"

to the registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

so that the Trojan runs when Windows starts or the user logs on.

6. Injects itself into the explorer.exe process.

7. Attempts to make HTTP connections to the following domains using different URLs, which allow the Trojan to ping, report it's status, and execute remote files:

* vnp7s.net
* zxserv0.com
* dumpserv.com

Affected

  • Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan and delete all the files detected asTrojan.Zlob.
4. Delete any values added to the registry.
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube