

Risk Level 1: Very Low

April 23, 2005
June 1, 2006 2:36:46 PM
Also Known As:
Zlob.VideoActiveXObject [Spybot-S&D], Trojan-Downloader-Zlob [Sunbelt Software]
Systems Affected:
Trojan.Zlob has been renamed from Trojan.Zhopa.

Trojan.Zlob is a Trojan that allows a remote attacker to perform various malicious actions on the compromised computer.

When Trojan.Zlob is executed, it copies itself as one of the following:
  • %System%\msmsgs.exe
  • %System%\ld100.tmp
  • %System%\regperf.exe

It may create the following registry entries so that the Trojan runs every time Windows starts:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"MSN Messenger" = "%System%\msmsgs.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe, msmsgs.exe"

The Trojan also adds the following registry entries:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\"wininet.dll" = "regperf.exe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\"notepad.exe" = "msmsgs.exe"

It also adds the following marker in the registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\"uuid" = "86c29b2f-3389-418b-9b47-c2b09b6abc07"

The Trojan then injects itself into explorer.exe.

It attempts to make HTTP connections to the following hosts:
  • vnp7s.net
  • zxserv0.com
  • dumpserv.com

The Trojan requests different URLs on these hosts, which let it ping the server, report its status, and execute remote files.
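As an added host check (not part of Symantec's writeup), the following PowerShell script tests a machine for the dropped files, autostart entries and registry marker listed above. It assumes %System% resolves to $env:SystemRoot\System32 and that the script runs elevated; on a clean system the Winlogon Shell value is plain explorer.exe.

```powershell
# Added hunt script for the Trojan.Zlob indicators above; run from an elevated prompt.
$system   = Join-Path $env:SystemRoot 'System32'   # assumed location of %System%
$findings = @()

# 1. Dropped copies of the Trojan
foreach ($name in 'msmsgs.exe', 'ld100.tmp', 'regperf.exe') {
    $p = Join-Path $system $name
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

# 2. Autostart entries: the Run key and the Winlogon Shell value
$run = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.'MSN Messenger' -match 'msmsgs\.exe') {
    $findings += "Run value 'MSN Messenger' = $($run.'MSN Messenger')"
}
$wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
# Anything appended to the Shell value (e.g. ", msmsgs.exe") is started with the desktop
if ($wl -and $wl.Shell -and $wl.Shell -ne 'explorer.exe') {
    $findings += "Winlogon Shell modified: $($wl.Shell)"
}

# 3. Policies\Explorer\Run entries, which are also launched at logon
$pol = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' -ErrorAction SilentlyContinue
foreach ($v in 'wininet.dll', 'notepad.exe') {
    if ($pol -and $pol.$v) { $findings += "Policies\Explorer\Run value '$v' = $($pol.$v)" }
}

# 4. Infection marker written under CurrentVersion
$mk = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion' -Name 'uuid' -ErrorAction SilentlyContinue
if ($mk -and $mk.uuid -eq '86c29b2f-3389-418b-9b47-c2b09b6abc07') {
    $findings += "Infection marker 'uuid' present under HKLM\...\CurrentVersion"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else          { Write-Output 'No Trojan.Zlob indicators found.' }
```

Because the Trojan injects into explorer.exe, a clean file-system and registry result is not proof of a clean host; pair this with a memory or network check for the hosts listed above.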