Zlob trojan
The Zlob Trojan, identified by some antivirus products as Trojan.Zlob, is a trojan horse that masquerades as a video codec the user supposedly needs, delivered in the form of an ActiveX control. It was first detected in late 2005, but only started gaining attention in mid-2006. Once installed, it displays popup ads styled to resemble genuine Microsoft Windows warning dialogs, informing the user that their computer is infected with spyware. Clicking these popups triggers the download of a fake anti-spyware program (such as Virus Heat and MS Antivirus (Antivirus 2009)) in which the trojan horse is hidden.

The group that created Zlob has also created a Mac trojan with similar behaviour (named RSPlug). Some variants of the Zlob family, like the so-called DNSChanger, add rogue DNS name servers to the registry of Windows-based computers and attempt to break into any router they detect to change its DNS settings, so that traffic intended for legitimate web sites could be re-routed to other, suspicious web sites.

The trojan has also been linked to downloading atnvrsinstall.exe, which uses the Windows Security shield icon to look like an antivirus installation file from Microsoft. Running this file can wreak havoc on computers and networks. One symptom is random shutdowns or reboots accompanied by random comments; this is caused by the malware using Scheduled Tasks to run a file called "zlberfker.exe".
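The two persistence and tampering behaviours described above (rogue DNS servers written into the registry, and a Scheduled Task that launches a dropped executable) are both things a defender can audit locally. The following PowerShell script is an added example, not part of the article or of any vendor tool. It assumes a Windows host with PowerShell 3.0 or later, administrator rights, and the ScheduledTasks module (Get-ScheduledTask, available from Windows 8 / Server 2012 onward); the $ExpectedDns addresses are placeholders to be replaced with the resolvers your network actually uses. Because it also inspects the DHCP-assigned DhcpNameServer value, an unexpected entry there is the symptom you would see after the router-level DNS change the article mentions.

```powershell
# Added defensive audit script (not part of the Zlob article). Assumptions:
# - Windows host, PowerShell 3.0 or later, run from an elevated prompt
# - ScheduledTasks module present (Get-ScheduledTask)
# - $ExpectedDns lists the resolvers your network is supposed to use (placeholders)

$ExpectedDns = @('192.0.2.53', '192.0.2.54')                 # placeholder values
$SuspiciousNames = @('zlberfker.exe', 'atnvrsinstall.exe')   # file names from the article

# 1. Per-interface DNS settings live under this key. DNSChanger-style variants
#    overwrite the NameServer value; a hijacked router shows up in DhcpNameServer.
$ifaceRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
$dnsFindings = foreach ($iface in Get-ChildItem -Path $ifaceRoot) {
    $props = Get-ItemProperty -Path $iface.PSPath
    foreach ($valueName in 'NameServer', 'DhcpNameServer') {
        $raw = $props.$valueName
        if ([string]::IsNullOrWhiteSpace($raw)) { continue }
        # the value is a comma- or space-separated list of resolver addresses
        foreach ($server in ($raw -split '[ ,]+' | Where-Object { $_ })) {
            if ($ExpectedDns -notcontains $server) {
                [pscustomobject]@{
                    Check     = 'DNS'
                    Interface = $iface.PSChildName
                    Value     = $valueName
                    Server    = $server
                }
            }
        }
    }
}

# 2. Scheduled tasks whose action runs one of the named files, or whose
#    executable lives in a user-writable location where droppers usually land.
$taskFindings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $exe = $action.Execute
        if (-not $exe) { continue }
        $leaf = [System.IO.Path]::GetFileName($exe.Trim('"'))
        $inUserPath = $exe -match '\\Users\\|\\AppData\\|\\Temp\\'
        if (($SuspiciousNames -contains $leaf) -or $inUserPath) {
            [pscustomobject]@{
                Check    = 'Task'
                TaskPath = $task.TaskPath
                TaskName = $task.TaskName
                Execute  = $exe
                Args     = $action.Arguments
            }
        }
    }
}

$findings = @($dnsFindings) + @($taskFindings)
if ($findings.Count -eq 0) {
    'No unexpected DNS servers or suspicious scheduled task actions found.'
} else {
    $findings | Format-Table -AutoSize
}
```

The user-writable-path heuristic will also surface legitimate per-user updaters, so treat the task list as a review queue rather than a verdict; the DNS check, by contrast, is exact once the allowlist is correct.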
PHSDL (Project Honeypot Spam Domains List) tracks and catalogues Zlob spam domains. Some of the domains on the list redirect to porn sites and various video-watching sites that show a number of inline videos. Clicking a video to play it triggers a request to download an ActiveX codec which is in fact malware, and which prevents the user from closing the browser in the usual manner. Other variants of the Zlob installer take the form of a fake computer scan delivered as a Java cab file.

There is evidence that the Zlob trojan might be a tool of the Russian Business Network, or at least of Russian origin.
External links
- Zlob trojan description and removal instructions
- List of ActiveX Zlob Trojan fake codecs and other misleading Zlob-installers
- Listing of 113 fake codec domains
- Flash's Security Blog, a blog listing fake codecs and rogue security software.
- S!Ri.URZ, SmitfraudFix.
- Zlob/VideoAccess/Trojan.Win32.DNSChanger - malekal.com (fr)
- Anti Zlob Malware Forums