Zlob trojan Information & Zlob trojan Links at HealthHaven.com

The Zlob Trojan, also known as Trojan.Zlob, is a trojan horse that masquerades as a required video codec delivered as an ActiveX component. It was first detected in late 2005, but only started gaining attention in mid-2006.[1] Once installed, it displays popup ads that resemble genuine Microsoft Windows warning popups, informing the user that their computer is infected with spyware. Clicking these popups triggers the download of a fake anti-spyware program (such as Virus Heat and MS Antivirus (Antivirus 2009)) in which the trojan horse is hidden.[1]

The group that created Zlob has also created a Mac trojan with similar behaviour (named RSPlug).[2] Some variants of the Zlob family, such as the so-called DNSChanger, add rogue DNS name servers to the Registry of Windows-based computers[3] and attempt to hack into any detected router to change its DNS settings, which could re-route traffic from legitimate web sites to other, suspicious web sites.
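One way to check a Windows host for the rogue name servers described above, as an added example that is not part of the original article: it parses the text output of `reg query` over the standard Tcpip interfaces key and reports any configured resolver outside an approved range. The registry path is the usual Windows location and is not named on the page; the sample output, GUIDs, addresses and allowlist are constructed.

```python
import ipaddress
import re

# Constructed sample of the output of:
#   reg query HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces /s
# GUIDs and addresses are made up (documentation ranges).
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-1111-1111-1111-111111111111}
    EnableDHCP    REG_DWORD    0x1
    DhcpNameServer    REG_SZ    192.0.2.53
    NameServer    REG_SZ

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{22222222-2222-2222-2222-222222222222}
    NameServer    REG_SZ    198.51.100.7,198.51.100.8
    DhcpNameServer    REG_SZ    192.0.2.53 192.0.2.54
"""

# Assumption: the organisation's approved resolvers all live in this network.
APPROVED = [ipaddress.ip_network("192.0.2.0/24")]

VALUE_RE = re.compile(r"^\s+(NameServer|DhcpNameServer)\s+REG_SZ\s*(.*)$")


def audit_dns(reg_output, approved=APPROVED):
    """Return [(interface, value_name, address)] for resolvers outside `approved`."""
    findings, key = [], None
    for line in reg_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip().rsplit("\\", 1)[-1]  # keep only the interface GUID
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, data = m.groups()
        # Windows stores several servers comma- or space-separated in one value.
        for token in re.split(r"[,\s]+", data.strip()):
            if not token:
                continue
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:
                findings.append((key, name, token))  # unparseable data is reported too
                continue
            if not any(addr in net for net in approved):
                findings.append((key, name, token))
    return findings


if __name__ == "__main__":
    for key, name, addr in audit_dns(SAMPLE_REG_OUTPUT):
        print(f"unapproved resolver {addr} in {name} on interface {key}")
```

This covers only the host-side Registry settings; DNS settings changed on a router have to be checked on the router itself.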

The trojan has also been linked to downloading atnvrsinstall.exe, which uses the Windows Security shield icon to look like an antivirus installation file from Microsoft. Running this file can wreak havoc on computers and networks. One symptom is random computer shutdowns or reboots with random comments. This is caused by the programs using Scheduled Tasks to run a file called "zlberfker.exe".

PHSDL - Project Honeypot Spam Domains List[4] tracks and catalogues Zlob spam domains. Some of the domains on the list redirect to porn sites and various video-watching sites that show a number of inline videos. Clicking a video to play it triggers a request to download an ActiveX codec, which is malware. It prevents the user from closing the browser in the usual manner. Other variants of the Zlob trojan install in the form of a computer scan that comes as a Java cab.[5]

There is evidence that the Zlob trojan might be a tool of the Russian Business Network[6] or at least of Russian origin.[7]

External links

Anti Zlob Malware Forums



