
Trojan.Zlob.G – Trojan Horse

December 6th, 2008

Trojan.Zlob.G is a Trojan horse that may download and execute remote files and redirect the Internet Explorer home page and searches.

  • Discovered: December 13, 2005
  • Type: Trojan Horse
  • Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Trojan.Zlob.G is executed, it performs the following actions:

  1. Drops the following files:
    • %System%\ncompat.tlb
    • %System%\msvol.tlb
    • %System%\hp[RANDOM CHARACTERS].tmp (detected as Trojan Horse)

      %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  2. Adds the value:  "nvctrl.exe" = "nvctrl.exe"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that it runs every time Windows starts.

  3. Deletes all subkeys under the following registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta

    which will disable any legitimate Browser Helper Objects.

  4. Creates the following registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1ca480cd-c0e5-4548-955e-b85b17905b3a}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1ca480cd-c0e5-4548-955e-b85b17905b3a}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta\{1ca480cd-c0e5-4548-955e-b85b17905b3a}

  5. Adds an encryption key to the following locations, which it may use to encrypt data associated with the Trojan itself or any data it gathers from the compromised computer:
    • %UserProfile%\Application Data\Microsoft\Crypto\RSA
    • %UserProfile%\Application Data\Microsoft\Protect

      %UserProfile% is a variable that refers to the current user’s profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
  6. It then redirects the Internet Explorer home page to the following URL regardless of the registry settings: www.yoursystemupdate.com/[REMOVED]
  7. Redirects all Internet Explorer address bar searches and page not found errors to the following URLs regardless of the registry settings:
    • www.yoursystemupdate.com/[REMOVED]/search.php
    • www.dns404.net/[REMOVED]
  8. Attempts to download and execute remote files.
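The indicators in steps 1 to 8 (dropped file names, the Run value, the BHO CLSID under both the real and the misspelt "Browser Helper Objecta" key, and the redirect domains) can be checked offline against a registry export and a directory listing. The script below is an added example written for this post, not part of the original write-up or of any vendor tool. It assumes a regedit-style .reg text export and a plain list of file paths as input; the sample export and file list embedded in it are constructed for illustration and are not real telemetry.

```python
"""Added example: scan a .reg export and a file listing for the Trojan.Zlob.G
indicators listed above. Sample inputs at the bottom are constructed."""
import re
from typing import Dict, List

# Indicators as listed in the write-up.
ZLOB_CLSID = "{1ca480cd-c0e5-4548-955e-b85b17905b3a}"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
BHO_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects",
    # Misspelt key name that the Trojan itself creates (steps 3 and 4).
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta",
)
CLSID_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID" + "\\" + ZLOB_CLSID
DROPPED_FILES = ("ncompat.tlb", "msvol.tlb")
HP_TMP = re.compile(r"^hp.*\.tmp$", re.IGNORECASE)   # hp[RANDOM CHARACTERS].tmp
REDIRECT_DOMAINS = ("yoursystemupdate.com", "dns404.net")


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse regedit .reg export text into {key: {value_name: data}}.
    Key names are lower-cased because the registry is case-insensitive.
    Only "name"="string" and @="string" values are decoded; other types
    (dword:, hex:) are kept as their raw text."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = name.strip().strip('"')          # "@" is the key's default value
        data = data.strip()
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = data[1:-1]
        keys[current][name] = data
    return keys


def scan_registry(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Return the Zlob.G registry indicators present in a parsed export."""
    findings: List[str] = []
    run_values = keys.get(RUN_KEY.lower(), {})
    if run_values.get("nvctrl.exe", "").lower() == "nvctrl.exe":
        findings.append("run-key: nvctrl.exe")              # step 2
    if CLSID_KEY.lower() in keys:
        findings.append("clsid: " + ZLOB_CLSID)             # step 4
    for bho in BHO_KEYS:
        if (bho + "\\" + ZLOB_CLSID).lower() in keys:
            findings.append("bho: " + bho.rsplit("\\", 1)[-1])
    # Steps 6 and 7: the redirect is done by the BHO regardless of settings,
    # so a clean Start Page is not evidence of absence; any value that does
    # mention one of the listed domains is still worth flagging.
    for key, values in keys.items():
        for name, data in values.items():
            if any(d in data.lower() for d in REDIRECT_DOMAINS):
                findings.append(f"redirect-domain: {key}\\{name}")
    return findings


def scan_files(paths: List[str]) -> List[str]:
    """Flag file names from the dropped-file list (step 1) in a listing
    of %System%; paths may use either slash style."""
    findings: List[str] = []
    for path in paths:
        name = path.replace("/", "\\").rsplit("\\", 1)[-1]
        if name.lower() in DROPPED_FILES or HP_TMP.match(name):
            findings.append("file: " + name)
    return findings


# Constructed sample export (not real telemetry) carrying three indicators.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nvctrl.exe"="nvctrl.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta\{1ca480cd-c0e5-4548-955e-b85b17905b3a}]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1ca480cd-c0e5-4548-955e-b85b17905b3a}]
@="nvctrl"
"""

# Constructed directory listing of %System% with two dropped files and one benign file.
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\ncompat.tlb",
    r"C:\WINDOWS\system32\hpA1b2.tmp",
    r"C:\WINDOWS\system32\kernel32.dll",
]

if __name__ == "__main__":
    for finding in scan_registry(parse_reg(SAMPLE_REG)) + scan_files(SAMPLE_FILES):
        print(finding)
```

On a real host the export would come from `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion out.reg` and the listing from `dir %SystemRoot%\System32`; the misspelt "Browser Helper Objecta" key is the most specific of these indicators, since nothing legitimate writes it, whereas the `hp*.tmp` pattern alone is too loose to act on by itself.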