Zlob or the Zlob Trojan is a trojan that can infect users’ computers by pretending to be a fake video codec in the form of Active X but can also infect the host’s computer by rogue software. It was first detected in late 2005 but only started gaining attention in mid-2006. Once installed, it displays popup ads with an appearance similar to real Microsoft Windows warning popups, informing the user that their computer is infected with spyware. Clicking these popups triggers the download of a fake anti-spyware program(such as Virus Heat and MS Antivirus in which the trojan is hidden.

According to F-Secure, a computer security firm, they have discovered 32 variants of this trojan. Other variants continue to be discovered daily and are added to the detection signatures of various commercial anti-virus products. Some variants of the Zlob family, like the so-called DNSChanger, adds rogue DNS name servers to the Registry of Windows-based computers, network settings of Macintosh computers and attempts to hack into any detected router to change the DNS settings and therefore could potentially re-route traffic from legitimate web sites to other suspicious web sites.

How Does Zlob trojan Get On Your Computer?

There are many Trojan horse viruses out there, many of which are unknown, but unlike these nuisances, the Zlob virus can use a variety of ways to get onto your system. Besides the more common methods of infiltration, such as email spam, blog spam, and social network websites, the Zlob Trojan virus can imitate codec packs; which is a creative way of increasing its infection rate, as codecs are a basic requirement of all multimedia system. You’d be hard-pressed to find someone that doesn’t listen to music and watch movies on their computer system.

Most people are unsuspecting of malicious codec packs. That’s because this fake codec’s come with the required EULA which makes them appear legitimate, and the creators of the Zlob Trojan virus are aware of this, which explains why they’ve been able to perpetuate this malicious piece of code for so long.

The trojan has also been linked to downloading atnvrsinstall.exe which uses the Windows Security shield icon to look as if it is an Anti Virus installation file from Microsoft. Having this file initiated can wreak havoc on computers and networks. One symptom is random computer shutdowns or reboots with random comments. This is caused by the programs using Scheduled Tasks to run a file called “zlberfker.exe”.

PHSDL – Project Honeypot Spam Domains List tracks and catalogs Zlob spam Domains. Some of the domains on the list are redirects to porn sites and various video watching sites that show several inline videos. Clicking on the video to play activates a request to download an ActiveX codec which is malware. It prevents the user from closing the browser in the usual manner. Other variants of Zlob Trojan installation are in the form of a computer scan that comes as a Java cab.

Technical Description of Zlob Trojan

When the Trojan is executed, it creates the following files:

  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\[EIGHT RANDOM NUMBERS]
  • %SystemDrive%\Documents and Settings\All Users\Application Data\{145911ff-70c8-1}\BIT1C.tmp
  • %SystemDrive%\Documents and Settings\All Users\Application Data\{2182672b-20c8-0}\BIT1D.tmp

The Trojan creates a PowerShell script that runs once a day and is used to download additional files in the following location:

  • %SystemDrive%\WINDOWS\Tasks\[RANDOM CLSID].job

The Trojan creates the following registry entries:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\”NameServer” : “199.203.131.151 82.163.143.181”
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{121002E0-F353-48CD-926F-EDFFABEE08AF}\”NameServer” : “199.203.131.151.82.163.143.181”
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{121002E0-F353-48CD-926F-EDFFABEE08AF}\”DhcpNameServer” : “199.203.131.151”
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\”DhcpNameServer” : “199.203.131.151”

The Trojan changes the DNS to one of the following IP addresses:

  • 199.203.131.145
  • 82.163.143.167
  • 199.203.131.150
  • 82.163.143.168
  • 82.163.143.169
  • 82.163.142.171
  • 82.163.143.172
  • 82.163.142.174
  • 199.203.131.151
  • 82.163.143.181
  • 199.203.131.152
  • 82.163.143.182
  • 82.163.142.3
  • 95.211.158.130

The Trojan may connect to and download potentially malicious files from the following domains:

  • likerut.info/u/
  • theget.biz/u/
  • bootfun.info/u/
  • sportnew.net/u/
  • ukjobmy.com/u/
  • moonas.info/u/
  • fasilmy.info/u/
  • paneljob.info/u/
  • usafun.info/u/
  • safesuns.info/u/
  • legco.info/u/
  • ough.info/u/
  • heato.info/u/
  • yelts.net/u/
  • deris.info/u/
  • big4u.org/u/
  • listcool.net/u/
  • listcool.info/u/
  • monoset.info/u/

The Trojan may steal the following information from the compromised computer:

  • Operating System type
  • Operating System major version
  • Operating System minor version
  • Operating System build
  • Service pack installed
  • Architecture type

How to Avoid Contracting It

What can you do to avoid mistakenly installing a fake codec? Well, you can take the time to read the Privacy Statements and EULAs before clicking on that install button. If you find it difficult to understand the EULA, then that’s a sign that you should back away. By installing the software without reading the EULA, you could be agreeing to several questionable quirks.

People need to be fully aware of the risks. In my opinion, I feel if people take the necessary precautions before clicking on a link or installing a program they can minimize the risks considerably.

Quick Tips for Zlob Prevention

  • Use up-to-date real-time protection. Real-time protection is key in keeping malware off of your system. Ad-Aware’s real-time protection, through Ad-Watch, Live! feature blocks malicious processes and infected programs that try to start or run on your PC.
  • Be leery of adult content videos. Zlob Trojans often masquerade as codecs needed to view pornographic videos. If you see a link for “free porn”, chances are it’s a sure way to get your PC infected.
  • Watch out for fake anti-spyware software. Never pay for a program that installed itself on your computer. This is a hallmark of rogue software.
  • Verify files before downloading. Never download software or a file without knowing exactly what it is. If you are unsure about a certain download, verify it by using an online virus scanner site or check with an expert at an online security forum, like Lavasoft’s Support Forums.