Threat behavior
Trojan:Win32/Zlob.KM is detection for a component of the greater Win32/Zlob malware family. This variant displays fake notices about being infected with various viruses and spyware and asks the victim if they wish to download a “current” version of antivirus software - which is actually rogue security software.
Win32/Zlob refers to a large multi-component family of malware that modifies Internet Explorer's settings, alters and redirects the user's default Internet search page and home page, and attempts to download and execute arbitrary files (including additional malicious software). The Win32/Zlob family has also been associated with rogue security programs that display misleading warnings regarding bogus malware infections.
Installation
Trojan:Win32/Zlob.KM is installed by other malicious software and commonly runs at Windows start via a registry value.
Payload
Displays False Alerts
Periodically Trojan:Win32/Zlob.KM displays false alerts containing text similar to the examples below:
Unhandled Exception: Invalid opertaion.
The instruction at "0x66f7d450" referenced memory at "0x00000d0".
If you were in the middle of something, you might lose the information you were working with. This fatal error probably occured because of a virus on your PC. Would you like to download latest version of antivirus software?
Your system is unprotected from new version of SpyBot@MXt malware.
SpyBot@MXt is a malware program that steals information and gathers email addresses from the compromised computer. Click OK to download antivirus software and pass system scan to delete/quarantine infected files.
Security warning: New variant of SpyBot@MXt
Your computer is infected with adware or spyware that displays advertisements while you browse the Internet. Would you like to download additional software to remove malware threats and protect your computer?
Internet Explorer Alert!
Your system is probably infected with latest version of Spyware.CyberLog-X. Spyware.CyberLog-X is a spyware program that monitors user activity, logs keystrokes, and tracks Web sites visited.
Critical System Warning! <hyperlink>
Your computer is infected with last version of PSW.x-Vir trojan. PSW trojans steal your private information such as: passwords, IP-address, credit card information, registration details, documents, etc. Click this baloon to remove PSW.x-Vir spyware.
Security Alert: Spyware found <hyperlink>
Summary: System performance slowed down by: 47% Internet connection speed decreased by: 39% Probable reason: Spyware applications/Adware popup windows Click this baloon to download spyware scan tool to remove spyware/adware applications.
Trojan:Win32/Zlob.KM displays the following "detected" threat names:
NetWorm-i.Virus@fp
Trojan-Spy.Win32@mx
SpyBot@MXt
Spyware.CyberLog-X
PSW.x-Vir Trojan
The above listed names do not map to actual threats identified by reputable security software.
Downloads Arbitrary Files
Trojan:Win32/Zlob.KM attempts to connect to the domains listed below in order to download additional malware:
Gateds.com
Getbackpage.com
Gatece.com
Filestoget.com
Asgates.com
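The domains above are the most practical network indicator for this variant. The following is an added example, not part of this encyclopedia entry, showing how a defender could sweep DNS-query logs for lookups of those domains or their subdomains; the log line format and the sample log are constructed for the example.

```python
"""Flag DNS-query log lines that look up the domains Trojan:Win32/Zlob.KM
is documented to contact. Added example, not Microsoft's code; the log
format handled here is a constructed, simplified one."""
import re
from typing import Iterable

# Domains from the Zlob.KM description, normalised to lower case.
ZLOB_KM_DOMAINS = frozenset({
    "gateds.com", "getbackpage.com", "gatece.com",
    "filestoget.com", "asgates.com",
})

# Constructed log format: "<timestamp> <client-ip> query <name>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)$")


def matches_zlob_domain(name: str) -> bool:
    """True if name is one of the listed domains or a subdomain of one.

    Case and a trailing dot (FQDN form) are ignored; a name that merely
    ends in the same letters (e.g. notgatece.com) does not match."""
    host = name.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ZLOB_KM_DOMAINS)


def flag_zlob_queries(lines: Iterable[str]) -> list[tuple[str, str, str]]:
    """Return (timestamp, client, queried name) for every line that hits."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and matches_zlob_domain(m.group(3)):
            hits.append((m.group(1), m.group(2), m.group(3)))
    return hits


# Constructed sample log: two true hits, one benign name, one near-miss.
SAMPLE_LOG = [
    "2008-03-01T10:00:01Z 10.0.0.15 query www.microsoft.com",
    "2008-03-01T10:00:04Z 10.0.0.15 query dl.gateds.com.",
    "2008-03-01T10:00:07Z 10.0.0.22 query Filestoget.com",
    "2008-03-01T10:00:09Z 10.0.0.22 query notgatece.com",
]

if __name__ == "__main__":
    for ts, client, name in flag_zlob_queries(SAMPLE_LOG):
        print(f"{ts} {client} -> {name}")
```

A hit identifies a client worth examining for the Zlob.KM registry run value and for the additional files the trojan may have downloaded.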
Additional Information
For more information please see the Win32/Zlob description elsewhere in our encyclopedia.
Analysis by Josh Phillips
Prevention