Threat behavior
TrojanDownloader:Win32/Zlob.gen!L is a generic detection of a component of the greater Win32/Zlob malware family. Win32/Zlob refers to a large multi-component family of malware that modifies Internet Explorer's settings, alters and redirects the user's default Internet search page and home page, and attempts to download and execute arbitrary files (including additional malicious software).
The TrojanDownloader:Win32/Zlob.gen!L detection is specific to a library component (DLL) from a Win32/Zlob installation. The component is responsible for updating Win32/Zlob program files and for restoring installed files on the computer if a user removes them.
Installation
Win32/Zlob is installed when a user executes an installer program, such as 'VideoAccessCodecInstall.exe' or a similarly named file. The installer may masquerade as a video codec that the user supposedly needs. The installer may be detected as TrojanDownloader:Win32/Zlob.gen!N.
When Win32/Zlob.gen!N runs, it drops a trojan downloader, such as 'bmxgdp.exe', onto the computer and runs it. The dropped downloader is identified as TrojanDownloader:Win32/Zlob.gen!W.
Win32/Zlob.gen!W accesses a remote Web site to retrieve files specified by a remote script file, and then removes itself.
Win32/Zlob.gen!W may download and install the following additional files:
- A Browser Helper Object (BHO) downloader, which may be named 'ntspknlg.dll' or similar. This BHO is detected as TrojanDownloader:Zlob.gen!M. Zlob.gen!M logs browser activity and keeps the log both in the Windows directory and in the registry under this registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VideoPlugin
This BHO may cause the Internet Explorer process to crash. Zlob.gen!M may also download other unwanted software. In our laboratory testing, it was observed to download an 'OnlineCasino' client program.
- An updater and restoration component, named 'hstsys.dll' or similar. This DLL is detected as TrojanDownloader:Win32/Zlob.gen!L. It registers itself to load under the 'ShellServiceObjectDelayLoad' registry key, so that the Windows shell (Explorer) loads it at every logon, and it restores all components if they are deleted. Because of this behavior, deleting the other Win32/Zlob files while this component is still registered and loaded only results in their being reinstalled; the 'ShellServiceObjectDelayLoad' entry and the DLL must be removed as well.
- optnet.dll (detected as TrojanDownloader:Zlob.gen!AA). This component is an Internet Explorer toolbar and is responsible for displaying messages claiming that the system is infected. See below for examples of the misleading 'infected' messages that may be displayed:
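The components listed above persist through two registry locations that are worth auditing on a suspect host: the 'ShellServiceObjectDelayLoad' key (which Explorer loads at logon) and the 'Browser Helper Objects' key (which Internet Explorer loads), plus the 'VideoPlugin' key the BHO uses as a log store. The following PowerShell script is an added example written for this page, not code from the original entry or from Microsoft; it enumerates those locations, resolves each registered CLSID to its in-process DLL, and flags DLLs that are missing or not validly Authenticode-signed. The verdict heuristics and the output layout are assumptions for illustration, and a benign entry can appear unsigned, so treat the output as a triage list rather than a verdict.

```powershell
# Added example (not part of the original encyclopedia entry): audit the
# persistence points named for Win32/Zlob components such as 'hstsys.dll'
# (ShellServiceObjectDelayLoad) and 'ntspknlg.dll' (Browser Helper Object).
# Run from an elevated PowerShell prompt. The "suspicious" heuristics below
# (missing file, invalid Authenticode signature) are assumptions for triage.

$ssodl  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
$bho    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$marker = 'HKLM:\SOFTWARE\Microsoft\VideoPlugin'   # log location named in the entry

function Resolve-ClsidDll {
    # Map a CLSID (with braces) to the DLL registered as its InprocServer32.
    param([string]$Clsid)
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID',
                      'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID') {
        $key = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path $key) {
            $path = (Get-ItemProperty -Path $key).'(default)'
            if ($path) { return [Environment]::ExpandEnvironmentVariables($path) }
        }
    }
    return $null
}

function Get-DllVerdict {
    # Assumed heuristic: a persistence entry whose DLL is absent or carries no
    # valid signature deserves a closer look.
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return 'missing-file' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { return "unsigned($($sig.Status))" }
    return 'signed'
}

$results = @()

# ShellServiceObjectDelayLoad: each value name maps to a CLSID string.
if (Test-Path $ssodl) {
    $props = Get-ItemProperty -Path $ssodl
    # Skip the PSPath/PSChildName/... properties the provider adds.
    foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' }) {
        $dll = Resolve-ClsidDll -Clsid ([string]$p.Value)
        $results += [pscustomobject]@{
            Source = 'SSODL'; Name = $p.Name; Clsid = $p.Value
            Dll = $dll; Verdict = (Get-DllVerdict -Path $dll)
        }
    }
}

# Browser Helper Objects: the subkey name is the CLSID.
if (Test-Path $bho) {
    foreach ($k in Get-ChildItem -Path $bho) {
        $dll = Resolve-ClsidDll -Clsid $k.PSChildName
        $results += [pscustomobject]@{
            Source = 'BHO'; Name = $k.PSChildName; Clsid = $k.PSChildName
            Dll = $dll; Verdict = (Get-DllVerdict -Path $dll)
        }
    }
}

# The VideoPlugin key is used by the BHO as a log store; its presence is itself an indicator.
if (Test-Path $marker) {
    $results += [pscustomobject]@{
        Source = 'Marker'; Name = 'VideoPlugin'; Clsid = ''; Dll = $marker; Verdict = 'present'
    }
}

$results | Sort-Object Source, Name | Format-Table -AutoSize
```

When an entry is flagged, remove the registry value (or BHO subkey) before deleting the DLL it points to, and do so while the loading process is not running: the restoration component described above is loaded by Explorer and will otherwise put the deleted files back.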
Additional Information
The Win32/Zlob family is associated with rogue security programs that display misleading warnings about non-existent malware installations or infections. Commonly, Win32/Zlob trojans disguise themselves as video or media codecs, presented as components that are required in order to view certain file types hosted on Web pages. Once installed, Win32/Zlob deceives users by displaying alerts and similar messages that claim the machine is infected by malware and spyware. It then displays links to purchase rogue antispyware products.
This behavior is very aggressive; the sheer volume of "security warnings" practically renders the affected computer unusable.
Prevention