TrojanDownloader:Win32/Zlob.gen!AQ is generic detection for a component of the greater Win32/Zlob malware family. Win32/Zlob refers to a large multi-component family of malware that modifies Internet Explorer's settings, alters and redirects the user's default Internet search page and home page, and attempts to download and execute arbitrary files (including additional malicious software). The Win32/Zlob family has also been associated with rogue security programs that display misleading warnings regarding bogus malware infections.
This variant drops an additional component onto the affected system and displays false alerts and warnings about malware infections, intended to persuade the affected user to download a rogue security program.
Installation
When executed, TrojanDownloader:Win32/Zlob.gen!AQ drops the file "scm.exe" in the current directory. This file is detected as TrojanDownloader:Win32/Zlob.gen!AT. It then modifies the following registry entry so that it runs at each system start:
Sets value: "some"
With data: "<trojan executable>"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
TrojanDownloader:Win32/Zlob.gen!AQ makes further modifications to the registry, including creating additional registry keys, for example:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
HKEY_CURRENT_USER\Software\NetProject
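A read-only check for the registry artifacts listed above, written here as an added example and not taken from the Microsoft entry: it enumerates the policies\explorer\run autorun key, hashes any executable it points at, and looks for the NetProject key. The registry paths, the value name "some" and the file name "scm.exe" come from this page; inspecting the per-user policies\explorer\run key as well is an assumption.

```powershell
# Added example (not from the Microsoft entry): read-only triage of the indicators
# described above. Run from an elevated PowerShell prompt on the suspect host.

function Get-ZlobIndicators {
    $Findings = @()

    # 1. Persistence. The policies\explorer\run key is a policy-style autorun that is
    #    easy to overlook; this variant writes a value named "some" there.
    $RunKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run'  # assumption: per-user hive too
    )
    foreach ($Key in $RunKeys) {
        if (-not (Test-Path $Key)) { continue }
        $Props = Get-ItemProperty -Path $Key
        $Names = $Props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object Name
        foreach ($Name in $Names) {
            $Data = [string]$Props.$Name
            # Strip quotes and arguments so the executable can be located on disk
            $Exe    = (($Data -replace '"', '') -split '\s+')[0]
            $Exists = (-not [string]::IsNullOrWhiteSpace($Exe)) -and (Test-Path -LiteralPath $Exe)
            $Hash   = if ($Exists) { (Get-FileHash -LiteralPath $Exe -Algorithm SHA256).Hash } else { $null }
            $Findings += [pscustomobject]@{
                Type    = 'PolicyRunValue'
                Key     = $Key
                Name    = $Name
                Data    = $Data
                Exists  = $Exists
                SHA256  = $Hash
                Suspect = ($Name -eq 'some') -or ($Exe -like '*scm.exe')
            }
        }
    }

    # 2. Companion key this variant creates under the user hive.
    $NetProject = 'HKCU:\Software\NetProject'
    if (Test-Path $NetProject) {
        $Findings += [pscustomobject]@{
            Type = 'Key'; Key = $NetProject; Name = $null; Data = $null
            Exists = $true; SHA256 = $null; Suspect = $true
        }
    }
    return $Findings
}

$Results = Get-ZlobIndicators
$Results | Format-Table -AutoSize
if ($Results | Where-Object Suspect) {
    Write-Warning 'Win32/Zlob.gen!AQ indicators present; hash and preserve the referenced file(s) before cleanup.'
}
```

Any value under policies\explorer\run is worth a look even when its name is not "some", since the table lists every entry and only flags the ones matching this page's indicators.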
Payload
Displays False and Misleading Security Messages
This trojan may display false virus alerts as a trick to persuade users to purchase a rogue security product. Messages displayed are variable, but may include the following examples:
The instruction at "0x66f7d450" referenced memory at "0x00000d0".
If you were in the middle of something, the information you were working on might be lost.
This fatal error probably occured because of a virus on your PC.
-----
Fatal Error! Your system is unprotected from new version of SpyBot@MXt trojan.
SpyBot@MXt is a trojan horse that steals information and gathers email addresses from the compromised computer.
Click OK to download antivirus software and pass system scan to delete/quarantine infected files.
-----
Security warning: New variant of SpyBot@MXt
Your computer is infected with adware or spyware that displays advertisements while you browse the Internet.
-----
Internet Explorer Alert!
Your system is probably infected with latest version of Spyware.CyberLog-X.
Type: Spyware
Infection Length: 266,129 bytes
Risk: High
Systems Affected: Windows 95, 98, 2000, NT, 2003 Server,
Windows XP, Windows Vista
Behavior: Spyware.CyberLog-X is a spyware program that
monitors user activity, logs keystrokes, and tracks
Web sites visited.
Symptoms: Low Internet connection speed
Low system perfomance
Security center alerts
Strange pop up windows
Protection: Click OK to donwload antispyware software.
-----
Critical System Warning! Your computer is infected with last version of PSW.x-Vir trojan. PSW trojans steal your private information such as: passwords, IP-address, credit card information, registration details, documents, etc.
-----
Click this baloon to remove PSW.x-Vir spyware. Security Alert: Spyware found
Summary:
System performance slowed down by: 47%
Internet connection speed decreased by: 39%
Probable reason: Spyware applications/Adware popup windows
Click this baloon to download spyware scan tool to remove spyware/adware applications.
-----
System perfomance monitor: Warning
Type: Virus/Network Worm
Damage Level: High
Description: Virus that infects executable files.
Advice: Delete/quarantine immediately.
Protection: Click this baloon to download certified
Antivirus software.
-----
Security Alert: NetWorm-i.Virus@fp Your computer is infected with a back door Trojan that allows the remote attacker to perform various malicious actions.
Click this baloon to download malware removal software.
-----
System Alert: Malware threats
Type: Spyware/Trojan
Vulnerable: Windows 95/98/ME/NT/2003/
Windows XP/Windows Vista
Description: Spyware program that sends
confidential information to
a remote attacker
Protection: Click this baloon to download official security software.
Clicking on one of these alerts establishes a connection to www.gatecb.com.
Analysis by Andrei Florin Saygo