Threat behavior
TrojanDownloader:Win32/Zlob.gen!BI is a trojan that displays misleading messages in order to encourage affected users to download and install unwanted software.
Installation
When TrojanDownloader:Win32/Zlob.gen!BI is run, it may drop a copy of itself into the current folder as "wcm.exe". The registry is then modified so that the dropped copy runs at each Windows start:
Adds value: some
With data: "<trojan folder>\wcm.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
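The Policies\Explorer\Run subkey is an autostart location that Explorer honours at logon but that is not listed by msconfig, so it is worth checking explicitly. The following PowerShell is an added example for this page, not code from the original entry or from Microsoft: it enumerates every value under that subkey in both HKLM and HKCU (the entry gives only "some" as the value name, so no specific name is assumed), extracts the image path from the data, and flags any value whose image is named wcm.exe or whose target no longer exists. It assumes an elevated Windows PowerShell 5.1 or later session on the host being examined.

```powershell
# Added example (not from the original Microsoft entry). Assumes an elevated
# PowerShell session on the host under examination.

$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

function Get-PoliciesExplorerRunEntries {
    foreach ($key in $autostartKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those
            if ($p.Name -like 'PS*') { continue }
            $data = [string]$p.Value
            # A quoted command line ("C:\dir\x.exe" /arg) -> keep only the image path;
            # an unquoted one is used as-is
            $path = ($data -replace '^"([^"]+)".*$', '$1').Trim()
            [pscustomobject]@{
                Key        = $key
                ValueName  = $p.Name
                Data       = $data
                ImagePath  = $path
                FileExists = Test-Path -LiteralPath $path
                # Dropped-file name from the entry, compared case-insensitively
                Suspicious = ([IO.Path]::GetFileName($path) -ieq 'wcm.exe')
            }
        }
    }
}

function Remove-SuspiciousRunEntry {
    # Supports -WhatIf / -Confirm so the removal can be rehearsed first
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($e in (Get-PoliciesExplorerRunEntries | Where-Object Suspicious)) {
        $target = "$($e.Key)\$($e.ValueName)"
        if ($PSCmdlet.ShouldProcess($target, 'Remove autostart value')) {
            Remove-ItemProperty -LiteralPath $e.Key -Name $e.ValueName
        }
    }
}

# Report everything under the subkey; Suspicious = True or FileExists = False
# both deserve a closer look before anything is removed.
Get-PoliciesExplorerRunEntries | Format-Table -AutoSize

# Rehearse the cleanup; drop -WhatIf to actually delete the flagged value(s).
Remove-SuspiciousRunEntry -WhatIf
```

Deleting the registry value only stops the autostart; the dropped wcm.exe must still be quarantined or removed from the folder it was written to, and the file name alone is a weak indicator, so confirm with a scan before relying on it.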
Payload
Displays Misleading Messages
TrojanDownloader:Win32/Zlob.gen!BI may display any of the following messages in an attempt to entice a user to click a download link and install unwanted software. The messages are shown as displayed, misspellings included:
-
Fatal Error!
Unhandled Exception: Invalid opertaion.
The instruction at "0x66f7d450" referenced memory at "0x00000d0".
If you were in the middle of something, you might lose the information
you were working with.
This fatal error probably occured because of a virus on your PC.
Would you like to download latest version of antivirus software?
-
Fatal Error!
Your system is unprotected from new version of SpyBot@MXt trojan.
SpyBot@MXt is a trojan horse that steals information and gathers
email addresses from the compromised computer.
Click OK to download antivirus software and pass system scan to
delete/quarantine infected files.
-
Security warning: New variant of SpyBot@MXt
Your computer is infected with adware or spyware that displays
advertisements while you browse the Internet.
Would you like to download additional software to remove malware
threats and protect your computer?
-
Internet Explorer Alert!
Your system is probably infected with latest version of Spyware.CyberLog-X.
-
Critical System Warning!
Your computer is infected with last version of PSW.x-Vir trojan. PSW trojans steal your private information such as: passwords, IP-address, credit card information, registration details, documents, etc.
Click this baloon to remove PSW.x-Vir spyware.
-
Security Alert: Spyware found
Summary:
System performance slowed down by: 47%
Internet connection speed decreased by: 39%
Probable reason: Spyware applications/Adware popup windows
Click this baloon to download spyware scan tool to remove spyware/adware applications.
TrojanDownloader:Win32/Zlob.gen!BI may also contact the domain 'gatedv.com' to download other potentially malicious files.
Analysis by Vitaly Zaytsev
Prevention