Threat behavior
TrojanDownloader:Win32/Zlob.gen!BM is a component of the greater Win32/Zlob malware family that is used to download and execute arbitrary files.
Win32/Zlob refers to a large multi-component family of malware that modifies Internet Explorer's settings, alters and redirects the user's default Internet search page and home page, and attempts to download and execute arbitrary files (including additional malicious software). The Win32/Zlob family has also been associated with rogue security programs that display misleading warnings regarding bogus malware infections.
Installation
TrojanDownloader:Win32/Zlob.gen!BM may be downloaded and installed by other members of this large family, masquerading as a Video Codec kit.
It arrives on the system as a Nullsoft Installation (NSIS) package, usually with the filename wmcodec_update.exe, which then drops the following file:
<system folder>\RichVideoCodec.dll - also detected as TrojanDownloader:Win32/Zlob.gen!BM
Note - <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
It usually arrives on the system with the following files:
- %Program Files%\RichVideoCodec\close.gif
- %Program Files%\RichVideoCodec\close_white.gif
- %Program Files%\RichVideoCodec\defend.gif
- %Program Files%\RichVideoCodec\License.txt
- %Program Files%\RichVideoCodec\Uninstall.exe
It then creates the following registry keys and entries to install its dropped DLL file as a BHO (Browser Helper Object):
- Creates subkey: HKCU\Software\RichVideoCodec
- Adds value: "@"
  With data: "VideoCodec Class"
  To subkey: HKLM\SOFTWARE\Classes\RichVideoCodec.VideoCodec
- Adds value: "@"
  With data: "{926A61C9-5C20-4583-ACA7-ACE21088816E}"
  To subkey: HKLM\SOFTWARE\Classes\RichVideoCodec.VideoCodec\CLSID
- Adds value: "AppID"
  With data: "{A85A2972-D35F-4089-86AE-83DFEF054E23}"
  To subkey: HKLM\SOFTWARE\Classes\AppID\RichVideoCodec.DLL
- Adds value: "@"
  With data: "<system folder>\RichVideoCodec.dll"
  To subkey: HKLM\SOFTWARE\Classes\CLSID\{35DA02A8-1D27-43EB-8088-3210521AA154}\InprocServer32
- Adds value: "@"
  With data: "<system folder>\RichVideoCodec.dll"
  To subkey: HKLM\SOFTWARE\Classes\CLSID\{4B2DBC9D-7D49-48F4-8DDC-1B15415FF253}\InprocServer32
- Adds value: "@"
  With data: "<system folder>\RichVideoCodec.dll"
  To subkey: HKLM\SOFTWARE\Classes\CLSID\{926A61C9-5C20-4583-ACA7-ACE21088816E}\InprocServer32
- Adds value: "@"
  With data: "<system folder>\RichVideoCodec.dll"
  To subkey: HKLM\SOFTWARE\Classes\TypeLib\{0EF350A6-8AF0-40B5-ADE7-CB82FD02C3AE}\1.0\0\win32
- Adds value: "@"
  With data: "VideoCodec Class"
  To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{926A61C9-5C20-4583-ACA7-ACE21088816E}
- Adds value: "NoExplorer"
  With data: "1"
  To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{926A61C9-5C20-4583-ACA7-ACE21088816E}
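To check a host for this kind of BHO registration, the following PowerShell (an added example, not part of the original advisory) enumerates the Browser Helper Objects key, resolves each CLSID to its InprocServer32 DLL, and flags entries matching the CLSID and DLL name listed above. The Wow6432Node location and the Authenticode check are assumptions beyond what the page lists; run it with rights to read HKLM.

```powershell
# Indicators taken from the registry entries listed above.
$Indicators = @{
    Clsid   = '{926A61C9-5C20-4583-ACA7-ACE21088816E}'
    DllName = 'RichVideoCodec.dll'
}
# 32-bit IE on 64-bit Windows registers BHOs under Wow6432Node (assumption: both roots are checked).
$BhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-BhoInventory {
    foreach ($root in $BhoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $clsid = $key.PSChildName
            $props = Get-ItemProperty $key.PSPath
            # Resolve the COM server the BHO loads; HKCR merges HKLM and HKCU Classes.
            $server = Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
            $dll = if ($server) { $server.'(default)' } else { $null }
            $onDisk = ($dll -and (Test-Path $dll))
            $reasons = @()
            if ($clsid -ieq $Indicators.Clsid) { $reasons += 'known Zlob CLSID' }
            if ($dll -and ([IO.Path]::GetFileName($dll) -ieq $Indicators.DllName)) { $reasons += 'known Zlob DLL name' }
            if ($dll -and -not $onDisk) { $reasons += 'DLL path not present on disk' }
            $sig = if ($onDisk) { (Get-AuthenticodeSignature $dll).Status } else { 'n/a' }
            if ($onDisk -and $sig -ne 'Valid') { $reasons += "unsigned or invalid signature ($sig)" }
            [PSCustomObject]@{
                Clsid      = $clsid
                Root       = $root
                Dll        = $dll
                NoExplorer = $props.NoExplorer   # 1 = loads in IE only, as this variant sets it
                Signature  = $sig
                Suspicious = ($reasons.Count -gt 0)
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

Get-BhoInventory | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Any row flagged by CLSID or DLL name should be compared against the file and registry listings above before removal; the unsigned and missing-file reasons are generic hygiene checks and will also hit legitimate but poorly packaged add-ons.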
Payload
Downloads and Executes Arbitrary Files
TrojanDownloader:Win32/Zlob.gen!BM may connect to the following domains to download and execute files on the affected machine:
- yourfavoritetube.com
- sexlookupworld.com
These files may include additional malware or Zlob components.
Analysis by Elda Dimakiling
Prevention