TrojanDownloader:Win32/Zlob.gen!CI is generic detection for a component of the greater Win32/Zlob malware family. Win32/Zlob refers to a large multi-component family of malware that modifies Internet Explorer's settings, alters and redirects the user's default Internet search page and home page, and attempts to download and execute arbitrary files (including additional malicious software).
The Win32/Zlob family has also been associated with rogue security programs that display misleading warnings regarding bogus malware infections.
Installation
TrojanDownloader:Win32/Zlob.gen!CI drops the following files, which are also detected as TrojanDownloader:Win32/Zlob.gen!CI, into the current folder:
- iebt.dll - DLL component, which is registered as a BHO (Browser Helper Object) for Internet Explorer
- iebtmm.exe - EXE component
It creates the following registry keys and entries as part of its installation routine for its dropped DLL file:
Creates key: HKLM\Software\Classes\CLSID\{BE1A344F-9FF5-4024-949B-52205E6DB2D0}
Adds value: "(default)"
With data: "<current folder>\iebt.dll"
To subkey: HKLM\Software\Classes\CLSID\{BE1A344F-9FF5-4024-949B-52205E6DB2D0}\InprocServer32
where <current folder> is the folder where this trojan drops its files.
Adds value: "(default)"
With data: "0"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BE1A344F-9FF5-4024-949B-52205E6DB2D0}
TrojanDownloader:Win32/Zlob.gen!CI also registers itself so that it automatically runs every time Windows starts:
Adds value: "start"
With data: "<current malware file>"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
where <current malware file> is the path and file name of the currently running copy of this trojan. The file name may vary from sample to sample.
Payload
Adds Fake Search Provider
TrojanDownloader:Win32/Zlob.gen!CI adds a fake search engine provider in Internet Explorer by creating the following registry entry:
Adds value: "DisplayName"
With data: "Search"
Adds value: "URL"
With data: "http:// www.searchcheckup.com/index.php?b=1&t=0&q={searchTerms}"
To subkey: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}
Adds Item to Tools Menu in Internet Explorer
TrojanDownloader:Win32/Zlob.gen!CI also adds an item to the Tools menu in Internet Explorer by creating the following registry entry:
Adds value: "MenuText"
With data: "IE Anti-Spyware"
Adds value: "Exec"
With data: "http:// www.howtoiexplorer.com/redirect.php"
Adds value: "CLSID"
With data: "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"
To subkey: HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}
The above links may install fake antivirus software on the system.
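As an added example that is not part of this encyclopedia entry, the following PowerShell audit checks a host for the registry artifacts listed under both the Installation section (BHO CLSID registration and the policies\explorer\run autorun value) and the Payload section (the fake search scope and the Tools-menu extension). Every key path, CLSID, value name and data string comes from the entry above; the function name Test-ZlobArtifacts, the regular-expression patterns used to compare the data, and the output layout are assumptions of this example.

```powershell
# Added audit example (not from the Microsoft entry): report the registry
# artifacts attributed above to TrojanDownloader:Win32/Zlob.gen!CI.
# Run from an elevated prompt; the HKCU check covers the current user only.

$ZlobClsid = '{BE1A344F-9FF5-4024-949B-52205E6DB2D0}'

# Each check: key to test, value name ($null = report key existence only),
# and an optional pattern the value data is documented to contain.
$Checks = @(
    @{ Key = "HKLM:\Software\Classes\CLSID\$ZlobClsid\InprocServer32"
       Name = '(default)'; Pattern = 'iebt\.dll$'
       Note = 'BHO DLL registration (iebt.dll)' },
    @{ Key = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$ZlobClsid"
       Name = $null; Pattern = $null
       Note = 'BHO enabled for Internet Explorer' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run'
       Name = 'start'; Pattern = $null
       Note = 'policy-based autorun value "start"' },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}'
       Name = 'URL'; Pattern = 'searchcheckup\.com'
       Note = 'fake search provider' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}'
       Name = 'Exec'; Pattern = 'howtoiexplorer\.com'
       Note = 'Tools-menu item "IE Anti-Spyware"' }
)

# Returns one object per artifact found (assumed function name).
function Test-ZlobArtifacts {
    foreach ($c in $Checks) {
        if (-not (Test-Path -LiteralPath $c.Key)) { continue }
        if ($null -eq $c.Name) {
            # Key-existence check only (the BHO key itself is the indicator)
            [pscustomobject]@{ Key = $c.Key; Name = ''; Data = ''; Note = $c.Note }
            continue
        }
        $item = Get-ItemProperty -LiteralPath $c.Key -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        # Get-ItemProperty exposes a key's default value as the property '(default)'
        $data = $item.($c.Name)
        if ($null -eq $data) { continue }
        $note = $c.Note
        if ($c.Pattern -and ($data -notmatch $c.Pattern)) {
            # Key and value exist but data differs: still worth a look, flag it
            $note = "$($c.Note) (value present, data differs from documented string)"
        }
        [pscustomobject]@{ Key = $c.Key; Name = $c.Name; Data = $data; Note = $note }
    }
}

$hits = @(Test-ZlobArtifacts)
if ($hits.Count -eq 0) { 'No Zlob.gen!CI registry artifacts found.' }
else { $hits | Format-Table -AutoSize }
```

The script only reads the registry; it reports rather than removes, so that an incident responder can confirm each hit (the dropped iebt.dll and iebtmm.exe files, and the file named in the "start" value) before cleanup. Because <current folder> and <current malware file> vary per sample, the autorun check reports any "start" value under the policies\explorer\run key and the BHO check matches only on the file name iebt.dll.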
Analysis by Tim Liu