Threat behavior
TrojanDownloader:Win32/Zlob.gen!M is a generic detection for a component of the larger Win32/Zlob family. Win32/Zlob refers to a large multi-component family of malware that modifies Internet Explorer's settings, alters and redirects the user's default Internet search page and home page, and attempts to download and execute arbitrary files (including additional malicious software). The Win32/Zlob family has also been associated with rogue security programs that display misleading warnings about bogus malware infections.
Installation
If TrojanDownloader:Win32/Zlob.gen!M is run, it installs itself to folders on the local system using a small batch script. Three dynamic link library (DLL) component files and one executable are copied to the Windows folder:
nsduo.dll
msmhost.dll
msmdev.dll
main_uninstaller.exe
The installer then uses REGSVR32.EXE to register the DLL nsduo.dll. Several registry keys are created to register the Trojan's components as Browser Helper Objects (BHOs), so that Internet Explorer loads them whenever it starts.
Additional Information
One source of this Trojan is a Web site named thenmnetwork.com. Components of this Trojan connect to this site and retrieve updates using the Background Intelligent Transfer Service (BITS). The downloaded files are stored in the %Temp% folder and may be named BIT##.tmp, where ## is an incremented number.
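As an added triage example (not part of this entry and not Microsoft's tooling), the following PowerShell script checks a host for the artifacts described under Installation and Additional Information: the four dropped files in the Windows folder, a Browser Helper Object registration that points at one of those DLLs, BIT##.tmp staging files in %Temp%, and any BITS jobs queued for any user. The entry does not give the BHO CLSID, so the script enumerates every registered BHO and matches by DLL file name; the BHO and CLSID registry locations, their Wow6432Node variants and the BitsTransfer module are standard Windows behaviour assumed here rather than stated by the entry.

```powershell
# Added triage example, not Microsoft's code. Looks for the artifacts the
# Zlob.gen!M entry describes. The BHO CLSID is not given by the entry, so
# every registered BHO is resolved through HKCR\CLSID and matched by DLL
# file name (an assumption). Run from an elevated prompt so that
# Get-BitsTransfer -AllUsers can see every user's jobs.

$droppedFiles = 'nsduo.dll', 'msmhost.dll', 'msmdev.dll', 'main_uninstaller.exe'
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Check, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# 1. Dropped components in the Windows folder.
foreach ($name in $droppedFiles) {
    $path = Join-Path $env:WINDIR $name
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        Add-Finding 'DroppedFile' "$path ($($item.Length) bytes, written $($item.LastWriteTime))"
    }
}

# 2. BHO registrations. Each subkey name is a CLSID; its DLL is the default
#    value of HKCR\CLSID\{clsid}\InprocServer32. A 32-bit BHO on 64-bit
#    Windows lives under the Wow6432Node keys, so both views are checked.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$clsidRoots = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID',
    'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'
)

foreach ($bhoKey in ($bhoKeys | Where-Object { Test-Path $_ })) {
    foreach ($sub in Get-ChildItem -Path $bhoKey) {
        $clsid = $sub.PSChildName
        foreach ($root in $clsidRoots) {
            $server = "$root\$clsid\InprocServer32"
            if (-not (Test-Path $server)) { continue }
            $dll = (Get-ItemProperty -Path $server).'(default)'
            if ($dll -and ($droppedFiles -contains (Split-Path -Path $dll -Leaf))) {
                Add-Finding 'BHO' "$clsid -> $dll"
            }
        }
    }
}

# 3. BITS staging files in %Temp% (BIT##.tmp). %Temp% is per user, so run
#    this in the affected user's context or point it at that profile's Temp.
Get-ChildItem -Path $env:TEMP -Filter 'BIT*.tmp' -File -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'TempFile' "$($_.FullName) ($($_.Length) bytes)" }

# 4. BITS jobs for every user; RemoteName shows where the downloader pulls from.
Import-Module BitsTransfer -ErrorAction SilentlyContinue
Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue | ForEach-Object {
    $job = $_
    foreach ($f in $job.FileList) {
        Add-Finding 'BitsJob' "$($job.DisplayName) [$($job.JobState)]: $($f.RemoteName) -> $($f.LocalName)"
    }
}

if ($findings.Count -eq 0) { 'No Zlob.gen!M artifacts found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

A BHO whose InprocServer32 resolves to one of the listed DLLs, or a BITS job whose RemoteName is on thenmnetwork.com, is the strongest signal; the BIT*.tmp check on its own is weak, because legitimate BITS transfers (Windows Update among them) stage files under the same name pattern, so treat those hits as leads to correlate rather than as detections.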
Prevention