Computer Security Wiki
Type: Trojan horse
Affected platforms: Microsoft Windows
Most of this page uses content from Wikipedia. The original article was at Zlob trojan.
The list of authors can be seen in the page history. As with Computer Security Wiki, the text of Wikipedia is available under the GNU Free Documentation License.

Zlob is a trojan horse that masquerades as a needed video codec in the form of an ActiveX control. Zlob allows a remote attacker to perform various malicious actions on the compromised computer. It was first detected in late 2005, but it did not start gaining attention until mid-2006. Once installed, it displays popup ads that resemble genuine Microsoft Windows warning popups, informing the user that their computer is infected with spyware. Clicking these popups triggers the download of a fake anti-spyware program (such as Virus Heat) in which the trojan horse is hidden.

F-Secure, a computer security firm, reports having discovered 32 variants of this trojan. Other variants continue to be discovered on a daily basis and are added to the detection signatures of various commercial anti-virus products. Some variants of the Zlob family, such as the so-called DNSChanger, add rogue DNS name servers to the Registry of Windows-based computers and to the network settings of Macintosh computers, and could therefore re-route traffic from legitimate web sites to other suspicious web sites.
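As an added example (not part of this wiki page or any vendor tool), the following Python script parses a constructed `reg export` of the Windows TCP/IP interface keys and flags any static NameServer entry outside an allowlist, which is the kind of Registry change the DNSChanger variants make. The interface GUIDs, the addresses and the trusted range are all assumed values.

```python
import re
from ipaddress import ip_address, ip_network

# Resolvers this environment is expected to use (assumed values for the example).
TRUSTED_RESOLVERS = [ip_network("10.0.0.0/8")]
# Constructed `reg export` of the TCP/IP interface keys: GUIDs are made up and the
# rogue pair sits in an RFC 5737 documentation range. DhcpNameServer is untouched.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-aaaa-4bbb-8ccc-000000000001}]
"NameServer"=""
"DhcpNameServer"="10.0.0.53"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{22222222-aaaa-4bbb-8ccc-000000000002}]
"NameServer"="203.0.113.5,203.0.113.6"
"DhcpNameServer"="10.0.0.53"
"""
KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')

def parse_name_servers(reg_text):
    """Map each registry key to the static NameServer addresses set under it."""
    servers, current_key = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if key := KEY_LINE.match(line):
            current_key = key.group(1)
            continue
        value = VALUE_LINE.match(line)
        # Only the static NameServer value matters: a DNS changer sets it so that
        # it overrides the resolvers DHCP handed out (DhcpNameServer stays intact).
        if value and current_key and value.group("name") == "NameServer":
            servers[current_key] = [a for a in re.split(r"[ ,]+", value.group("value")) if a]
    return servers

def find_rogue_resolvers(reg_text, trusted=TRUSTED_RESOLVERS):
    """Return {key: [resolver, ...]} for static resolvers outside the allowlist."""
    rogue = {}
    for key, addrs in parse_name_servers(reg_text).items():
        bad = []
        for addr in addrs:
            try:
                if not any(ip_address(addr) in net for net in trusted):
                    bad.append(addr)
            except ValueError:  # an entry that is not an IP address is suspicious too
                bad.append(addr)
        if bad:
            rogue[key] = bad
    return rogue
```

On a live host the same check runs against `reg export HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces`; an interface whose static NameServer disagrees with DhcpNameServer is the signal to investigate.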

The trojan has also been linked to downloading atnvrsinstall.exe, which uses the Windows Security shield icon to look like an antivirus installation file from Microsoft. Running this file can wreak havoc on computers and networks. One symptom is random computer shutdowns or reboots with random comments. This is caused by the program using Scheduled Tasks to run a file called "zlberfker.exe".

PHSDL (Project Honeypot Spam Domains List) tracks and catalogues Zlob spam domains. Some of the domains on the list are redirects to porn sites and various video-watching sites that show a number of inline videos. Clicking on a video to play it triggers a request to download an ActiveX codec, which is the malware. It prevents the user from closing the browser in the usual manner. Other variants of the Zlob trojan installation take the form of a computer scan delivered as a Java cab file.

There is evidence that the Zlob trojan might be of Russian origin.

External Links