TrojanDownloader:Win32/Zlob.II is a detection for a component of the greater Win32/Zlob malware family. Win32/Zlob refers to a large multi-component family of malware that modifies Internet Explorer's settings, alters and redirects the user's default Internet search page and home page, and attempts to download and execute arbitrary files (including additional malicious software).
The Win32/Zlob family has also been associated with rogue security programs that display misleading warnings about non-existent malware installations or infections. Once installed, Win32/Zlob deceives users by displaying alerts and similar messages stating that the machine is infected with malware and spyware. It may then display links to purchase rogue antispyware products.
Installation
When executed, TrojanDownloader:Win32/Zlob.II may try to connect to a remote Web server and download a rogue security program known as WinSpywareProtect from the following sites:
64.247.39.247
77.91.227.179
dl.winspywareprotects.com
After downloading rogue programs, Zlob may drop the following files:
%temp%\random name.exe
%temp%\media.php
%temp%\nsh3.tmp
%temp%\nsx4.tmp\blowfish.dll
%temp%\nsx4.tmp\System.dll
%temp%\nsa5.tmp.tmp.bat
%temp%\ac8zt2\pntqkflv.dll
%temp%\ac8zt2\gxvpsafm.dll
%temp%\ac8zt2\qegbdmwf.dll
%temp%\ac8zt2\gfetqaxsxqs.dll
%temp%\ac8zt2\ebxq.exe
%temp%\ac8zt2\tovafrnm.exe
%temp%\ac8zt2\install.bat
%windir%\gxvpsafm.dll
%windir%\pntqkflv.dll
%windir%\ebxq.exe
%windir%\tovafrnm.exe
%windir%\gfetqaxsxqs.dll
Next, registry data may be modified or created, such as the following:
Adds value: MigrateProxy
With Data: 0x01
To subkey: HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings
Adds value: ProxyEnable
With Data: 0x00
To subkey: HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings
Adds value: ProxyBypass
With Data: 0x01
To subkey: HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\ZoneMap
Adds value: IntranetName
With Data: 0x01
To subkey: HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\ZoneMap
Adds value: UNCAsIntranet
With Data: 0x01
To subkey: HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\ZoneMap
Adds value: AutoDetect
With Data: 0x01
To subkey: HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\ZoneMap
Adds value: lid
With Data: -1
To subkey: HKCU\SOFTWARE\ADSL Software Ltd\WinSpywareProtect\lid
Adds value: pid
With Data: 226
To subkey: HKCU\SOFTWARE\ADSL Software Ltd\WinSpywareProtect\pid
Adds value: IsLoaded
With Data: 0x01
To subkey: HKCU\Software\ADSL Software Ltd\Installer
Adds value: Default
With Data: C:\Windows\qegbdmwf.dll
To subkey: HKCR\CLSID\{A885DE23-A0C5-425F-80C3-0DFD668380C9}\InProcServer32
Adds value: qegbdmwf
With Data: {A885DE23-A0C5-425F-80C3-0DFD668380C9}
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
The registry may be modified to run WinSpywareProtect at each Windows start:
Adds value: InstallProgram
With Data: \%Local temp%\random malware name.exe
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
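As an added triage example (not part of the original encyclopedia entry), the following read-only PowerShell script checks a host for the persistence, CLSID and dropped-file artifacts listed above. The %temp% file names are randomized per infection, so only the fixed %windir% names are checked; the ZoneMap values are reported as "weak" because they can also be set legitimately.

```powershell
# Added triage script for the Win32/Zlob.II / WinSpywareProtect artifacts above.
# Read-only. Run in the affected user's context (HKCU checks); HKLM/%windir%
# checks need an elevated session. Assumption: paths/CLSID taken from the entry.
$findings = @()

# 1. Run-key persistence (InstallProgram -> randomly named EXE in %temp%)
$run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['InstallProgram']) {
    $findings += "Run key InstallProgram -> $($run.InstallProgram)"
}

# 2. ShellServiceObjectDelayLoad entry referencing the Zlob CLSID, plus its InProcServer32 DLL
$clsid = '{A885DE23-A0C5-425F-80C3-0DFD668380C9}'
$ssodl = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad' -ErrorAction SilentlyContinue
if ($ssodl) {
    foreach ($p in $ssodl.PSObject.Properties) {
        if ("$($p.Value)" -ieq $clsid) { $findings += "SSODL value '$($p.Name)' -> $clsid" }
    }
}
$inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32"
if (Test-Path $inproc) {
    $dll = (Get-ItemProperty -Path $inproc).'(default)'
    $findings += "CLSID $clsid InProcServer32 -> $dll"
}

# 3. Rogue product registry keys written by WinSpywareProtect
foreach ($k in 'HKCU:\Software\ADSL Software Ltd\WinSpywareProtect',
               'HKCU:\Software\ADSL Software Ltd\Installer') {
    if (Test-Path $k) { $findings += "Registry key present: $k" }
}

# 4. Dropped files with fixed names in %windir%
foreach ($f in 'gxvpsafm.dll','pntqkflv.dll','ebxq.exe','tovafrnm.exe','gfetqaxsxqs.dll') {
    $path = Join-Path $env:windir $f
    if (Test-Path $path) { $findings += "Dropped file: $path" }
}

# 5. Weak indicators: ZoneMap values the entry sets to 1 (also set by some legitimate tools)
$zone = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap' -ErrorAction SilentlyContinue
foreach ($v in 'ProxyBypass','IntranetName','UNCAsIntranet','AutoDetect') {
    if ($zone -and $zone.PSObject.Properties[$v] -and $zone.$v -eq 1) {
        $findings += "Weak: ZoneMap\$v = 1"
    }
}

if ($findings.Count -eq 0) { 'No Zlob.II / WinSpywareProtect artifacts found.' } else { $findings }
```

Findings from sections 1 to 4 are strong indicators and warrant a full scan with an up-to-date antimalware engine; section 5 alone is not conclusive.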
Analysis by Tim Liu