Threat behavior
TrojanDownloader:Win32/Zlob.gen!AD is generic detection for a component of the greater Win32/Zlob malware family. Win32/Zlob refers to a large multi-component family of malware that modifies Internet Explorer's settings, alters and redirects the user's default Internet search page and home page, and attempts to download and execute arbitrary files (including additional malicious software). The Win32/Zlob family has also been associated with rogue security programs that display misleading warnings regarding bogus malware infections.
This particular component is used to change the affected user's Internet Explorer Start page.
Installation
When this DLL component is registered, it makes the following registry modifications.
Note: As can be seen in the following examples, these modifications may vary slightly according to minor variant.
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{69B98C68-D2B8-4A4E-9CB7-E85B6F3A7014}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{69B98C68-D2B8-4A4E-9CB7-E85B6F3A7014}
or
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{21eca600-72b5-4e66-bb2e-573c92cbd8d6}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{21eca600-72b5-4e66-bb2e-573c92cbd8d6}
or
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{23b760d6-c98b-450b-9b32-26c7775cdf83}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{23b760d6-c98b-450b-9b32-26c7775cdf83}
Payload
Modifies Internet Explorer Settings
TrojanDownloader:Win32/Zlob.gen!AD redirects the affected user's Internet Explorer Start page to one of the following sites:
- http://homepagecell.com
- http://iesecurepages.com
- http://onlysecuretools.com
- http://asecurityassurance.com
When these web pages are opened, a fake alert is displayed, warning the user that their system is infected. The message may contain the following text:
"Warning! W32.Myzor.FK@yf is a virus that infects files with .exe extension. It attempts to steal password and private information from the infected computer"
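The following script is an added example for defenders and is not part of the original description: it parses a text registry export (the `.reg` format written by `reg export`) and reports any Browser Helper Objects registration matching the CLSIDs listed under Installation, and an Internet Explorer Start page pointing at one of the hosts listed under Payload. It assumes the standard Start page location `HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main`, which the description does not name, and the embedded export is constructed for the example.

```python
"""Added example: scan a Windows registry export (.reg text) for the BHO
CLSIDs and Start-page hosts listed in the Zlob.gen!AD description.

The sample export below is constructed for this example, not a real capture.
"""
import re
from urllib.parse import urlparse

# BHO CLSIDs named in the Installation section (compared case-insensitively).
ZLOB_BHO_CLSIDS = {
    "{69B98C68-D2B8-4A4E-9CB7-E85B6F3A7014}",
    "{21ECA600-72B5-4E66-BB2E-573C92CBD8D6}",
    "{23B760D6-C98B-450B-9B32-26C7775CDF83}",
}

# Hosts the Start page is redirected to (Payload section).
ZLOB_START_PAGE_HOSTS = {
    "homepagecell.com",
    "iesecurepages.com",
    "onlysecuretools.com",
    "asecurityassurance.com",
}

# BHO registration key; a raw string cannot end in '\', so append it separately.
BHO_KEY_PREFIX = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
                  r"\Explorer\Browser Helper Objects" + "\\")
# Standard location of IE's Start page value (assumed; not named on the page).
START_PAGE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"

KEY_RE = re.compile(r"^\[(.+)\]$")
STRING_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Return {key_path_lowercased: {value_name: data}} for string values.

    `reg export` writes UTF-16LE, so read a real file with encoding="utf-16".
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = STRING_VALUE_RE.match(line)
        if m and current is not None:
            # .reg escapes quotes and backslashes inside string data.
            data = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
            keys[current][m.group(1)] = data
    return keys


def find_indicators(reg_text):
    """Return [(kind, detail)] for each listed CLSID or Start-page host found."""
    keys = parse_reg_export(reg_text)
    findings = []
    prefix = BHO_KEY_PREFIX.lower()
    for key in keys:
        if key.startswith(prefix):
            clsid = key[len(prefix):].upper()
            if clsid in ZLOB_BHO_CLSIDS:
                findings.append(("bho_clsid", clsid))
    start_page = keys.get(START_PAGE_KEY.lower(), {}).get("Start Page", "")
    host = (urlparse(start_page).hostname or "").lower()
    if host and any(host == h or host.endswith("." + h)
                    for h in ZLOB_START_PAGE_HOSTS):
        findings.append(("start_page", host))
    return findings


# Constructed sample: one listed CLSID, one benign placeholder CLSID, and a
# Start page set to one of the listed hosts.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{21eca600-72b5-4e66-bb2e-573c92cbd8d6}]
@=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-1111-2222-3333-444444444444}]
"NoExplorer"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://iesecurepages.com/"
"""

if __name__ == "__main__":
    for kind, detail in find_indicators(SAMPLE_REG_EXPORT):
        print(f"{kind}: {detail}")
```

On a live system the same check is `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer bho.reg` plus `reg export HKCU\Software\Microsoft\Internet Explorer ie.reg`, then feeding both files (decoded as UTF-16) to `find_indicators`; a hit on a listed CLSID identifies which minor variant registered the DLL, which is useful when matching against the three alternatives shown above.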
Prevention