Threat behavior
TrojanDownloader:Win32/Zlob.gen!AX is generic detection for a component of the greater Win32/Zlob malware family. Win32/Zlob refers to a large multi-component family of malware that modifies Internet Explorer's settings, alters and redirects the user's default Internet search page and home page, and attempts to download and execute arbitrary files (including additional malicious software). The Win32/Zlob family has also been associated with rogue security programs that display misleading warnings regarding bogus malware infections.
Installation
This threat may be installed by other malicious software. After installation, the following registry subkeys may be created so that Win32/Zlob.gen!AX runs as an Internet Explorer Browser Helper Object (BHO):
HKEY_CLASSES_ROOT\CLSID\{DB9FBA9D-AB1B-4CC6-9745-F3B549D64E40}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DB9FBA9D-AB1B-4CC6-9745-F3B549D64E40}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{DB9FBA9D-AB1B-4CC6-9745-F3B549D64E40}
Payload
Downloads Rogue Security Programs
Win32/Zlob.gen!AX may attempt to contact the site 'mspctoolbar.com' over HTTP on TCP port 80. This site may redirect requests to other sites that distribute rogue security applications.
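As an added defender-side check that is not part of this encyclopedia entry, the following PowerShell looks for the three registry subkeys listed under Installation, reports the COM server DLL each CLSID key points to (so the file can be collected for analysis), and looks in the local DNS client cache for the domain named above. The function names are assumptions of this example, and the DNS cache step assumes Windows 8 / Server 2012 or later, where Get-DnsClientCache exists.

```powershell
# Added example, not code from the Microsoft entry. Run in an elevated PowerShell session.
$ZlobClsid  = '{DB9FBA9D-AB1B-4CC6-9745-F3B549D64E40}'   # CLSID listed in the entry
$ZlobDomain = 'mspctoolbar.com'                          # domain listed in the entry

# Registry paths from the entry, written with the Registry:: provider prefix so that
# HKEY_CLASSES_ROOT resolves without defining a custom PSDrive.
$KeyPaths = @(
    "Registry::HKEY_CLASSES_ROOT\CLSID\$ZlobClsid",
    "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\$ZlobClsid",
    "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\$ZlobClsid"
)

function Test-ZlobRegistration {
    # Returns one object per key: whether it exists and, for COM class keys, the DLL
    # named by the InprocServer32 default value (the BHO binary to collect and scan).
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        $present = Test-Path -LiteralPath $path
        $dll = $null
        if ($present) {
            $inproc = "$path\InprocServer32"
            if (Test-Path -LiteralPath $inproc) {
                $dll = (Get-ItemProperty -LiteralPath $inproc -ErrorAction SilentlyContinue).'(default)'
            }
        }
        [pscustomobject]@{ Key = $path; Present = $present; ServerDll = $dll }
    }
}

function Test-ZlobDnsCache {
    # Returns cached resolver entries for the domain; a hit suggests a recent contact attempt.
    param([string]$Domain)
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -like "*$Domain" } |
        Select-Object Entry, Data
}

$regResults = Test-ZlobRegistration -Paths $KeyPaths
$regResults | Format-Table -AutoSize
$dnsHits = @(Test-ZlobDnsCache -Domain $ZlobDomain)
$dnsHits | Format-Table -AutoSize

if (($regResults.Present -contains $true) -or ($dnsHits.Count -gt 0)) {
    Write-Warning "Win32/Zlob.gen!AX indicators found: collect any listed DLL and run a full antimalware scan."
}
```

The check only covers the keys and domain the entry names; a clean result here does not rule out other Win32/Zlob components.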
Analysis by Andrei Florin Saygo
Prevention