TrojanDownloader:Win32/Zlob.gen!BL is a generic detection for a trojan downloader belonging to the Zlob family. It installs a Browser Helper Object (BHO) on the system. It may also change the browser's default search engine so that searches are redirected to a particular web site.
Installation
Upon execution, TrojanDownloader:Win32/Zlob.gen!BL creates the following files, both of which are detected as TrojanDownloader:Win32/Zlob.gen!BZ, usually in the Windows Temp folder:
It then modifies the system registry to register its created DLL file as a BHO:
Adds value: "ddd"
With data: "ddd"
To subkey: HKLM\Software\Classes\CLSID\{D46BEAA4-A304-40B3-A9DA-EC7F7F501F25}
Adds value: "(default)"
With data: "<current folder>\iebt.dll"
To subkey: HKLM\Software\Classes\CLSID\{D46BEAA4-A304-40B3-A9DA-EC7F7F501F25}\InprocServer32
Adds value: "(default)"
With data: "0"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D46BEAA4-A304-40B3-A9DA-EC7F7F501F25}
Adds value: "DefaultScope"
With data: "{daed9266-8c28-4c1c-8b58-5c66eff1d302}"
To subkey: HKCU\Software\Microsoft\Internet Explorer\SearchScopes
Adds value: "DisplayName"
With data: "search"
To subkey: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}
Adds value: "MenuText"
With data: "ie anti-spyware"
To subkey: HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}
It also configures the registry so that its created EXE file is automatically run every time Windows starts:
Adds value: "start"
With data: "<current folder>\iebtmm.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
It also creates the following events:
- __ISA_INSURANCE__
- __ISA_UPDATE__
- __ISA_MONITOR_TERMINATE__
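The registry values and named events above can be checked on a host with the following read-only PowerShell script. This is an added example, not part of the Microsoft entry; the "<current folder>" paths are matched with an assumed wildcard pattern, and the Global\ and Local\ event name prefixes are an assumption about where the events are created.

```powershell
# Added example (not from the encyclopedia entry): read-only check for the
# Zlob.gen!BL artifacts listed above. Reports findings; removes nothing.
$bhoClsid  = '{D46BEAA4-A304-40B3-A9DA-EC7F7F501F25}'
$scopeGuid = '{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}'
$extGuid   = '{9034A523-D068-4BE8-A284-9DF278BE776E}'

# Path, value name ($null = key existence is enough), expected data (wildcard).
# '*\iebt.dll' / '*\iebtmm.exe' are assumed stand-ins for "<current folder>\...".
$regChecks = @(
    @{ Path = "HKLM:\SOFTWARE\Classes\CLSID\$bhoClsid"; Name = 'ddd'; Expected = 'ddd' }
    @{ Path = "HKLM:\SOFTWARE\Classes\CLSID\$bhoClsid\InprocServer32"; Name = '(default)'; Expected = '*\iebt.dll' }
    @{ Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bhoClsid"; Name = $null; Expected = $null }
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'; Name = 'DefaultScope'; Expected = $scopeGuid }
    @{ Path = "HKCU:\Software\Microsoft\Internet Explorer\SearchScopes\$scopeGuid"; Name = 'DisplayName'; Expected = 'search' }
    @{ Path = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\Extensions\$extGuid"; Name = 'MenuText'; Expected = 'ie anti-spyware' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'; Name = 'start'; Expected = '*\iebtmm.exe' }
)

$findings = @(foreach ($c in $regChecks) {
    if (-not (Test-Path -LiteralPath $c.Path)) { continue }
    if ($null -eq $c.Name) {
        [pscustomobject]@{ Kind = 'registry-key'; Location = $c.Path; Data = $null }
        continue
    }
    $props = Get-ItemProperty -LiteralPath $c.Path -ErrorAction SilentlyContinue
    $data  = $props.($c.Name)
    # -like is case-insensitive, so the mixed-case GUID spellings on the page all match.
    if ($null -ne $data -and [string]$data -like $c.Expected) {
        [pscustomobject]@{ Kind = 'registry-value'; Location = "$($c.Path)\$($c.Name)"; Data = $data }
    }
})

# Named events exist only while the process that created them is running, so this
# part only detects a live infection. OpenExisting throws when the name is absent;
# access denied means the object exists but this session cannot open it.
foreach ($name in '__ISA_INSURANCE__', '__ISA_UPDATE__', '__ISA_MONITOR_TERMINATE__') {
    foreach ($prefix in 'Global\', 'Local\') {   # assumed namespaces
        try {
            $h = [System.Threading.EventWaitHandle]::OpenExisting("$prefix$name")
            $h.Dispose()
            $findings += [pscustomobject]@{ Kind = 'event'; Location = "$prefix$name"; Data = 'open succeeded' }
        } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        } catch [System.UnauthorizedAccessException] {
            $findings += [pscustomobject]@{ Kind = 'event'; Location = "$prefix$name"; Data = 'exists, access denied' }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No Zlob.gen!BL artifacts found.' }
```

The HKCU checks apply to the user running the script, so repeat them for each profile on a shared machine; an empty result does not rule out a variant that uses different GUIDs or file names.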
Payload
Redirects Internet Searches
TrojanDownloader:Win32/Zlob.gen!BL modifies system settings so that Internet searches are done using the web site whateversearch.net.
Analysis by Patrik Vicol