TrojanDownloader:Win32/Zlob.gen!N is generic detection for a variant of a large Trojan family that modifies Internet Explorer's settings, alters and redirects the user's default Internet search page and home page, and attempts to download and execute arbitrary files (including additional malicious software). This Trojan attempts to retrieve a file named VideoAccessCodec.ocx from a remote Web site. This file is detected as TrojanDownloader:Win32/Zlob.gen!K.
Installation
When executed, the Trojan (in the form of a Nullsoft Scriptable Install System (NSIS) package) creates the following files in the %Temp% directory:
- imex.bat - a simple batch script that starts the download process by executing vpncore.exe
- install.ico - an icon file
- vpncore.exe - a downloader component, detected as TrojanDownloader:Win32/Zlob.gen!W
Next, the Trojan downloader displays what appears to be an "End User License Agreement" (EULA) for "Video Access Codec 1.4" (or similar).
Clicking the "I Agree" button initiates the download routine.
Payload
Downloads and Executes Arbitrary Files
This Trojan attempts to retrieve a file named VideoAccessCodec.ocx from a remote Web site and save it to the folder %ProgramFiles%\Video Access Codec. The Trojan downloader may also add an entry in "Add or Remove Programs" named "Video Access Codec v1.4".
The retrieved file is detected as TrojanDownloader:Win32/Zlob.gen!K.
Once downloaded, this component acts like a Web browser toolbar, and may perform the following actions:
- Terminate any instances of Internet Explorer prior to installing itself
- Create/manipulate registry keys
- Connect to various related Web sites and download other files/components
- Register other files
Additional Information
Microsoft has received reports that this Trojan downloader has been distributed in the wild masquerading as a video codec or password manager application. This Trojan downloader may masquerade as files named run.exe, crack.exe or VideoAccessCodecInstall.exe.
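The artifacts named in the Installation, Payload and Additional Information sections (the three files dropped in %Temp%, the VideoAccessCodec.ocx payload under %ProgramFiles%\Video Access Codec, the "Video Access Codec v1.4" entry in Add or Remove Programs, and the file names the installer has been distributed under) can be turned into a simple host-triage check. The following is an added example, not Microsoft's detection logic or any code from the malware: it assumes the analyst already has a snapshot of file paths and "Add or Remove Programs" display names from the host (the user name, drive letters and sample paths below are constructed), and it weights the findings so that a lone run.exe or crack.exe is not treated as evidence on its own.

```python
"""Host-triage check for the Zlob.gen!N artifacts described above.

Added example (not Microsoft's detection logic). Matches a snapshot of file
paths and "Add or Remove Programs" display names against the names and
folders given in the write-up. Windows paths are handled with ntpath so the
check also runs on a non-Windows analysis machine.
"""
import ntpath
from dataclasses import dataclass

# Files the NSIS dropper writes to %Temp% (Installation section).
TEMP_DROPPED = {"imex.bat", "install.ico", "vpncore.exe"}
# Payload saved under %ProgramFiles%\Video Access Codec (Payload section).
PAYLOAD_SUBDIR = "Video Access Codec"
PAYLOAD_FILE = "videoaccesscodec.ocx"
# "Add or Remove Programs" display name the downloader may register.
ARP_DISPLAY_NAME = "video access codec v1.4"
# Names the installer has been distributed under (Additional Information).
# run.exe and crack.exe are common names, so those count as low confidence.
MASQUERADE_NAMES = {"run.exe", "crack.exe", "videoaccesscodecinstall.exe"}


@dataclass(frozen=True)
class Finding:
    confidence: str   # "high", "medium" or "low"
    category: str     # which artifact class matched
    evidence: str     # the path or display name that matched


def _norm_dir(path):
    """Case-folded, separator-normalised directory part of a Windows path."""
    return ntpath.normcase(ntpath.normpath(ntpath.dirname(path)))


def scan_snapshot(file_paths, arp_display_names, temp_dir, program_files_dir):
    """Return a Finding for every artifact in the snapshot that matches the write-up."""
    temp_n = ntpath.normcase(ntpath.normpath(temp_dir))
    payload_n = ntpath.normcase(ntpath.normpath(ntpath.join(program_files_dir, PAYLOAD_SUBDIR)))
    findings = []
    temp_hits = set()
    for path in file_paths:
        folder = _norm_dir(path)
        name = ntpath.basename(path).lower()
        if folder == temp_n and name in TEMP_DROPPED:
            temp_hits.add(name)
            findings.append(Finding("medium", "temp_dropper_file", path))
        elif folder == payload_n and name == PAYLOAD_FILE:
            findings.append(Finding("high", "payload_component", path))
        elif name in MASQUERADE_NAMES:
            conf = "medium" if name == "videoaccesscodecinstall.exe" else "low"
            findings.append(Finding(conf, "masquerade_name", path))
    # All three dropped files together are a much stronger signal than any one alone.
    if temp_hits == TEMP_DROPPED:
        findings.append(Finding("high", "temp_dropper_set",
                                ntpath.join(temp_dir, "imex.bat + install.ico + vpncore.exe")))
    for display_name in arp_display_names:
        if display_name.strip().lower() == ARP_DISPLAY_NAME:
            findings.append(Finding("medium", "arp_entry", display_name))
    return findings


def verdict(findings):
    """Collapse the findings to one label: 'infected', 'suspicious' or 'clean'."""
    confidences = {f.confidence for f in findings}
    if "high" in confidences:
        return "infected"
    if "medium" in confidences:
        return "suspicious"
    return "clean"


# Constructed sample snapshot (not real telemetry): a host showing the full chain.
SAMPLE_TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_PROGRAM_FILES = r"C:\Program Files"
SAMPLE_FILES = [
    SAMPLE_TEMP + r"\imex.bat",
    SAMPLE_TEMP + r"\install.ico",
    SAMPLE_TEMP + r"\vpncore.exe",
    r"C:\Program Files\Video Access Codec\VideoAccessCodec.ocx",
    r"C:\Users\alice\Downloads\run.exe",
    r"C:\Windows\System32\notepad.exe",
]
SAMPLE_ARP = ["Video Access Codec v1.4", "Example Text Editor"]

if __name__ == "__main__":
    hits = scan_snapshot(SAMPLE_FILES, SAMPLE_ARP, SAMPLE_TEMP, SAMPLE_PROGRAM_FILES)
    for hit in hits:
        print(f"[{hit.confidence}] {hit.category}: {hit.evidence}")
    print("verdict:", verdict(hits))
```

On the constructed snapshot the check reports the three %Temp% files, the payload component, the complete dropper set, the Add or Remove Programs entry and a low-confidence hit on run.exe, giving the verdict "infected"; a host with only a single vpncore.exe in %Temp% comes back "suspicious", which is the point of weighting the artifacts rather than alerting on any one file name.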
The "EULA" displayed contains information in section 5 that explains the functionality of the Trojan downloader:
5. Important Information Regarding Video Access Codec "Search Assistant" Video Access Codec Software. If the Video Access Codec Software consists of Video Access Codec Search Assistant (the "Search Assistant"), then the following terms and conditions apply to you:
5.1. Functionality. The Search Assistant Video Access Codec Software recognizes keywords from your Internet browser to display relevant advertisements. These advertisements may be displayed on your computer screen at any time while you are searching and shopping online (and not necessarily while you are using any product or service related to or downloaded with the Search Assistant Video Access Codec Software) and pop-up on your screen in a separate browse...
5.2. Display of Advertising. The Search Assistant Video Access Codec Software starts automatically when you start your computer, runs in the background on your computer and may periodically direct you to our sponsors' websites. By installing and/or using the Search Assistant Video Access Codec Software you grant permission for Video Access Codec to periodically display sponsors' websites to you...