Threat behavior
TrojanDownloader:Win32/Zlob.gen!P is a generic detection for a component of Trojan:Win32/Zlob. This Trojan family displays advertisements and receives updates from a remote Web site. In some cases, Trojan:Win32/Zlob displays false warnings of malware infections, designed to encourage users to download rogue security applications or additional malicious files.
Installation
This Trojan runs from where it was first executed, so the file path to the Trojan executable may vary from machine to machine. It modifies the registry to ensure that it is executed at each Windows start:
Adds value: "rare"
With data: "<file path to Trojan executable>"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
Additional Information
This Trojan may be distributed as part of a package of malicious files. For example, this Trojan has been observed to be distributed in the archive "Online_Video_Add_on.zip". This archive contained the following malicious files:
icmntr.exe - detected as TrojanDownloader:Win32/Zlob.gen!O
icthis.exe - detected as TrojanDownloader:Win32/Zlob.gen!P
ictmdl.dll - detected as TrojanDownloader:Win32/Zlob.gen!Z
ictun.exe - detected as TrojanDownloader:Win32/Zlob.gen!H
isfmdl.dll - detected as TrojanDownloader:Win32/Zlob.gen!T
isfmm.exe - detected as TrojanDownloader:Win32/Zlob.gen!O
isfmntr.exe - detected as TrojanDownloader:Win32/Zlob.gen!O
Microsoft has received reports that this Trojan has been distributed in the wild from malicious websites masquerading as a video codec or password manager application.
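The autostart value described under Installation and the file names listed for the archive above can be checked against saved `reg query` output collected from a machine. The following Python code is an added example, not part of the original entry; the sample registry output, the paths in it and the function name are constructed for illustration.

```python
import re

# Indicators taken from this page: the autostart key, its value name, and the
# file names observed in "Online_Video_Add_on.zip".
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer\run"
VALUE_NAME = "rare"
ARCHIVE_FILES = {"icmntr.exe", "icthis.exe", "ictmdl.dll", "ictun.exe",
                 "isfmdl.dll", "isfmm.exe", "isfmntr.exe"}

# `reg query` prints a value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_[A-Z_]+) {4}(?P<data>.*)$")
# File names ending in .exe/.dll inside the data, quoted or followed by arguments.
FILE_NAME = re.compile(r'[^\\/"]+\.(?:exe|dll)\b', re.IGNORECASE)

# Constructed sample output (not taken from a real machine).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    rare    REG_SZ    C:\Tools\unrelated.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
    rare    REG_SZ    C:\Users\demo\Downloads\setup.exe
    Video Add-on    REG_SZ    "C:\Program Files\Video Add-on\isfmm.exe" /s
    Inventory Agent    REG_SZ    C:\Program Files\Agent\agent.exe
"""


def find_zlob_autostart(reg_query_output):
    """Return (value name, data, reasons) for suspicious values under RUN_KEY."""
    findings = []
    in_run_key = False
    for line in reg_query_output.splitlines():
        if line.upper().startswith("HKEY_"):
            # Key header line; registry paths are case-insensitive.
            in_run_key = line.strip().lower() == RUN_KEY
            continue
        match = VALUE_LINE.match(line)
        if not (in_run_key and match):
            continue
        name, data = match["name"], match["data"].strip()
        reasons = []
        if name.lower() == VALUE_NAME:  # value names are case-insensitive too
            reasons.append("value name matches")
        hits = {f.lower() for f in FILE_NAME.findall(data)} & ARCHIVE_FILES
        if hits:
            reasons.append("file name from archive: " + ", ".join(sorted(hits)))
        if reasons:
            findings.append((name, data, reasons))
    return findings


if __name__ == "__main__":
    for name, data, reasons in find_zlob_autostart(SAMPLE):
        print(f"{name!r} -> {data} ({'; '.join(reasons)})")
```

Because the Trojan runs from wherever it was first executed, the value name is the stable indicator; the file-name check only catches copies that kept their names from the archive.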
Prevention