Zlob Trojan
TheInfoList
The Zlob Trojan, identified by some antiviruses as Trojan.Zlob, is a Trojan horse which masquerades as a required video codec in the form of ActiveX. It was first detected in late 2005, but only started gaining attention in mid-2006. Once installed, it displays popup ads which appear similar to real Microsoft Windows warning popups, informing the user that their computer is infected with spyware. Clicking these popups triggers the download of a fake anti-spyware program (such as Virus Heat and MS Antivirus (Antivirus 2009)) in which the Trojan horse is hidden. The Trojan has also been linked to downloading atnvrsinstall.exe, which uses the Windows Security shield icon to look as if it is an anti-virus installation file from Microsoft. Having this file run can wreak havoc on computers and networks. One typical symptom is random computer shutdowns or reboots with random comments. This is caused by the programs using Task Scheduler to run a file called "zlberfker.exe".

Project Honeypot Spam Domains List (PHSDL) tracks and catalogs spam domains. Some of the domains on the list are redirects to porn sites and various video watching sites that show a number of online videos. Playing videos on these sites activates a request to download an ActiveX codec which is malware. It prevents the user from closing the browser in the usual manner. Other variants of Zlob Trojan installation come in the form of a Java cab file masquerading as a computer scan. There is evidence that the Zlob Trojan might be a tool of the Russian Business Network or at least of Russian origin.


RSPlug, DNSChanger, and other variants

The group that created Zlob has also created a Mac Trojan with similar behaviors (named RSPlug). Some variants of the Zlob family, like the so-called "DNSChanger", add rogue DNS name servers to the registry of Windows-based computers and attempt to hack into any detected router to change the DNS settings, potentially re-routing traffic from legitimate web sites to other suspicious web sites. DNSChanger in particular gained significant attention when the U.S. FBI announced it had shut down the source of the malware in late November 2011. However, as there were millions of infected computers which would lose access to the Internet if the malware group's servers were shut down, the FBI opted to convert the servers into legitimate DNS servers. Due to cost concerns, however, these servers were set to shut down on the morning of 9 July 2012, which could cause thousands of still-infected computers to lose Internet access. This server shutdown did occur as planned, although the expected issues with infected computers did not materialize. By the date of the shutdown, there were many free of charge programs available that removed the Zlob malware effectively and without requiring great technical knowledge. The malware did however remain in the wild and as of 2015 could still be found on unprotected computers. The malware was also self-replicating, something the FBI did not fully understand, and the servers that were shut down may have only been one of the initial sources of the malware. Current antivirus programs are very effective at detecting and removing Zlob, and its time in the wild appears to be coming to an end.
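As an added defender-side check, not part of the article, the following PowerShell script looks for the two host-level traces the article describes: Task Scheduler entries that launch "zlberfker.exe", and per-interface DNS server entries in the Windows registry that are not on an allow-list of expected resolvers. The allow-list addresses are placeholders, and the registry location used for the DNS values is an assumption noted in the comments.

```powershell
# Added example: hunt for the two Zlob/DNSChanger traces described in the article.
# Assumption: the expected resolvers below are placeholders (RFC 5737 documentation
# range); replace them with the DNS servers your environment actually uses.
$ExpectedDns = @('192.0.2.53', '192.0.2.54')

function Find-ZlobScheduledTasks {
    # Task Scheduler entries whose action runs zlberfker.exe (the file the article names).
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match 'zlberfker\.exe') {
                [pscustomobject]@{
                    TaskName = $task.TaskName
                    TaskPath = $task.TaskPath
                    Command  = $cmd.Trim()
                }
            }
        }
    }
}

function Find-UnexpectedDnsServers {
    param([string[]]$Allowed = $ExpectedDns)
    # Assumption: static (NameServer) and DHCP-assigned (DhcpNameServer) resolvers are
    # read from the per-interface keys under Tcpip\Parameters\Interfaces.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    Get-ChildItem $base | ForEach-Object {
        $iface = $_.PSChildName
        $props = Get-ItemProperty -Path $_.PSPath
        foreach ($name in 'NameServer', 'DhcpNameServer') {
            $value = $props.$name
            if ([string]::IsNullOrWhiteSpace($value)) { continue }
            # Values are comma- or space-separated lists of IPv4 addresses.
            foreach ($ip in ($value -split '[ ,]+' | Where-Object { $_ })) {
                if ($Allowed -notcontains $ip) {
                    [pscustomobject]@{
                        Interface = $iface
                        Source    = $name
                        Server    = $ip
                    }
                }
            }
        }
    }
}

Find-ZlobScheduledTasks   | Format-Table -AutoSize
Find-UnexpectedDnsServers | Format-Table -AutoSize
```

Legitimate DHCP-assigned resolvers that are missing from the allow-list will also be reported, so tune the list to your environment before treating a hit as an infection indicator.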


See also

* Search-daily Hijacker
* Trojan.Win32.DNSChanger


External links


* List of ActiveX Zlob Trojan fake codecs and other misleading Zlob-installers
* Flash's Security Blog, a blog listing fake codecs and rogue security software.
* S!Ri.URZ, SmitfraudFix.
* Zlob/VideoAccess/Trojan.Win32.DNSChanger – malekal.com (fr)
* Anti Zlob Malware Forums
* SWI Forum
* dns-ok.gov.au, an Australian Government website with a diagnostic that determines whether your computer is infected by DNSChanger.