
TrojanDownloader:Win32/Zlob.AFM


First posted on 16 March 2009.
Source: SecurityHome

Aliases :

TrojanDownloader:Win32/Zlob.AFM is also known as Win32/Zlob.EP (CA), Trojan.DL.BHO.NGO (VirusBuster), and Trojan-Downloader.Win32.BHO.bvj (Kaspersky).

Explanation :

TrojanDownloader:Win32/Zlob.AFM is the detection for a BHO (Browser Helper Object) that may arrive on the system by being installed by a user. The user may install it because it purports to be a "video codec"; the codec installer actually installs the BHO detected as this trojan.

Symptoms

System Changes

The following system changes may indicate the presence of this malware:

  • The presence of the following files:
    <system folder>\cmvideo.dll
  • The presence of the following registry keys:
    HKLM\SOFTWARE\Classes\AppID\CMVideo.DLL
    HKLM\SOFTWARE\Classes\CMVideo.CMVideoPlugin
    HKLM\SOFTWARE\Classes\CMVideo.CMVideoPlugin.1
    HKLM\SOFTWARE\Classes\CMVideo.XMLDOMDocumentEventsSink
    HKLM\SOFTWARE\Classes\CMVideo.XMLDOMDocumentEventsSink.1
    HKLM\SOFTWARE\Classes\CLSID\{B87FA0EF-26D7-4B2A-B7EE-38C7271C4843}
    HKLM\SOFTWARE\Classes\CLSID\{0D23EE44-2319-4B6C-93D2-A572E0F5B0E0}
    HKLM\SOFTWARE\Classes\TypeLib\{AC4A66D0-BB91-45E5-BB00-E0F091F630B8}


Installation

Upon execution of the installer, it drops the BHO in the system as '<system folder>\cmvideo.dll'; this DLL file is detected as Win32/Zlob.AFM. Note - <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32. It then creates the following registry subkeys to register its dropped file as a BHO:

    HKLM\SOFTWARE\Classes\AppID\CMVideo.DLL
    HKLM\SOFTWARE\Classes\CMVideo.CMVideoPlugin
    HKLM\SOFTWARE\Classes\CMVideo.CMVideoPlugin.1
    HKLM\SOFTWARE\Classes\CMVideo.XMLDOMDocumentEventsSink
    HKLM\SOFTWARE\Classes\CMVideo.XMLDOMDocumentEventsSink.1
    HKLM\SOFTWARE\Classes\CLSID\{B87FA0EF-26D7-4B2A-B7EE-38C7271C4843}
    HKLM\SOFTWARE\Classes\CLSID\{0D23EE44-2319-4B6C-93D2-A572E0F5B0E0}
    HKLM\SOFTWARE\Classes\TypeLib\{AC4A66D0-BB91-45E5-BB00-E0F091F630B8}

It also creates the following subkey, in which it writes configuration data, as part of its installation routine:

    HKCU\Software\CMVideoPlugin
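The file and registry indicators above are the kind of thing a responder wants to check on a host quickly. The PowerShell script below is an added example, not part of the original description or of any vendor tool: it performs a read-only triage of the listed indicators and reports what it finds. The file path and registry keys are those given above (with path separators restored). Three things in it are assumptions, not facts from the description: the SysWOW64 path (where a 32-bit DLL would sit on 64-bit Windows), the Browser Helper Objects key that Internet Explorer consults when loading BHOs, and the function name Test-ZlobAfmIndicators.

```powershell
# Added example (not from the original description): read-only triage check for the
# Win32/Zlob.AFM file and registry indicators. Indicator paths and CLSIDs are the ones
# from the description. Assumptions, not from the page: the SysWOW64 path and the
# "Browser Helper Objects" key that Internet Explorer reads when loading BHOs.

$ZlobAfmIndicators = @{
    Files = @(
        (Join-Path $env:SystemRoot 'System32\cmvideo.dll'),
        (Join-Path $env:SystemRoot 'SysWOW64\cmvideo.dll')   # assumption: 64-bit hosts
    )
    RegistryKeys = @(
        'HKLM:\SOFTWARE\Classes\AppID\CMVideo.DLL',
        'HKLM:\SOFTWARE\Classes\CMVideo.CMVideoPlugin',
        'HKLM:\SOFTWARE\Classes\CMVideo.CMVideoPlugin.1',
        'HKLM:\SOFTWARE\Classes\CMVideo.XMLDOMDocumentEventsSink',
        'HKLM:\SOFTWARE\Classes\CMVideo.XMLDOMDocumentEventsSink.1',
        'HKLM:\SOFTWARE\Classes\CLSID\{B87FA0EF-26D7-4B2A-B7EE-38C7271C4843}',
        'HKLM:\SOFTWARE\Classes\CLSID\{0D23EE44-2319-4B6C-93D2-A572E0F5B0E0}',
        'HKLM:\SOFTWARE\Classes\TypeLib\{AC4A66D0-BB91-45E5-BB00-E0F091F630B8}',
        'HKCU:\Software\CMVideoPlugin'
    )
    # The two CLSIDs from the description, checked against IE's BHO load list (assumption).
    BhoClsids = @(
        '{B87FA0EF-26D7-4B2A-B7EE-38C7271C4843}',
        '{0D23EE44-2319-4B6C-93D2-A572E0F5B0E0}'
    )
}

function Test-ZlobAfmIndicators {
    [CmdletBinding()]
    param([hashtable]$Indicators = $ZlobAfmIndicators)

    $hits = New-Object System.Collections.Generic.List[object]

    # 1. Dropped DLL: record size and SHA-256 so the sample can be matched or submitted.
    foreach ($path in $Indicators.Files) {
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $item = Get-Item -LiteralPath $path
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $hits.Add([pscustomobject]@{
                Type      = 'File'
                Indicator = $path
                Detail    = "size=$($item.Length) sha256=$hash"
            })
        }
    }

    # 2. COM registration keys the installer creates.
    foreach ($key in $Indicators.RegistryKeys) {
        if (Test-Path -LiteralPath $key) {
            $hits.Add([pscustomobject]@{ Type = 'RegistryKey'; Indicator = $key; Detail = '' })
        }
    }

    # 3. Is either CLSID actually wired into Internet Explorer's BHO list? (assumption)
    $bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    foreach ($clsid in $Indicators.BhoClsids) {
        if (Test-Path -LiteralPath (Join-Path $bhoRoot $clsid)) {
            # Resolve which DLL the CLSID points at, so the report shows what IE would load.
            $serverKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
            $server = Get-ItemProperty -LiteralPath $serverKey -ErrorAction SilentlyContinue
            $dll = if ($server) { $server.'(default)' } else { '<InprocServer32 missing>' }
            $hits.Add([pscustomobject]@{ Type = 'BhoRegistration'; Indicator = $clsid; Detail = "loads $dll" })
        }
    }

    return $hits
}

# Usage: run in an elevated PowerShell session on the host being checked.
$findings = @(Test-ZlobAfmIndicators)
if ($findings.Count -eq 0) {
    Write-Output 'No Win32/Zlob.AFM indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

The script only reads; it deletes nothing, so it is safe to run before deciding on remediation. A hit in the third group matters most: the Classes keys alone only mean the COM object is registered, whereas an entry under Browser Helper Objects means Internet Explorer would actually load the DLL. The hash it records for cmvideo.dll can be compared against your AV vendor's sample or submitted to them.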

Payload

Downloads Other Files

TrojanDownloader:Win32/Zlob.AFM queries the Web site 'rscserv.com' for advertisements to display. Examples of the advertisements it displays are as follows:

    "Your computer is running slower than normal, maybe it is infected with Viruses, Adware or Spyware. Antivirus Plus will perform a quick and completely FREE scan of your system for malicious software. Download Antivirus Plus for FREE now!"

    "Here you can enjoy complete privacy; you don’t have to wait for doctor’s appointment, no prescription needed, FREE online consultation. Just order any time from home or your office. All of our medicines are available to you online 24/7."

Clicking on the link in these advertisements may connect the user to the following Web sites:

  • security-check-center.com
  • pharmacy-911.com

Connecting to these sites may result in the download and installation of other files, which may be malware.

Analysis by Marian Radu

Last update 16 March 2009