Troj/LowZone-V is a Trojan for the Windows platform that lowers internet security settings and grants certain websites unrestricted access.
The Trojan lowers the security levels in the internet browser settings by creating the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinLevel
Code Download

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Security_RunActiveXControls
dword:01000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Security_RunScripts
dword:01000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Safety Warning Level
SucceedSilent

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
Trusted
1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
Trusted
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Trust Warning Level
No Security

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
1004
dword:00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
1201
dword:00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
1C00
dword:00000300

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
CurrentLevel
dword:00010000

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Flags
dword:0000009b

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
2001
dword:00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
2004
dword:00000000

The Trojan then silently creates the following registry entries, which grant a set of domains unrestricted access so that files can be downloaded from those remote websites and run on the infected computer:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1
*
dword:00000002

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1
*
dword:00000002

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1
:Range
213.159.117.202

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1
:Range
213.159.117.202

Troj/LowZone-V also quietly creates the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0
<random name>
CDT inc.

HKCU\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0
<random name>
MediaTickets

HKCU\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0
<random name>
Integrated Search Technologies
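
A triage sketch for the Internet Settings, Zones\2 and ZoneMap\Ranges\Range1 values listed above, added here as an example and not part of the original write-up: it parses a regedit-style export and reports the values whose data equals what the Trojan sets. The function names and the sample export are constructed for illustration, and it assumes the export shows the data in the same dword: notation the write-up uses.

```python
import re

# Value data exactly as printed in the write-up above, keyed by (subkey, value name).
# Assumption: the export uses the same dword: notation as the write-up.
IS = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
Z2 = IS + r"\Zones\2"  # zone 2 is the Trusted sites zone
INDICATORS = {
    (IS, "Security_RunActiveXControls"): "dword:01000000",
    (IS, "Security_RunScripts"): "dword:01000000",
    (Z2, "1004"): "dword:00000000",
    (Z2, "1201"): "dword:00000000",
    (Z2, "1C00"): "dword:00000300",
    (Z2, "CurrentLevel"): "dword:00010000",
    (Z2, "Flags"): "dword:0000009b",
    (Z2, "2001"): "dword:00000000",
    (Z2, "2004"): "dword:00000000",
    (IS + r"\ZoneMap\Ranges\Range1", "*"): "dword:00000002",
}
KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+)\\(.+)\]$")
VAL_RE = re.compile(r'^"([^"]*)"=(.+)$')

def parse_reg(text):
    """Yield (hive, subkey, name, data) tuples from regedit export text."""
    hive = subkey = None
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            hive, subkey = m.groups()
        elif subkey and (m := VAL_RE.match(line)):
            yield hive, subkey, m.group(1), m.group(2).strip('"')

def audit(text):
    """Return the (hive, subkey, name, data) entries that equal a listed value."""
    # Registry key and value names are case-insensitive, so compare lowercased.
    wanted = {(k.lower(), n.lower()): d for (k, n), d in INDICATORS.items()}
    return [e for e in parse_reg(text)
            if wanted.get((e[1].lower(), e[2].lower())) == e[3].lower()]

# Constructed sample export (not from a real host): two benign values, three listed ones.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"Security_RunScripts"=dword:01000000
"ProxyEnable"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1004"=dword:00000003
"1201"=dword:00000000
"Flags"=dword:0000009B
"""
```

Exports written by regedit or reg export are UTF-16, so decode the file accordingly before passing its text to audit(). A single match can be a legitimate administrator setting; several together are the pattern described above.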