Troj/Zlob-ABQ

Category: Viruses and Spyware
Protection available since: 20 Apr 2007 00:00:00 (GMT)
Type: Trojan
Last Updated: 20 Apr 2007 00:00:00 (GMT)
Prevalence: No Reports


Troj/Zlob-ABQ is a password-stealing Trojan.

Troj/Zlob-ABQ captures confidential information in the form of keystrokes, Windows text and clipboard text and then sends this data to a remote location via email.

In particular, Troj/Zlob-ABQ attempts to capture login details for online banking websites from HTML pages that contain certain text strings, such as:

"e-gold", "PayPal", "bank", "passport", "money", "mail", "log", "sign", "secret", "forex", "hsbc", "woolwich", "lloyds", "barclay", "egg" or "password".

Troj/Zlob-ABQ can arrive as a result of web browsing. Certain web pages may exploit vulnerabilities associated with Microsoft Internet Explorer to silently download and install/run the Trojan without user interaction.

Troj/Zlob-ABQ includes functionality to:

- delete URL cache entries
- delete itself after a period of time
- steal confidential information
- download, install and run new software, including updates of its software

When Troj/Zlob-ABQ is installed, it creates the file <System>\kdlfk.exe.

The file kdlfk.exe is detected as Troj/Zlob-ABL.

The following registry entry is changed to run kdlfk.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
System
kdlfk.exe
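
The two host indicators above (the dropped file and the Winlogon startup value) can be checked with a short PowerShell script. This is an added example, not part of the original analysis or a Sophos tool; it assumes <System> is the Windows system folder returned by [Environment]::SystemDirectory and that the script runs in a session allowed to read HKLM.

```powershell
# Added example: look for the Troj/Zlob-ABQ indicators named on this page.
# Indicators taken from the page: <System>\kdlfk.exe and the Winlogon "System" value.
$fileName = 'kdlfk.exe'
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$findings = @()

# 1. Registry: flag the Winlogon "System" value if it references the dropped file.
$props = Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue
if ($props -and ($props.PSObject.Properties.Name -contains 'System')) {
    $value = [string]$props.System
    if ($value -match [regex]::Escape($fileName)) {   # -match is case-insensitive
        $findings += "Winlogon\System references $fileName (value: '$value')"
    }
}

# 2. File: assumption - <System> maps to the Windows system folder.
$path = Join-Path ([Environment]::SystemDirectory) $fileName
if (Test-Path -LiteralPath $path) {
    # -Force so a hidden or system-flagged file is still returned.
    $item = Get-Item -LiteralPath $path -Force
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $created = $item.CreationTimeUtc.ToString('u')
    $findings += "File present: $path (created $created, SHA256 $hash)"
}

# Report: one line per indicator, or a single clean result.
if ($findings.Count -eq 0) {
    'No Troj/Zlob-ABQ indicators from this page were found.'
} else {
    $findings | ForEach-Object { "FOUND: $_" }
}
```

A hit on either check is a reason to isolate the host and run a full scan; the script only reports and changes nothing.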
