Troj/Zlob-ASM

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports
Protection available since: 29 May 2009 16:22:47 (GMT)
Last Updated: 29 May 2009 16:22:47 (GMT)


Troj/Zlob-ASM is a downloader Trojan for the Windows platform.

The following files are typically installed:

<System>\3407.exe
<Windows>\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job
<Windows>\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job
<Windows>\msa.exe
<Temp>\11595.exe
<Temp>\10605.exe
<Temp>\6475.exe
<Temp>\3407.exe
<Internet Cache>\Content.IE5\1O8GNIGZ\file[1].exe

Troj/Zlob-ASM installs the file <System>\msxml71.dll (overwriting any existing file at that path) and registers it as a COM object and as a Browser Helper Object (BHO) for Microsoft Internet Explorer, so the DLL is loaded into every Internet Explorer process. The registration creates registry entries under:

HKCR\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}
HKCR\TypeLib\{B6AE55BF-4617-93EF-6EA4-4E52199CA591}
HKCR\XML.XML
HKCR\XML.XML.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500BCA15-57A7-4eaf-8143-8C619470B13D}

The following registry value is created so that 11595.exe runs each time the user logs on (key, value name, and data):

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Cognac
<Temp>\11595.exe

The file 3407.exe is registered as a new service named "ipfw", with a display name of "ipfw_helper". Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\ipfw

Registry entries are created under:

HKCU\Software\Cognac
HKCU\Software\ColdWare
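The indicators above (dropped files, COM/BHO registration, the Run value, the "ipfw" service and the two configuration keys) can be checked on a suspect host with a short read-only sweep. The script below is an added example written for this page; it is not Sophos' removal tool and not code from the advisory. It assumes <System> maps to %SystemRoot%\System32, <Windows> to %SystemRoot%, <Temp> to the current user's %TEMP% and <Internet Cache> to the current user's Internet Explorer cache; those mappings, the function name Find-ZlobAsmIndicators and the output format are the example's own choices. It reports matches and changes nothing.

```powershell
# Added example (not Sophos' tool, not from the advisory): read-only sweep of a
# Windows host for the Troj/Zlob-ASM indicators listed on this page.
# Assumed mappings for the advisory's abstract paths:
#   <System>         -> %SystemRoot%\System32
#   <Windows>        -> %SystemRoot%
#   <Temp>           -> the current user's %TEMP%
#   <Internet Cache> -> the current user's IE cache folder
# HKCU and the Temp/cache paths cover only the user running the script, so repeat it
# per profile on a shared machine. Run elevated so HKLM\SYSTEM\...\Services is readable.
# Needs PowerShell 4+ (Get-FileHash).

function Find-ZlobAsmIndicators {
    $sys   = Join-Path $env:SystemRoot 'System32'
    $win   = $env:SystemRoot
    $tmp   = $env:TEMP
    $cache = [Environment]::GetFolderPath('InternetCache')
    $hits  = New-Object System.Collections.Generic.List[string]

    # 1. Dropped files. -LiteralPath stops the {GUID} names being read as wildcards.
    #    A SHA-256 per hit lets the file be triaged without touching it further.
    $files = @(
        (Join-Path $sys 'msxml71.dll'),
        (Join-Path $sys '3407.exe'),
        (Join-Path $win 'msa.exe'),
        (Join-Path $win 'Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job'),
        (Join-Path $win 'Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job'),
        (Join-Path $tmp '11595.exe'),
        (Join-Path $tmp '10605.exe'),
        (Join-Path $tmp '6475.exe'),
        (Join-Path $tmp '3407.exe')
    )
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f -PathType Leaf) {
            $sha = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
            $hits.Add("FILE  $f  sha256=$sha")
        }
    }

    # The Content.IE5 subfolder name (1O8GNIGZ in the analysed sample) is random per
    # cache, so every subfolder is searched. -Filter treats the [1] literally.
    # Content.IE5 exists in the XP/Vista/7 cache layout; newer Windows stores the
    # IE cache elsewhere, in which case this step simply finds nothing.
    $ie5 = Join-Path $cache 'Content.IE5'
    if (Test-Path -LiteralPath $ie5) {
        Get-ChildItem -LiteralPath $ie5 -Recurse -File -Filter 'file[1].exe' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sha = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                $hits.Add("FILE  $($_.FullName)  sha256=$sha")
            }
    }

    # 2. COM/BHO registration, the service key and the two configuration keys.
    #    HKCR: is not a default PSDrive, so it is reached via the Registry:: provider.
    $keys = @(
        'Registry::HKEY_CLASSES_ROOT\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}',
        'Registry::HKEY_CLASSES_ROOT\TypeLib\{B6AE55BF-4617-93EF-6EA4-4E52199CA591}',
        'Registry::HKEY_CLASSES_ROOT\XML.XML',
        'Registry::HKEY_CLASSES_ROOT\XML.XML.1',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500BCA15-57A7-4eaf-8143-8C619470B13D}',
        'HKLM:\SYSTEM\CurrentControlSet\Services\ipfw',
        'HKCU:\Software\Cognac',
        'HKCU:\Software\ColdWare'
    )
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) { $hits.Add("KEY   $k") }
    }

    # 3. Persistence value: HKCU\...\Run\Cognac = <Temp>\11595.exe
    $run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' `
                            -Name 'Cognac' -ErrorAction SilentlyContinue
    if ($run) { $hits.Add("RUN   Cognac = $($run.Cognac)") }

    # 4. The "ipfw" service (display name "ipfw_helper"). The advisory does not give
    #    the ImagePath, so whatever the key holds is reported for triage.
    $svc = Get-Service -Name 'ipfw' -ErrorAction SilentlyContinue
    if ($svc) {
        $img = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\ipfw' `
                                 -Name 'ImagePath' -ErrorAction SilentlyContinue).ImagePath
        $hits.Add("SVC   ipfw ('$($svc.DisplayName)') status=$($svc.Status) ImagePath=$img")
    }

    return $hits
}

$result = @(Find-ZlobAsmIndicators)
if ($result.Count -eq 0) {
    Write-Output 'No Troj/Zlob-ASM indicators found for this user profile.'
} else {
    Write-Output "Troj/Zlob-ASM indicators found ($($result.Count)):"
    $result | ForEach-Object { Write-Output "  $_" }
}
```

A hit on any single indicator is worth following up, but the file hashes and the service ImagePath are there for triage rather than as a verdict: msxml71.dll in particular replaces whatever file already sat at that path, so confirm a suspect DLL by hash or signature before removing it.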
