Troj/Zlobns-AA is an installer for files belonging to the Zlob family of Trojans.
Troj/Zlobns-AA is an installer for files belonging to the Zlob family of Trojans.
Troj/Zlobns-AA masquerades as as application named "VAX Codec".
When run Troj/Zlobns-AA creates the following files:
<Start Menu\Programs>\VAXCodec
<Start Menu\Programs>\VAXCodec\Uninstall.lnk
<Start Menu\Programs>\VAXCodec\VAX Codec Web Site.url
<Program Files>\VAXCodec
<Program Files>\VAXCodec\TRNSCoderV4.ocx
<Program Files>\VAXCodec\uninstall.exe
<System>\shlapimext.dll
The files TRNSCoderV4.ocx and shlapimext.dll are registered as COM objects, creating registry entries under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EEEAE130-AF08-44AA-886F-F764C4987F1C}
HKCR\TypeLib\{DF923391-CA5F-4C7F-AAE2-C83E17F08057}
HKCR\TypeLib\{67F508EC-A0C7-4E9F-8936-A3D0D7B345F3}
HKCR\Interface\{EAC7AB48-1443-421A-A80A-69AE89CC923F}
HKCR\Interface\{D8396421-B1E7-4994-AF27-FAC2EA045D24}
HKCR\Interface\{69B8A579-9873-4F1D-AE61-1063C752FB41}
HKCR\CLSID\{EEEAE130-AF08-44AA-886F-F764C4987F1C}
HKCR\CLSID\{B310DEB1-8DE8-4B34-9E2C-26A1BE935A76}
HKCR\CLSID\{002A911E-05FC-4F89-A490-CB981841AB25}
HKCR\shlapimext.ShlApiMExtObj
HKCR\shlapimext.ShlApiMExtObj.1
HKCR\CODEC.TRNSCoderV4Ctrl.1
HKCR\*\shellex\ContextMenuHandlers\ShlApiMExtObj
HKCR\BprintingHost.Serv\CLSID\{38ca2fcd-7d7e-11db-96a0-00e08161165f}
HKCR\Svshostt.<variable 4>\CLSID
HKCR\Svshost<number>.<variable 4>\CLSID
HKCR\<variable 8>.<variable 4>\CLSID
where <number> is a number (typically 1 or 2 digits) and <variable 4> and <variable 8> are random 4 and 8 character strings respectively, consisting of characters a-z and 0-9, for example:
HKCR\Svshost1.abcd\CLSID
HKCR\1234abcd.abcd\CLSID
Registry entries are created under:
HKLM\SOFTWARE\VAXCodec
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VAXCodec
An uninstall option is provided which can be accessed via the Add or Remove Programs dialog in the Windows Control Panel. The software is listed as "VAXCodec v4.0".