Sophos

Troj/Zlob-AFC

Aliases
  • TROJ_ZLOB.DWF
  • TR/DNSChanger.GH
  • Trojan.Win32.DNSChanger.ph

Summary

 
Affected operating systems: Windows
Characteristics:
  • Installs itself in the registry
Included in our products from: December 2007 (4.24)
Protection available since: 12 October 2007 01:33:07 (GMT)
Detected by: All Sophos products

More Information

Troj/Zlob-AFC is a Trojan for the Windows platform.

Troj/Zlob-AFC contains functionality to access the internet and communicate with a remote server via HTTP.

When first run, Troj/Zlob-AFC creates files under the following folders:

<Start Menu>\Programs\VideoHeaven
<Program Files>\VideoHeaven

Troj/Zlob-AFC creates the following registry entry to start itself:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
System
kdces.exe

and creates entries under the following registry trees:

HKCR\VideoHeaven\
HKCU\Software\VideoHeaven\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VideoHeaven\

The following registry entries are added or modified to override default DNS settings:

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer\
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
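
The following read-only PowerShell check for the folders and registry entries listed above is an added example, not Sophos code. It assumes the Winlogon entry is a value named System holding kdces.exe, and $ExpectedDns is a hypothetical list of the resolvers your network actually uses (the addresses shown are constructed samples).

```powershell
# Added example: read-only check for the Troj/Zlob-AFC artefacts listed on this page.
# $ExpectedDns is a hypothetical allow-list; replace it with your own resolvers.
$ExpectedDns = @('192.0.2.53', '192.0.2.54')   # constructed sample values
$findings = @()

# 1. Dropped folders (per-user and all-users Start Menu, plus Program Files)
$folders = @(
    (Join-Path ([Environment]::GetFolderPath('Programs'))       'VideoHeaven'),
    (Join-Path ([Environment]::GetFolderPath('CommonPrograms')) 'VideoHeaven'),
    (Join-Path $env:ProgramFiles 'VideoHeaven')
)
foreach ($f in $folders) {
    if (Test-Path -LiteralPath $f) { $findings += "Folder present: $f" }
}

# 2. Winlogon autostart (assumed layout: value "System", data kdces.exe)
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$sys = (Get-ItemProperty -Path $winlogon -Name System -ErrorAction SilentlyContinue).System
if ($sys -match 'kdces\.exe') { $findings += "Winlogon\System references kdces.exe: '$sys'" }

# 3. Registry trees created by the Trojan
$trees = @(
    'Registry::HKEY_CLASSES_ROOT\VideoHeaven',
    'HKCU:\Software\VideoHeaven',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VideoHeaven'
)
foreach ($t in $trees) {
    if (Test-Path -LiteralPath $t) { $findings += "Registry key present: $t" }
}

# 4. DNS overrides: global Tcpip parameters plus every interface subkey
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$keys  = @($tcpip) + @(Get-ChildItem -Path "$tcpip\Interfaces" -ErrorAction SilentlyContinue |
                       ForEach-Object { $_.PSPath })
foreach ($k in $keys) {
    $p = Get-ItemProperty -LiteralPath $k -ErrorAction SilentlyContinue
    foreach ($name in 'NameServer', 'DhcpNameServer') {
        # Values hold space- or comma-separated resolver addresses
        $servers = "$($p.$name)" -split '[ ,]+' | Where-Object { $_ }
        foreach ($s in $servers) {
            if ($ExpectedDns -notcontains $s) { $findings += "Unexpected $name '$s' in $k" }
        }
    }
}

if ($findings) { $findings } else { 'No Troj/Zlob-AFC artefacts from this page found.' }
```

Any resolver reported in step 4 should be compared against what the DHCP server or network administrator actually hands out before it is treated as tampering.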
