Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Protection available since | 17 November 2005 04:05:20 (GMT) |
| Last updated | 25 January 2006 14:22:22 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
More Information
Troj/Zlob-BC is a downloader Trojan.
Troj/Zlob-BC will contact predefined remote sites and download data. The Trojan may then download further executable files and run them.
Troj/Zlob-BC displays the following fake warning message:
Your computer is infected!
Windows has detected spyware infection.
It is recommended to use special antispyware tools to prevent data loss.
Windows will now download and install the most
up-to-date antispyware for you.
Click here to protect your computer from spyware.
Troj/Zlob-BC installs the following files in the Windows system folder:
mscornet.exe (detected as Troj/Zlob-BC)
mssearch.exe (detected as Troj/Zlob-BC)
nvctrl.exe (detected as Troj/Zlob-BC)
ld????.tmp (detected as Troj/Zlob-BC)
ncompat.tlb (may be safely deleted)
msvol.tlb (may be safely deleted)
hp????.tmp (may be safely deleted)
where ???? are strings of randomly generated characters.
In order to run automatically each time Explorer initialises, Troj/Zlob-BC will set the following registry entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
wininet.dll
mscornet.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
kernel32.dll
<System>\mssearch.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
nvctrl.exe
nvctrl.exe
In order to run automatically each time a user logs in, Troj/Zlob-BC will add mscornet.exe to the following registry entry:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Troj/Zlob-BC will attempt to hide its activity by injecting code into EXPLORER.EXE.
Registry entries are also created under:
HKCR\CLSID\(E9CCF15D-4C68-4B5A-9E9A-8E12E4BD39BD)
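One way to check a registry snapshot for the startup entries and file names listed above, as an added example that is not Sophos code. The snapshot layout, the sample data, the splitting of the Shell value on spaces or commas, and the extra heuristic for DLL-like value names (which goes beyond the listed names) are assumptions of this example.

```python
import fnmatch
import ntpath

# File names from the description above; '?' stands for one random character.
FILE_PATTERNS = ["mscornet.exe", "mssearch.exe", "nvctrl.exe", "ld????.tmp",
                 "ncompat.tlb", "msvol.tlb", "hp????.tmp"]
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def matches_indicator(path):
    """True if the file-name part of a Windows path matches a listed name."""
    name = ntpath.basename(path.strip('"')).lower()
    return any(fnmatch.fnmatchcase(name, p) for p in FILE_PATTERNS)


def check_snapshot(snapshot):
    """Return (key, value_name, reason) findings.

    snapshot maps key path -> {value name: data}. This layout is an
    assumption of the example, e.g. built from a registry export.
    """
    findings = []
    for name, data in snapshot.get(RUN_KEY, {}).items():
        if matches_indicator(data):
            findings.append((RUN_KEY, name, "data names a listed Troj/Zlob-BC file"))
        elif name.lower().endswith(".dll") and data.lower().endswith(".exe"):
            # Heuristic (assumption): value named like a system DLL starts an .exe.
            findings.append((RUN_KEY, name, "DLL-like value name launches an .exe"))
    shell = snapshot.get(WINLOGON_KEY, {}).get("Shell", "")
    for token in shell.replace(",", " ").split():
        if matches_indicator(token):
            findings.append((WINLOGON_KEY, "Shell", "Shell includes " + token))
    return findings


# Constructed sample snapshot: three entries as described plus one benign entry.
SAMPLE = {
    RUN_KEY: {
        "wininet.dll": "mscornet.exe",
        "kernel32.dll": r"C:\WINDOWS\system32\mssearch.exe",
        "nvctrl.exe": "nvctrl.exe",
        "CorpAgent": r"C:\Program Files\Corp\agent.exe",
    },
    WINLOGON_KEY: {"Shell": "Explorer.exe mscornet.exe"},
}

if __name__ == "__main__":
    for key, value, reason in check_snapshot(SAMPLE):
        print(f"{key} [{value}]: {reason}")
```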
