Sophos

Troj/Zlob-I

Aliases
  • Trojan-Downloader.Win32.Zlob.i

Summary

 
Affected operating systems: Windows
Characteristics
  • Installs itself in the registry
Protection available since: 3 May 2005 12:49:44 (GMT)
Detected by: All Sophos products
  • Endpoint Security and Control 9.0
  • Small business solutions 4.0

More Information

Troj/Zlob-I is a Trojan that attempts to download further malicious code.

The Trojan attempts to set itself to run on system startup by creating the following registry entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
notepad.exe
msmsgs.exe

Troj/Zlob-I also adds MSMSGS.EXE to the following registry entry in order to run itself on system startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell

Troj/Zlob-I creates a registry entry at the following location:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
uuid

Troj/Zlob-I attempts to hide itself by injecting itself into EXPLORER.EXE or by registering itself as a service process.

Troj/Zlob-I may store downloaded files in the LogFiles subfolder of the Windows system folder.
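The following check for the three registry entries listed above is an added example, not Sophos code. It parses saved `reg query` text output; the sample output is constructed, and it assumes the first listing means a value named `notepad.exe` with data `msmsgs.exe`.

```python
import re

# Registry locations named in the write-up above, lower-cased for comparison.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer\run"
WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
CURVER_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion"
VALUE_RE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)(?:\s+(.*))?$")

def parse_reg_query(text):
    """Turn `reg query` text output into {key_lower: {value_name_lower: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):      # key header lines are not indented
            current = keys.setdefault(line.strip().lower(), {})
        elif current is not None:
            m = VALUE_RE.match(line)              # indented "name  TYPE  data" lines
            if m:
                current[m.group(1).lower()] = (m.group(3) or "").strip()
    return keys

def find_indicators(keys):
    """Return (key, value, data) hits matching the three entries described above."""
    hits = []
    for name, data in keys.get(RUN_KEY, {}).items():
        if "msmsgs.exe" in data.lower():
            hits.append((RUN_KEY, name, data))
    shell = keys.get(WINLOGON_KEY, {}).get("shell", "")
    if "msmsgs.exe" in shell.lower():             # Shell extended beyond explorer.exe
        hits.append((WINLOGON_KEY, "shell", shell))
    if "uuid" in keys.get(CURVER_KEY, {}):
        hits.append((CURVER_KEY, "uuid", keys[CURVER_KEY]["uuid"]))
    return hits

# Constructed sample output (not captured from a real infection).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
    notepad.exe    REG_SZ    msmsgs.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe msmsgs.exe
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
    uuid    REG_SZ    CONSTRUCTED-PLACEHOLDER
"""

if __name__ == "__main__":
    for key, value, data in find_indicators(parse_reg_query(SAMPLE)):
        print(f"{key}\\{value} = {data}")
```

MSMSGS.EXE is also the file name of the legitimate Windows Messenger client, so a hit is a lead to verify against the file on disk and the scanner verdict, not a detection on its own.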
