Troj/Zlobns-AA

Category	Viruses and Spyware
Type	Trojan
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


Affected operating systems	Windows
Characteristics	Installs itself in the registry
Protection available since	22 December 2006 14:05:21 (GMT)
Last updated	11 January 2007 10:10:02 (GMT)
Detected by	All Sophos products

Sophos beta program
Register now for our latest beta tests

Endpoint Security and Control 9.0
Small business solutions 4.0

Action

Summary
Action
More Information

Please follow the instructions for removing Trojans.

More Information

Summary
Action
More Information

Troj/Zlobns-AA is an installer for files belonging to the Zlob family of Trojans. Troj/Zlobns-AA is an installer for files belonging to the Zlob family of Trojans.

Troj/Zlobns-AA masquerades as as application named "VAX Codec".

When run Troj/Zlobns-AA creates the following files:

<Start Menu\Programs>\VAXCodec
<Start Menu\Programs>\VAXCodec\Uninstall.lnk
<Start Menu\Programs>\VAXCodec\VAX Codec Web Site.url
<Program Files>\VAXCodec
<Program Files>\VAXCodec\TRNSCoderV4.ocx
<Program Files>\VAXCodec\uninstall.exe
<System>\shlapimext.dll

The files TRNSCoderV4.ocx and shlapimext.dll are registered as COM objects, creating registry entries under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EEEAE130-AF08-44AA-886F-F764C4987F1C}
HKCR\TypeLib\{DF923391-CA5F-4C7F-AAE2-C83E17F08057}
HKCR\TypeLib\{67F508EC-A0C7-4E9F-8936-A3D0D7B345F3}
HKCR\Interface\{EAC7AB48-1443-421A-A80A-69AE89CC923F}
HKCR\Interface\{D8396421-B1E7-4994-AF27-FAC2EA045D24}
HKCR\Interface\{69B8A579-9873-4F1D-AE61-1063C752FB41}
HKCR\CLSID\{EEEAE130-AF08-44AA-886F-F764C4987F1C}
HKCR\CLSID\{B310DEB1-8DE8-4B34-9E2C-26A1BE935A76}
HKCR\CLSID\{002A911E-05FC-4F89-A490-CB981841AB25}
HKCR\shlapimext.ShlApiMExtObj
HKCR\shlapimext.ShlApiMExtObj.1
HKCR\CODEC.TRNSCoderV4Ctrl.1
HKCR\*\shellex\ContextMenuHandlers\ShlApiMExtObj
HKCR\BprintingHost.Serv\CLSID\{38ca2fcd-7d7e-11db-96a0-00e08161165f}
HKCR\Svshostt.<variable 4>\CLSID
HKCR\Svshost<number>.<variable 4>\CLSID
HKCR\<variable 8>.<variable 4>\CLSID

where <number> is a number (typically 1 or 2 digits) and <variable 4> and <variable 8> are random 4 and 8 character strings respectively, consisting of characters a-z and 0-9, for example:

HKCR\Svshost1.abcd\CLSID
HKCR\1234abcd.abcd\CLSID

Registry entries are created under:

HKLM\SOFTWARE\VAXCodec
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VAXCodec

An uninstall option is provided which can be accessed via the Add or Remove Programs dialog in the Windows Control Panel. The software is listed as "VAXCodec v4.0".

Get reports about the latest virus and spyware threats delivered to your computer

In this section

Troj/Zlobns-AA

Summary

Action

More Information