Sophos

Troj/Zlobns-J

Category
Type
What to do
Prevalence low high

Summary

 
Affected operating systems Windows
Characteristics
  • Drops more malware
Protection available since 13 September 2006 09:26:39 (GMT)
Last updated 6 November 2006 05:49:25 (GMT)
Detected by All Sophos products
Download Free virus scan
Download the Threat Detection Test
  • Free virus, spyware, and adware scan
  • Test your existing anti-virus protection
  • Find threats your anti-virus missed

Action

More Information

Troj/Zlobns-J is an installer for files belonging to the Zlob family of Trojans, including files detected as: Troj/Zlobmi-Gen, Troj/Zlobla-Gen, Troj/Zlobun-Gen and Troj/Zlobie-Gen.

Troj/Zlobns-J claims to be an application named iCODECPACK which can be used to compress/decompress music and multimedia files whilst improving sound quality.

When run Troj/Zlobns-J creates the following files:

<Desktop>\Online Security Guide.url
<Desktop>\Security Troubleshooting.url
<User>\Start Menu\Online Security Guide.url
<User>\Start Menu\Security Troubleshooting.url
<Favorites>\Online Security Test.url
<Program Files>\iCodecPack
<Program Files>\iCodecPack\iesplugin.dll
<Program Files>\iCodecPack\iesuninst.exe
<Program Files>\iCodecPack\isaddon.dll
<Program Files>\iCodecPack\isamini.exe
<Program Files>\iCodecPack\isamonitor.exe
<Program Files>\iCodecPack\isauninst.exe
<Program Files>\iCodecPack\ot.ico
<Program Files>\iCodecPack\pmmon.exe
<Program Files>\iCodecPack\pmsngr.exe
<Program Files>\iCodecPack\pmuninst.exe
<Program Files>\iCodecPack\ts.ico
<Program Files>\iCodecPack\uninst.exe
<System>\oqabf.dll

The following registry entries are created to run isamonitor.exe and pmsngr.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
homepage.monitor.exe
<Program Files>\iCodecPack\isamonitor.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
pmsngr.exe
<Program Files>\iCodecPack\pmsngr.exe

Note: isamonitor.exe and pmsngr.exe run continuously in the background alongside isamini.exe and pmmon.exe and these processes attempt to prevent each other from being terminated.

The files iesplugin.dll, isaddon.dll and oqabf.dll are registered as COM objects, creating registry entries under:

HKCR\CLSID\{4d993022-0899-4599-b4b6-0f887d0802e6}
HKCR\CLSID\{479fd0cf-5be9-4c63-8cda-b6d371c67bd5}
HKCR\CLSID\{202a961f-23ae-42b1-9505-ffe3c818d717}

The following registry entries are created to run code exported by oqabf.dll on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
considerateness
{4d993022-0899-4599-b4b6-0f887d0802e6}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
{4d993022-0899-4599-b4b6-0f887d0802e6}
considerateness

The file iesplugin.dll is registered as a toolbar, creating registry entries under:

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{479FD0CF-5BE9-4C63-8CDA-B6D371C67BD5}
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{479fd0cf-5be9-4c63-8cda-b6d371c67bd5}

The file isaddon.dll is registered as a Browser Helper Object (BHO) for Microsoft Internet Explorer, creating registry entries under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{202a961f-23ae-42b1-9505-ffe3c818d717}

Values are set under the following registry entries, affecting internet security:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range9
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range8
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range7
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range6
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range5
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range4
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range3
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range2
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range15
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range14
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range13
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range12
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range11
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range10
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\zcodec.com
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\gromozon.com
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\zcodec.com
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\gromozon.com
HKCU\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range9
HKCU\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range8
HKCU\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range7
HKCU\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range6
HKCU\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range5
HKCU\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range4
HKCU\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range3
HKCU\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range2
HKCU\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range15
HKCU\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range14
HKCU\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range13
HKCU\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range12
HKCU\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range11
HKCU\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range10
HKCU\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1
HKCU\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range0

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Safety Alerter 2006
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Public Messenger ver 2.03
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Security Add-On
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\iCodecPack
HKCR\VSEnchancer.Chl
HKCR\AVZipEnchancer.Chl

Uninstall entries are added to "Add or Remove Programs" in the Windows Control Panel for: "Safety Alerter 2006", "Public Messenger ver 2.03", "Internet Security Add-On", "Internet Explorer Security Plugin 2006" and "iCodecPack 7.0", however these cannot be relied upon to clean the computer.

RSS|Atom
Get reports about the latest virus and spyware threats delivered to your computer