Sophos

Troj/Zlob-QK


Summary

Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 8 August 2006 09:32:36 (GMT)
Last updated 2 May 2007 08:24:31 (GMT)
Detected by All Sophos products
  • Endpoint Security and Control 9.0
  • Small business solutions 4.0

More Information

Troj/Zlob-QK is a Trojan for the Windows platform.

The Trojan appears to be an installer for a video codec. When run, it attempts to download and install additional components.

Once installed, the Trojan displays popups and messages warning the user of virus infection and adware/spyware presence, and encourages the user to download or buy potentially fraudulent anti-spyware and anti-virus products.

When run, it creates the following files:

<Program Files>\IntCodec\iesplugin.dll
<Program Files>\IntCodec\iesuninst.exe
<Program Files>\IntCodec\isaddon.dll
<Program Files>\IntCodec\isamini.exe
<Program Files>\IntCodec\isamonitor.exe
<Program Files>\IntCodec\isauninst.exe
<Program Files>\IntCodec\pmmon.exe
<Program Files>\IntCodec\pmsngr.exe
<Program Files>\IntCodec\pmuninst.exe
<Program Files>\IntCodec\uninst.exe
<System>\viruxz.dll

These files are detected as Troj/Zlob-QK.

The following files are also created and they can be safely removed:

<Desktop>\Online Security Guide.url
<Desktop>\Security Troubleshooting.url
<User>\Start Menu\Online Security Guide.url
<User>\Start Menu\Security Troubleshooting.url
<Favorites>\Online Security Test.url
<Program Files>\IntCodec\ts.ico
<Program Files>\IntCodec\ot.ico

The following registry entries are set:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
homepage.monitor.exe
<Program Files>\IntCodec\isamonitor.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
pmsngr.exe
<Program Files>\IntCodec\pmsngr.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
bestreak
(874443fe-aa33-4ebf-a6ac-73208787e62d)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
bestreak
(874443fe-aa33-4ebf-a6ac-73208787e62d)

The files iesplugin.dll, isaddon.dll and viruxz.dll are registered as COM objects, creating registry entries under:

HKCR\CLSID\(a2595f37-48d0-46a1-9b51-478591a97764)
HKCR\CLSID\(874443fe-aa33-4ebf-a6ac-73208787e62d)
HKCR\CLSID\(1da7dbe8-c51b-4ae4-bc6e-21863349b0b4)

The file iesplugin.dll is registered as a toolbar, creating registry entries under:

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\(A2595F37-48D0-46A1-9B51-478591A97764)
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\(a2595f37-48d0-46a1-9b51-478591a97764)

The file isaddon.dll is registered as a Browser Helper Object (BHO) for Microsoft Internet Explorer, creating registry entries under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\(1da7dbe8-c51b-4ae4-bc6e-21863349b0b4)

The Trojan changes settings for Microsoft Internet Explorer by modifying values under:

HKCU\Software\Microsoft\Internet Explorer\Main\

The following registry entry is set:

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
(01E04581-4EEE-11D0-BFE9-00AA005B4383)
<BINARY>

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Public Messenger ver 2.03\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Security Add-On\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IntCodec\
HKCU\Software\Internet Security\
HKCR\VSEnchancer.Chl\CLSID\
HKCR\AVZipEnchancer.Chl\CLSID\

The Trojan provides an uninstall option which can be accessed via the Add or Remove Programs dialog in the Windows Control Panel. The software is listed as: "Public Messenger ver 2.03", "Internet Security Add-On", "Internet Explorer Security Plugin 2006" and "IntCodec 6.0".
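The registry artefacts above (the policies\explorer\run values, the ShellServiceObjectDelayLoad and SharedTaskScheduler entries, the BHO and toolbar CLSIDs, and the Uninstall keys) are the persistence points an analyst would look for when triaging a registry export from a suspect machine. The following is an added example, not a Sophos tool or part of this analysis: it parses a Windows .reg export offline and flags entries that match the indicators listed on this page. The indicator values are transcribed from the analysis; the `.reg` text is a constructed sample, and the function and constant names are the example's own. CLSIDs are matched on their GUID text alone so that either brace or parenthesis delimiters match.

```python
"""Offline triage of a Windows registry export (.reg) for the Troj/Zlob-QK
persistence points described in the Sophos analysis.

Added example, not part of the Sophos page. The indicator sets below are
transcribed from the analysis; SAMPLE_EXPORT is a constructed .reg export.
"""

# Indicators transcribed from the analysis, lower-cased for matching.
ZLOB_QK_CLSIDS = {
    "a2595f37-48d0-46a1-9b51-478591a97764",  # iesplugin.dll (toolbar)
    "874443fe-aa33-4ebf-a6ac-73208787e62d",  # "bestreak" SSODL / SharedTaskScheduler
    "1da7dbe8-c51b-4ae4-bc6e-21863349b0b4",  # isaddon.dll (BHO)
}
ZLOB_QK_RUN_VALUES = {"homepage.monitor.exe", "pmsngr.exe"}
ZLOB_QK_UNINSTALL_NAMES = {
    "public messenger ver 2.03", "internet security add-on",
    "internet explorer security plugin 2006", "intcodec",
}
# Auto-start extensibility points the Trojan writes to (key path suffixes).
ASEP_SUFFIXES = (
    r"\currentversion\policies\explorer\run",
    r"\currentversion\shellserviceobjectdelayload",
    r"\currentversion\explorer\sharedtaskscheduler",
)


def parse_reg_export(text):
    """Parse REGEDIT4 / 'Windows Registry Editor Version 5.00' text into
    {key_path: {value_name: data}}. String values are unescaped; other
    value types are kept as their raw right-hand side."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace("\\\\", "\\")  # .reg escapes backslashes
        keys[current][name] = data
    return keys


def find_zlob_qk_indicators(keys):
    """Return (key_path, value_name, reason) for every entry matching an
    indicator from the analysis. value_name is None for key-level hits."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if any(c in k for c in ZLOB_QK_CLSIDS):
            findings.append((key, None, "Zlob-QK CLSID in key path"))
        if k.endswith(ASEP_SUFFIXES):
            for name, data in values.items():
                n, d = name.lower(), str(data).lower()
                if (n in ZLOB_QK_RUN_VALUES or "\\intcodec\\" in d
                        or any(c in n or c in d for c in ZLOB_QK_CLSIDS)):
                    findings.append((key, name, "Zlob-QK auto-start entry"))
        if ("\\currentversion\\uninstall\\" in k
                and k.rsplit("\\", 1)[-1] in ZLOB_QK_UNINSTALL_NAMES):
            findings.append((key, None, "Zlob-QK uninstall entry"))
    return findings


# Constructed sample export: three infected entries and two benign decoys.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"homepage.monitor.exe"="C:\\Program Files\\IntCodec\\isamonitor.exe"
"pmsngr.exe"="C:\\Program Files\\IntCodec\\pmsngr.exe"
"updater"="C:\\Tools\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"BenignEntry"="{11111111-2222-3333-4444-555555555555}"
"bestreak"="{874443fe-aa33-4ebf-a6ac-73208787e62d}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1da7dbe8-c51b-4ae4-bc6e-21863349b0b4}]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IntCodec]
"DisplayName"="IntCodec 6.0"
"UninstallString"="C:\\Program Files\\IntCodec\\uninst.exe"
'''


def triage(reg_text):
    """Convenience wrapper: parse an export and return its findings."""
    return find_zlob_qk_indicators(parse_reg_export(reg_text))


if __name__ == "__main__":
    for key, name, reason in triage(SAMPLE_EXPORT):
        print(f"{reason}: {key}" + (f" -> {name}" if name else ""))
```

Run against a real export (`reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion out.reg` produces UTF-16 text, so decode before passing it in), the benign entries in the same keys are left alone and only the Zlob-QK values, the BHO CLSID key and the Uninstall entry are reported, which is what makes the result usable as a clean-up worklist rather than a dump of the whole key.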
