The Zlob Trojan, identified by some antiviruses as Trojan.Zlob, is a Trojan horse which masquerades as a needed video codec in the form of ActiveX. It was first detected in late 2005, but only started gaining attention in mid-2006.
Once installed, it displays popup ads with which appear similar to real Microsoft Windows warning popups, informing the user that their computer is infected with spyware. Clicking these popups triggers the download of a fake anti-spyware program (such as Virus Heat and MS Antivirus (Antivirus 2009)) in which the Trojan horse is hidden.
The Trojan has also been linked to downloading atnvrsinstall.exe which uses the Windows Security shield icon to look as if it is an anti-virus installation file from Microsoft. Having this file initiated can wreak havoc on computers and networks. One typical symptom is random computer shutdowns or reboots with random comments. This is caused by the programs using Task Scheduler to run a file called "zlberfker.exe."
Project Honeypot Spam Domains List (PHSDL) tracks and catalogs Zlob spam domains. Some of the domains on the list are redirects to porn sites and various video watching sites that show a number of inline videos. Playing the video activates a request to download an ActiveX codec which is malware. It prevents the user from closing the browser in the usual manner. Other variants of Zlob Trojan installation come in the form of a Java cab file masquerading as a computer scan.
RSPlug, DNSChanger, and other variants
The group that created Zlob has also created a Mac Trojan with similar behaviors (named RSPlug). Some variants of the Zlob family, like the so-called "DNSChanger", add rogue DNS name servers to the registry of Windows-based computers and attempt to hack into any detected router to change the DNS settings, potentially re-routing traffic from legitimate web sites to other suspicious web sites. DNSChanger in particular gained significant attention when the U.S. FBI announced it had shut down the source of the malware in late-November 2011. However, as there were millions of infected computers which would lose access to the internet if the malware group's servers were shutdown, the FBI opted to convert the servers into legitimate DNS servers. Due to cost concerns, however, these servers are set to shut down on the morning of 9 July 2012, which could cause thousands of still-infected computers to lose internet access.
- "The ZLOB Show: Trojan Poses as Fake Video Codec, Loads More Threats". Trend Micro. Retrieved 2007-11-26.
- PHSDL - Project Honeypot Spam Domains List
- PHSDL Zlob Trojan Forum Spam Hijacking Attempt Documentation
- Tung, Liam (2007-11-08). "Multiplying Mac Trojan not epidemic yet". CNET News. Retrieved 2007-11-26.
- Podrezov, Alexey (2005-11-07). "F-Secure Virus Descriptions: DNSChanger". F-Secure Corporation. Retrieved 2007-11-26.
- Vincentas (9 July 2013). "Zlob Trojan in SpyWareLoop.com". Spyware Loop. Retrieved 28 July 2013.
- "International Cyber Ring That Infected Millions of Computers Dismantled". U.S. FBI. 9 November 2011. Retrieved 6 June 2012.
- Kerr, Dara (5 June 2012). "Facebook warns users of the end of the Internet via DNSChanger". CNET. Retrieved 6 June 2012.
- Zlob trojan description and removal instructions
- List of ActiveX Zlob Trojan fake codecs and other misleading Zlob-installers
- Listing of 113 fake codec domains
- Flash's Security Blog, a blog listing fake codecs and rogue security software.
- S!Ri.URZ, SmitfraudFix.
- Zlob/VideoAccess/Trojan.Win32.DNSChanger - malekal.com (fr)
Anti Zlob Malware Forums