Trojan.Zlob is a back door Trojan that allows the remote attacker to perform various malicious actions on the compromised computer.
When Trojan.Zlob is executed, it performs the following actions:
Copies itself as one of the following files:
%System%\msmsgs.exe
%System%\ld100.tmp
%System%\regperf.exe
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Adds the following value:
"Shell" = "Explorer.exe, msmsgs.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
so that the Trojan runs every time Windows starts.
Creates the following value:
"MSN Messenger" = "%System%\msmsgs.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
so that the Trojan runs every time Windows starts.
Adds the following value:
"uuid" = "86c29b2f-3389-418b-9b47-c2b09b6abc07"
to the registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
Adds one of the following values:
"wininet.dll" = "regperf.exe"
"notepad.exe" = "msmsgs.exe"
to the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
so that the Trojan runs when Windows starts or the user logs on.
Injects itself into the explorer.exe process.
Attempts to make HTTP connections to the following domains using different URLs, which allow the Trojan to ping, report it's status, and execute remote files:
vnp7s.net
zxserv0.com
dumpserv.com
Removal:
Run a full system scan.
If any files are detected as infected with Trojan.Zlob, click Delete.
Warning messages may be displayed when the computer is restarted, as the threat has not been fully removed at this point. Please ignore these messages and just click OK. These messages will not appear when the computer is restarted after the removal instructions have been fully completed. The messages displayed may be similar to the following:
Title: [File path]
Message body: Windows cannot find [file name]. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.
To delete the value from the registry
Make a backup of the registry then follow the steps:
Click Start > Run.
Type regedit
Click OK.
Navigate to the following subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
In the right pane, delete the value:
"Shell" = "Explorer.exe, msmsgs.exe"
Navigate to the following subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete the value:
"MSN Messenger" = "%System%\msmsgs.exe"
Navigate to the following subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
In the right pane, delete the value:
"uuid" = "[random characters]"
Navigate to the following subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\explorer\Run
In the right pane, delete the value:
"notepad.exe" = "msmsgs.exe"
Exit the Registry Editor.
.:: Malicious Brains ::.
http://maliciousbrains.blogspot.com/
|
Forum FAQ
Search
Usergroups
Profile
Login to check your private messages
Login
