Trojan.Zlob.CKZ

( Trojan-Downloader.Win32.Zlob.nwr Win32/TrojanDownloader.Zlob.BYT TR/Dldr.Zlob.nwr )
Spreading: medium
Damage: very low
Size: 20992
Discovered: 2008 May 28

SYMPTOMS:

Presence of the following directories:

%ProgramFilesDir%\VirusHeat 4.4\
%ProgramFilesDir%\NetProject\

TECHNICAL DESCRIPTION:

At execution the trojan access the following webpage:
http://69.50.164.54/this/[removed]/stereo/music.php,
using "internetsecurity" as UserAgent.
Then downloads and executes the file:
http://dl1.virusheat.com/downloads/[removed]/vrh_setup.exe
which installs a rogue antivirus and display fake security alerts or notifications 
to trick user to buy the paid version of VirusHeat

Removal instructions:

Please let BitDefender disinfect your files.

ANALYZED BY:

Sorin Ciorceri, virus researcher