Dropped: Trojan.Zlob.CND
MEDIUM
LOW
Size: 40 to 43 KB, or 104.5 KB
Aliases: Trojan.Win32.BHO.eeg, Trojan-Dropper.Win32.Delf.aho, Trojan.Zlob, TROJ_ZLOB.CCF, Trojan:Win32/Delflob.I
Symptoms
You can recognize this malware by the presence of the following registry keys:
1) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2FF811E6-8925-4084-A649-C159955E67E8}
2) HKCU\Software\Microsoft\Bind = <7_digit_number>
Removal instructions:
Please let BitDefender delete your infected files.
Analyzed By
Boeriu Laura, virus researcher
Technical Description:
The actions performed by this malware are:
* It downloads a file from http://hotvid55.com/[removed].php?id=[7_digit_number].
* It sets the key HKCU\Software\Microsoft\Bind = <7_digit_number> (the same 7-digit number as in the download link).
* It drops a malware .dll file in the system directory (c:\windows\system32 or c:\winnt\system32, depending on the operating system). BitDefender detects the dropped file as Trojan.Zlob.CND.
* The .dll is registered as a Browser Helper Object, creating the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2FF811E6-8925-4084-A649-C159955E67E8}, which ensures that it is started automatically. Some of the names used for this BHO are: dadef.dll, conio.dll, dapol.dll, nada64.dll, opus64.dll, ...
* The .dll is registered as a service by means of regsvr32.exe, in silent mode.
* It also changes the security settings of Internet Explorer by modifying some subkeys of the HKU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap key.
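As an added example (not part of this BitDefender description), the following Python check parses an offline .reg export and reports which of the indicators listed above are present. It assumes that "HCU" means HKEY_CURRENT_USER and that the Bind number is stored either as a value under HKCU\Software\Microsoft or as the default value of a Bind subkey, since the description does not say which; the sample export is constructed, not taken from a real machine.

```python
import re

# Indicators taken from the description above; the detector itself is a constructed example.
BHO_CLSID = "{2FF811E6-8925-4084-A649-C159955E67E8}"
BHO_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
BIND_PARENT = r"HKEY_CURRENT_USER\Software\Microsoft"  # description writes "HCU"; HKCU assumed
KNOWN_DLLS = {"dadef.dll", "conio.dll", "dapol.dll", "nada64.dll", "opus64.dll"}
SEVEN_DIGITS = re.compile(r"^\d{7}$")


def parse_reg_export(text):
    """Minimal .reg parser: {key_path: {value_name: data}}, string data only."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and (line.startswith('"') or line.startswith("@=")):
            name, _, data = line.partition("=")
            # .reg files double every backslash inside string data; undo that.
            keys[current][name.strip('"')] = data.strip().strip('"').replace("\\\\", "\\")
    return keys


def find_indicators(reg_text):
    """Return the indicators from the description that are present in a .reg export."""
    keys = parse_reg_export(reg_text)
    found = []
    if f"{BHO_ROOT}\\{BHO_CLSID}" in keys:
        found.append("bho_clsid_registered")
    # Bind may be a value under HKCU\Software\Microsoft or a subkey's default value; check both.
    bind = keys.get(BIND_PARENT, {}).get("Bind") or keys.get(f"{BIND_PARENT}\\Bind", {}).get("@")
    if bind and SEVEN_DIGITS.match(bind):
        found.append("bind_id:" + bind)
    for values in keys.values():
        for data in values.values():
            name = data.lower().rsplit("\\", 1)[-1]
            if name in KNOWN_DLLS and "system32" in data.lower():
                found.append("dropped_dll:" + name)
    return sorted(set(found))


# Constructed sample export (not from a real machine) that trips every check above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2FF811E6-8925-4084-A649-C159955E67E8}]
@=""
[HKEY_CURRENT_USER\Software\Microsoft]
"Bind"="1234567"
[HKEY_CLASSES_ROOT\CLSID\{2FF811E6-8925-4084-A649-C159955E67E8}\InprocServer32]
@="C:\\WINDOWS\\system32\\dadef.dll"
"""
```

Calling `find_indicators(SAMPLE_REG)` returns all three indicator tags; an export that only contains a Bind value of the wrong length returns an empty list.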