Dropped: Trojan.Zlob.CND (aliases: Trojan.Win32.BHO.eeg, Trojan-Dropper.Win32.Delf.aho, Trojan.Zlob, TROJ_ZLOB.CCF, Trojan:Win32/Delflob.I)

SYMPTOMS:
You can recognize this malware by the presence of the following registry keys and values:
1) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2FF811E6-8925-4084-A649-C159955E67E8}
2) HKCU\Software\Microsoft\Bind = <7_digit_number>

TECHNICAL DESCRIPTION:
The actions performed by this malware are:
* It downloads a file from http://hotvid55.com/[removed].php?id=[7_digit_number].
* It sets the value HKCU\Software\Microsoft\Bind = <7_digit_number> (the same 7-digit number used as the id in the download link), so the value doubles as an infection marker and a per-victim identifier.
* It drops a malicious .dll into the system directory (c:\windows\system32 or c:\winnt\system32, depending on the operating system). BitDefender detects the dropped file as Trojan.Zlob.CND.
* The .dll is registered as a Browser Helper Object by creating the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2FF811E6-8925-4084-A649-C159955E67E8}. Because Internet Explorer (and, on older Windows versions, Windows Explorer) loads every registered BHO at start-up, this gives the .dll autostart capabilities without a Run key or a service. Some of the file names used for this BHO are: dadef.dll, conio.dll, dapol.dll, nada64.dll, opus64.dll, ... (the list is not exhaustive).
* The .dll is registered by running regsvr32.exe in silent mode (/s). Note that regsvr32 registers a COM server, not a Windows service: it calls the DLL's DllRegisterServer export, which writes the HKCR\CLSID\{2FF811E6-8925-4084-A649-C159955E67E8} entries that map the CLSID above to the dropped file.
* It also lowers the security settings of Internet Explorer by modifying subkeys of HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap. Entries under the Domains and Ranges subkeys assign hosts to IE security zones; placing a host in the Local intranet or Trusted sites zone makes IE apply weaker restrictions to content from that host.

Removal instructions:
Please let BitDefender delete your infected files.

ANALYZED BY: Boeriu Laura, virus researcher
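The following triage script, added here as an example and not part of the BitDefender write-up, checks a machine for the indicators listed above and reports what it finds without deleting anything (removal is left to the scanner, as the write-up advises). It assumes that HKCU is the per-user hive meant by the write-up, that the CLSID can be resolved to its DLL through the standard HKCR\CLSID\...\InprocServer32 lookup Windows uses for any in-process COM server, and that on 64-bit Windows the 32-bit registry view (Wow6432Node) and SysWOW64 should be checked as well; none of these details are stated in the original text.

```powershell
# Added triage script for the Trojan.Zlob.CND indicators (example code, not
# BitDefender's). Report-only: it deletes nothing. Run from an elevated prompt.
# Assumptions not stated in the write-up: HKCU is the per-user hive meant;
# CLSID -> DLL is resolved via HKCR\CLSID\...\InprocServer32 (standard COM
# lookup); Wow6432Node and SysWOW64 are checked on 64-bit Windows.

$Clsid     = '{2FF811E6-8925-4084-A649-C159955E67E8}'
$KnownDlls = 'dadef.dll','conio.dll','dapol.dll','nada64.dll','opus64.dll'  # names from the write-up; not exhaustive
$findings  = New-Object System.Collections.Generic.List[string]

# 1) BHO registration under HKLM (native and 32-bit views). A BHO is loaded
#    into every Internet Explorer process at start, which is the autostart.
$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
foreach ($root in $bhoRoots) {
    if (Test-Path (Join-Path $root $Clsid)) { $findings.Add("BHO registered: $root\$Clsid") }
}

# 2) Resolve the CLSID to the DLL that regsvr32 /s registered, and hash it.
$clsidKeys = @(
    "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32",
    "Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\$Clsid\InprocServer32"
)
foreach ($k in $clsidKeys) {
    if (-not (Test-Path $k)) { continue }
    $dll = (Get-ItemProperty -Path $k).'(default)'
    $findings.Add("CLSID $Clsid -> $dll")
    if ($dll -and (Test-Path $dll)) {
        $h = (Get-FileHash -Path $dll -Algorithm SHA256).Hash   # Get-FileHash needs PowerShell 4+
        $findings.Add("  DLL on disk, SHA256 $h")
    }
}

# 3) Per-user marker: Bind = <7-digit number>, the same id used in the download URL.
$bind = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft' -Name Bind -ErrorAction SilentlyContinue).Bind
if ($null -ne $bind) {
    $note = if ("$bind" -match '^\d{7}$') { ' (7-digit id, as described)' } else { '' }
    $findings.Add("HKCU\Software\Microsoft\Bind = $bind$note")
}

# 4) Known file names in the system directory. Weak evidence on its own (the
#    names rotate); the CLSID resolution above is the stronger indicator.
$dirs = @([Environment]::SystemDirectory)   # system32 under the actual Windows directory
if (Test-Path "$env:windir\SysWOW64") { $dirs += "$env:windir\SysWOW64" }
foreach ($d in $dirs) {
    foreach ($n in $KnownDlls) {
        $p = Join-Path $d $n
        if (Test-Path $p) { $findings.Add("Known dropper file name present: $p") }
    }
}

# 5) IE ZoneMap: each subkey of Domains/Ranges maps a host or IP range to a zone.
#    Zone 1 (Local intranet) or 2 (Trusted sites) lowers security for that host.
#    Legitimate admin-added entries live here too, so review rather than auto-remove.
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
foreach ($sub in 'Domains','Ranges','EscDomains','EscRanges') {
    $k = Join-Path $zoneMap $sub
    if (-not (Test-Path $k)) { continue }
    foreach ($entry in Get-ChildItem -Path $k -Recurse) {
        $props = Get-ItemProperty -Path $entry.PSPath
        $vals = foreach ($pr in $props.PSObject.Properties) {
            if ($pr.Name -like 'PS*') { continue }                 # skip provider metadata
            if ($pr.Name -eq ':Range') { ":Range=$($pr.Value)" }   # IP range spec in Ranges\RangeN
            elseif ($pr.Value -in 1,2) { "$($pr.Name)=zone $($pr.Value) (lowered security)" }
            else { "$($pr.Name)=zone $($pr.Value)" }
        }
        $shortName = $entry.Name.Substring($entry.Name.IndexOf('ZoneMap'))
        $findings.Add("$shortName [$($vals -join ', ')]")
    }
}

if ($findings.Count -eq 0) { 'No Trojan.Zlob.CND indicators found.' } else { $findings }
```

The CLSID-to-DLL step is the part worth keeping even when the file names change: whatever the dropped .dll is called, the BHO key can only load it through the CLSID's InprocServer32 path, so that lookup, plus the hash, gives you the sample to submit and the path to verify after the scanner has cleaned up. The ZoneMap listing is deliberately noisy; compare it against a known-good machine in the same environment before concluding an entry is malicious.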