40 to 43 KB, or 104,5 KB
(Trojan.Win32.BHO.eeg, Trojan-Dropper.Win32.Delf.aho, Trojan.Zlob, TROJ_ZLOB.CCF, Trojan:Win32/Delflob.I)


You can recognize this malware by the presence of the registry keys:
1) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
2) HCU\Software\Microsoft\Bind = <7_digit_number>

Removal instructions:

Please let BitDefender delete your infected files.

Analyzed By

Boeriu Laura, virus researcher

Technical Description:

The actions performed by this malware are:
* downloads a file from the following location: [removed].php?id=[7_digit_number],
* sets the key HCU\Software\Microsoft\Bind = <7_digit_number> (the same 7 digit number as in the download link), and
* drops a malware .dll file in the system directory (c:\windows\system32 or c:\winnt\system32, depending on the operating system). BitDefender detects the dropped file as Trojan.Zlob.CND.
* This .dll will be registered as a browser helper object, creating the registry key
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
  and in this way will ensure autostart capabilities.
  Some of the names used for this BHO are: dadef.dll, conio.dll, dapol.dll, nada64.dll, opus64.dll, ...
* The .dll will be registered as a service, by means of regsvr32.exe, in silent mode.
* Also, it changes the security settings of Internet Explorer by modifying some subkeys of the
  HKU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap key.
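
One way to check an offline registry export for the two registry indicators listed above, as an added example that is not BitDefender's code. It assumes the page's "HCU" refers to a user hive (HKEY_CURRENT_USER or a HKEY_USERS subtree) and that Bind is a value under Software\Microsoft; the sample export, CLSID and number are constructed.

```python
import re

# DLL names the write-up lists for the BHO; its list ends with "...", so it is partial.
KNOWN_DLLS = {"dadef.dll", "conio.dll", "dapol.dll", "nada64.dll", "opus64.dll"}
BHO_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects"
USER_HIVES = ("hkey_current_user\\", "hkey_users\\")  # assumption: "HCU" means a user hive

# Constructed sample export (placeholder CLSID and number), not data from a real infection.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft]
"Bind"="1234567"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000001}]
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\WINDOWS\\system32\\dadef.dll"
'''

def parse_reg(text):
    """Parse .reg export text into {lowercased key path: {value name: raw data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            current[name.strip('"').lower()] = data
    return keys

def as_number(data):
    """Decimal text of a REG_DWORD or an all-digit REG_SZ, else ''."""
    text = str(int(data[6:], 16)) if data.startswith("dword:") else data.strip('"')
    return text if text.isdigit() else ""

def find_indicators(text):
    """Return ("bind", number) and ("bho", clsid, dll) hits found in the export."""
    keys, hits = parse_reg(text), []
    for path, values in keys.items():
        # Bind = <7_digit_number> directly under Software\Microsoft in a user hive.
        if path.startswith(USER_HIVES) and path.endswith(r"\software\microsoft") and "bind" in values:
            if len(as_number(values["bind"])) == 7:
                hits.append(("bind", as_number(values["bind"])))
        # A registered BHO whose in-process COM server DLL has one of the listed names.
        if path.startswith(BHO_KEY + "\\"):
            clsid = path.rsplit("\\", 1)[1]
            for cpath, cvalues in keys.items():
                if cpath.endswith("\\clsid\\" + clsid + "\\inprocserver32"):
                    dll = re.split(r"[\\/]+", cvalues.get("@", "").strip('"'))[-1].lower()
                    if dll in KNOWN_DLLS:
                        hits.append(("bho", clsid, dll))
    return hits
```

Version 5.00 .reg files are written as UTF-16, so decode the file before passing its text to `find_indicators`. A DLL-name hit is a lead to confirm against the file itself, since the name list on this page is partial.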