TROJ_ZLOB.BVP
Windows 2000, Windows XP, Windows Server 2003

Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Trojan may arrive bundled with malware packages as a malware component. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
File Size: 1,214,464 bytes
File Type: EXE
Yes
30 Jun 2007
Arrival Details
This Trojan may arrive bundled with malware packages as a malware component.
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan drops the following component file(s):
- {malware path}\pmmnt.exe
- {malware path}\issearch.exe
- %System%\{random file name}.dll
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)
Autostart Technique
This Trojan adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
rare = "{malware path}\{malware file name}.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
issearch = "{malware path}\issearch.exe"
It adds the following registry keys to install itself as a Browser Helper Object (BHO):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{Random CLSID}
Other System Modifications
This Trojan adds the following registry entries as part of its installation routine:
HKEY_CLASSES_ROOT\CLSID\{Random CLSID}
(Default) = "%System%\{random file name}.dll"
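A defender-side audit of the two persistence locations this entry lists (the Policies\Explorer\Run values and the Browser Helper Object registration resolved through HKCR\CLSID), written as an added PowerShell example; it is not part of the Trend Micro entry. The value names, file names and key paths come from the entry; the "unsigned DLL in %System%" heuristic and the function name are my own assumptions.

```powershell
# Added example, not from the Trend Micro entry. Value names, file names and key
# paths are taken from the entry; the signature heuristic is an assumption.
function Get-ZlobPersistence {
    $suspectValueNames = @('rare', 'issearch')
    $suspectFileNames  = @('pmmnt.exe', 'issearch.exe')

    # 1. Policies\Explorer\Run is a Run-style autostart that is audited less
    #    often than HKLM\...\CurrentVersion\Run.
    $policyRun = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    if (Test-Path $policyRun) {
        foreach ($p in (Get-ItemProperty -Path $policyRun).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }        # skip provider metadata
            $target = "$($p.Value)" -replace '"', ''
            $leaf = if ($target) { Split-Path $target -Leaf } else { '' }
            $flag = ($suspectValueNames -contains $p.Name) -or ($suspectFileNames -contains $leaf)
            [pscustomobject]@{ Location = 'Policies\Explorer\Run'; Name = $p.Name
                               Target = $target; Suspicious = $flag }
        }
    }

    # 2. Each BHO is a CLSID; the entry records the DLL in the CLSID key's
    #    (Default) value, while most legitimate BHOs use InprocServer32. Check both.
    $bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path $bhoRoot) {
        foreach ($k in Get-ChildItem -Path $bhoRoot) {
            $clsid = $k.PSChildName
            $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
            $dll = $null
            if (Test-Path $clsidKey) {
                $dll = (Get-ItemProperty -Path $clsidKey).'(default)'
                $inproc = "$clsidKey\InprocServer32"
                if (-not $dll -and (Test-Path $inproc)) {
                    $dll = (Get-ItemProperty -Path $inproc).'(default)'
                }
            }
            $dllPath = "$dll" -replace '"', ''
            # Heuristic (assumption): an unsigned DLL dropped straight into %System%
            # under a random name matches the component this entry describes.
            $inSystem = $dllPath -like "$env:SystemRoot\System32\*"
            $signed = $false
            if ($dllPath -and (Test-Path $dllPath)) {
                $signed = (Get-AuthenticodeSignature -FilePath $dllPath).Status -eq 'Valid'
            }
            [pscustomobject]@{ Location = 'BHO'; Name = $clsid
                               Target = $dllPath; Suspicious = ($inSystem -and -not $signed) }
        }
    }
}

Get-ZlobPersistence | Format-Table -AutoSize
```

Run it from an elevated prompt so HKLM and the DLL paths are readable; a `Suspicious` row is a lead to triage, not a verdict, since the random file name and CLSID cannot be matched literally.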
NOTES:
Once successfully installed on the system, it may connect to the following websites to download other possibly malicious files:
- http://www.{BLOCKED}omepages.com
- http://www.{BLOCKED}safetytool.com
- http://www.{BLOCKED}datepage.com
As a result, routines of the downloaded files may also be exhibited on the affected system.