Malware type: Trojan

Aliases: Trojan-Downloader.Win32.Zlob.btc (Kaspersky), TR/Zlob.CA.34 (Avira), Mal/Zlob-A (Sophos),

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Description: 

To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.

Malware Overview

This memory-resident Trojan may be dropped or downloaded from remote sites by other malware. It may also be downloaded unknowingly by a user when visiting malicious web sites.

When executed, it drops a copy of itself in the current ucer's Temp folder. It stays resident in the affected system's memory by injecting its code in a certain process.

This Trojan attempts to reconfigure different routers. It does this by sending requests to the local Web page for various setup wizards bundled with the said routers. It then attempts to identify the password needed to administer the router by using a ready list of user name-password combinations.

Once it successfully performs this routine, This Trojan changes the system's domain name system (DNS) records. This enables remote malicious users to have access to system processes as all transactions pass through their networks first.

It modifies DNS settings by either HTTP POST or GET depending on the router.

It also connects to a certain IP address. As of this writing, however, the said address in inaccessible.

For additional information about this threat, see:
Solution
Technical Details

Description created: Jun. 12, 2008 7:56:54 PM GMT -0800

Search a new malware

Tell us how we did. Take our quick survey.