Saturday, 07 January 2006 |
Trojan.Zlob.H is a Trojan horse that may download and execute remote files and redirect the Internet Explorer home page and search page.
Type: Trojan Horse
Infection Length: 15,756 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Damage
Payload Trigger: n/a
Payload: May download and execute files.
Large scale e-mailing: n/a
Deletes files: n/a
Modifies files: n/a
Degrades performance: Redirects the Internet Explorer home page and search pages to a potentially malicious Web site.
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: n/a
Distribution
Subject of email: n/a
Name of attachment: n/a
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: n/a
Shared drives: n/a
Target of infection: Internet Explorer home page and search pages.
When Trojan.Zlob.H executes, it performs the following actions:
Drops the following files:
%System%\compat.tlb
%System%\msvol.tlb
%System%\hp[RANDOM CHARACTERS].tmp
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Adds the value:
"nvctrl.exe" = "nvctrl.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
so that it runs every time Windows starts.
Deletes all subkeys under the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta
Creates the registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{27150F81-0877-42E9-AF13-55E5A3439A26}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27150F81-0877-42E9-AF13-55E5A3439A26}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta\{27150F81-0877-42E9-AF13-55E5A3439A26}
Adds an encryption key under the following locations, which it may use to encrypt data associated with the Trojan itself or any data it gathers from the compromised computer:
%UserProfile%\Application Data\Microsoft\Crypto\RSA
%UserProfile%\Application Data\Microsoft\Protect
Note: %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
Redirects the Internet Explorer home page to the following URL regardless of the registry settings:
www.securitycaution.com/[REMOVED]
Redirects all Internet Explorer address bar searches and page not found errors to the following URLs regardless of the registry settings:
www.securitycaution.com/[REMOVED]/search.php
www.dns404.net/[REMOVED]
May also attempt to download and execute remote files.
To delete the value from the registry:
Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
In the right pane, delete the value:
"nvctrl.exe" = "nvctrl.exe"
Navigate to and delete the following subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{724510C3-F3C8-4FB7-879A-D99F29008A2F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{724510C3-F3C8-4FB7-879A-D99F29008A2F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta\{724510C3-F3C8-4FB7-879A-D99F29008A2F}
Exit the Registry Editor.
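The following PowerShell script is an added example, not part of the original writeup and not a vendor removal tool. It turns the indicators above (the nvctrl.exe autostart value under Policies\Explorer\Run, the BHO CLSID subkeys, the dropped %System% files, and the redirect domains) into a report-only sweep, with an optional -Remove switch that performs the registry deletions the removal steps describe. It assumes a current Windows host with PowerShell 3.0 or later and an elevated prompt; it checks both CLSIDs that appear on this page, since the creation section and the removal section list different ones. Because the writeup says the redirect happens regardless of the registry settings, a clean-looking Start Page value does not rule out infection; the BHO and file checks carry more weight.

```powershell
# Added example (not from the original advisory): detection and optional
# cleanup of the Trojan.Zlob.H artifacts listed in the writeup.
# Run from an elevated PowerShell prompt; without -Remove it only reports.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove
)

$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
$runName = 'nvctrl.exe'
# Both CLSIDs named on the page: the first from the "Creates" section,
# the second from the removal instructions.
$clsids  = @('{27150F81-0877-42E9-AF13-55E5A3439A26}',
             '{724510C3-F3C8-4FB7-879A-D99F29008A2F}')
$bhoRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta'  # spelling as listed in the writeup
)
$system = [Environment]::GetFolderPath('System')   # resolves %System% on this host
$droppedFiles = @("$system\compat.tlb", "$system\msvol.tlb")

$findings = @()

# 1. Policies\Explorer\Run is a less-watched autostart location than the
#    usual Run key; the value name and its data are both "nvctrl.exe".
$props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($props -and $props.PSObject.Properties[$runName]) {
    $findings += "Autostart value '$runName' = '$($props.$runName)' under $runKey"
    if ($Remove -and $PSCmdlet.ShouldProcess($runKey, "Remove value $runName")) {
        Remove-ItemProperty -Path $runKey -Name $runName
    }
}

# 2. BHO registration: the CLSID under Classes plus the two Browser Helper
#    Object subkeys. Deleting these is exactly what the removal steps do.
foreach ($root in $bhoRoots) {
    foreach ($clsid in $clsids) {
        $key = Join-Path $root $clsid
        if (Test-Path -LiteralPath $key) {
            $findings += "BHO subkey present: $key"
            if ($Remove -and $PSCmdlet.ShouldProcess($key, 'Remove subkey')) {
                Remove-Item -LiteralPath $key -Recurse
            }
        }
    }
}

# 3. Dropped files, including the hp[RANDOM CHARACTERS].tmp pattern.
$present = @($droppedFiles | Where-Object { Test-Path -LiteralPath $_ })
$present += @(Get-ChildItem -Path $system -Filter 'hp*.tmp' -File -ErrorAction SilentlyContinue |
              Select-Object -ExpandProperty FullName)
foreach ($f in $present) { $findings += "Dropped file present: $f" }

# 4. The BHO bypasses the IE start/search settings, so these values may look
#    normal on an infected host; still flag them if they name the redirect domains.
$ieMain = Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
foreach ($name in 'Start Page', 'Search Page') {
    $v = $ieMain.$name
    if ($v -and $v -match 'securitycaution\.com|dns404\.net') {
        $findings += "IE '$name' points to $v"
    }
}

if ($findings.Count -eq 0) {
    'No Trojan.Zlob.H indicators found.'
} else {
    $findings
    if (-not $Remove) { 'Re-run with -Remove (add -WhatIf to preview) to delete the registry artifacts.' }
}
```

Run it once without switches to see the report, then with -Remove -WhatIf to preview the deletions before committing them. The script deletes only registry artifacts; the dropped files are reported rather than removed, because the .tmp file name is random and the two .tlb names are generic enough that a file-by-name deletion should be confirmed by hand or by an AV scan first.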