
The Zlob Trojan obtains data through deceptive windows

The Zlob.N Trojan attempts to infect computers through deceptive windows or error messages. If it reaches its destination, it will download malicious files from the Internet.

Unlike malicious programs that hide themselves and work in the background, the Zlob.N Trojan performs a number of actions on affected computers that can reveal the presence of malware. The Trojan displays deceptive windows and error messages that try to convince the user that the virus protection on their computer is inadequate or that their PC is infected with spyware. If the user clicks the buttons in these windows, Zlob starts downloading malicious files from the Internet.

Zlob.N also installs a new toolbar for Internet Explorer.

When the Zlob.N Trojan starts, it performs the following actions:

1. Creates the following files:
%CurrentFolder%\smmain.exe
%CurrentFolder%\smmon.exe
%CurrentFolder%\splug.dll
%CurrentFolder%\spunst.exe
%CurrentFolder%\smunst.exe

2. Adds the following entries to the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run "rare" = "%CurrentFolder%\smmain.exe"
HKEY_CURRENT_USER\Software\Protection Tools "65005" = "1"
HKEY_CLASSES_ROOT\CLSID\{F0993251-2512-4710-AF6E-0A13EA199D02}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{F0993251-2512-4710-AF6E-0A13EA199D02}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F0993251-2512-4710-AF6E-0A13EA199D02}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{F0993251-2512-4710-AF6E-0A13EA199D02}

3. Displays the following windows or error messages:

[Screenshots of the deceptive windows displayed by the Zlob Trojan]
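The registry indicators listed in step 2 can be checked offline against the text of a `reg export` dump. The following is an added example, not part of the original article; the function name, the sample export and the decision to accept the CLSID as either a subkey or a value name are assumptions.

```python
import re

# Indicators from the list above, lower-cased for case-insensitive matching.
CLSID = "{f0993251-2512-4710-af6e-0a13ea199d02}"
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer\run"
MARKER_KEY = r"hkey_current_user\software\protection tools"
CLSID_PARENTS = {
    r"hkey_classes_root\clsid",
    r"hkey_local_machine\software\microsoft\internet explorer\toolbar",
    r"hkey_current_user\software\microsoft\windows\currentversion\ext\stats",
    r"hkey_current_user\software\microsoft\internet explorer\toolbar\webbrowser",
}
DROPPED = {"smmain.exe", "smmon.exe", "splug.dll", "spunst.exe", "smunst.exe"}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def scan_reg_export(text):
    """Return (key, value_name, reason) hits found in .reg export text."""
    hits, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            parent, _, leaf = key.rpartition("\\")
            # Assumption: the CLSID may be a subkey or a value name; check both.
            if leaf == CLSID and parent in CLSID_PARENTS:
                hits.append((key, None, "toolbar CLSID subkey"))
            continue
        m = VALUE_RE.match(line)
        if key is None or not m:
            continue
        name, data = m.group(1).lower(), m.group(2)
        # File name at the end of the value data (.reg files double backslashes).
        exe = data.strip('"').replace("\\\\", "\\").rsplit("\\", 1)[-1].lower()
        if key in CLSID_PARENTS and name == CLSID:
            hits.append((key, name, "toolbar CLSID value"))
        elif key == RUN_KEY and (name == "rare" or exe in DROPPED):
            hits.append((key, name, "autostart entry"))
        elif key == MARKER_KEY and name == "65005":
            hits.append((key, name, "Protection Tools marker"))
    return hits

# Constructed sample export (not from a real host); the last key is benign.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"rare"="C:\\Users\\lab\\Downloads\\smmain.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0993251-2512-4710-AF6E-0A13EA199D02}"=hex:00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F0993251-2512-4710-AF6E-0A13EA199D02}]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Program Files\\OneDrive\\OneDrive.exe"'''
```

Files written by `reg export` are UTF-16 encoded, so decode them before passing the text to `scan_reg_export`.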
