Sophos

Troj/Zlob-AOX

Aliases
  • Trojan.Zlob

Summary

Affected operating systems: Windows
Characteristics:
  • Installs itself in the registry
Included in our products from: November 2008 (4.35)
Protection available since: 6 October 2008 23:22:14 (GMT)
Detected by: All Sophos products

More Information

Troj/Zlob-AOX is a downloader Trojan for the Windows platform.

The installer for Troj/Zlob-AOX drops a DLL with a random name into the System folder and registers it both as a COM object and as a Browser Helper Object (BHO) for Microsoft Internet Explorer, so that the browser loads the DLL every time it starts. The registration creates registry entries under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5D682D50-876E-454C-90BE-EFE6028FE389}
HKCR\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}
HKCR\Interface\{7400E82A-929B-462A-BA8D-A7ED73843144}
HKCR\Interface\{1D745E53-A313-4CC4-9D5D-F6B655BE9167}
HKCR\CLSID\{5D682D50-876E-454C-90BE-EFE6028FE389}
HKCR\gigant.Bho
HKCR\monamia2

The installer then launches a hidden instance of Microsoft Internet Explorer, which loads the newly registered BHO and so runs the DLL's code without any user interaction.

The DLL component downloads and runs further executables, such as installers, or downloader/installers, for fake anti-virus Trojans.

The following files, harmless in themselves, are also typically installed:

<Desktop>\Cheap Pharmacy Online.url
<Desktop>\Search Online.url
<Desktop>\VIP Casino.url
<Favorites>\Cheap Pharmacy Online.url
<Favorites>\Search Online.url
<Favorites>\VIP Casino.url
<User>\Start Menu\Cheap Pharmacy Online.url
<User>\Start Menu\Search Online.url
<User>\Start Menu\VIP Casino.url
<Windows>\k.txt
<System>\c.ico
<System>\m.ico
<System>\s.ico

Registry entries are also created under:

HKCU\Software\Microsoft\Bind
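The script below is an added host-triage example, written for this page and not Sophos' own tooling. It enumerates every BHO registered for Internet Explorer on a Windows host, resolves each CLSID to the DLL it loads (the InprocServer32 default value) and reports whether that DLL exists and carries a valid Authenticode signature, then checks for every registry key and file named in the analysis above. The indicator values are the ones from the analysis; the function, variable and column names are this example's own. Both the native and the Wow6432Node registry views are checked, because a 32-bit BHO on 64-bit Windows is registered under Wow6432Node.

```powershell
# Added triage script; not Sophos code. Indicator values are taken from the
# analysis above; function, variable and column names are this example's own.
# Run in an elevated PowerShell session on the suspect Windows host.

$ZlobClsid = '{5D682D50-876E-454C-90BE-EFE6028FE389}'

# Registry artifacts from the analysis. 32-bit BHOs and COM classes on 64-bit
# Windows are registered under the Wow6432Node views, so both views are listed.
$ZlobRegKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$ZlobClsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$ZlobClsid",
    'Registry::HKEY_CLASSES_ROOT\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}',
    'Registry::HKEY_CLASSES_ROOT\Interface\{7400E82A-929B-462A-BA8D-A7ED73843144}',
    'Registry::HKEY_CLASSES_ROOT\Interface\{1D745E53-A313-4CC4-9D5D-F6B655BE9167}',
    "Registry::HKEY_CLASSES_ROOT\CLSID\$ZlobClsid",
    "Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\$ZlobClsid",
    'Registry::HKEY_CLASSES_ROOT\gigant.Bho',
    'Registry::HKEY_CLASSES_ROOT\monamia2',
    'HKCU:\Software\Microsoft\Bind'
)

# File artifacts, with the <Desktop>, <Favorites>, <User>\Start Menu, <Windows>
# and <System> placeholders resolved for the current user and this machine.
$UserDirs = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('Favorites'),
    [Environment]::GetFolderPath('StartMenu')
)
$ZlobFiles = @()
foreach ($dir in $UserDirs) {
    foreach ($name in 'Cheap Pharmacy Online.url', 'Search Online.url', 'VIP Casino.url') {
        $ZlobFiles += Join-Path $dir $name
    }
}
$ZlobFiles += Join-Path $env:windir 'k.txt'
foreach ($name in 'c.ico', 'm.ico', 's.ico') {
    $ZlobFiles += Join-Path ([Environment]::SystemDirectory) $name
}

function Get-InstalledBho {
    # Enumerate every BHO registered for Internet Explorer, resolve its CLSID to
    # the implementing DLL, and note whether the DLL exists, whether it is
    # Authenticode-signed, and whether the CLSID is the Troj/Zlob-AOX one.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $clsid = $key.PSChildName
            $dll = $null
            foreach ($view in 'CLSID', 'Wow6432Node\CLSID') {
                $server = "Registry::HKEY_CLASSES_ROOT\$view\$clsid\InprocServer32"
                if (Test-Path -Path $server) {
                    $dll = (Get-ItemProperty -Path $server).'(default)'
                    break
                }
            }
            $path = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }
            $exists = [bool]($path -and (Test-Path -LiteralPath $path))
            # -and short-circuits, so the signature check only runs for existing files.
            $signed = $exists -and ((Get-AuthenticodeSignature -FilePath $path).Status -eq 'Valid')
            [pscustomobject]@{
                Wow64     = ($root -like '*Wow6432Node*')
                Clsid     = $clsid
                Dll       = $path
                Exists    = $exists
                Signed    = [bool]$signed
                KnownZlob = ($clsid -ieq $ZlobClsid)
            }
        }
    }
}

function Find-ZlobAoxArtifact {
    # Check every registry key and file from the analysis; emit those present.
    foreach ($key in $ZlobRegKeys) {
        if (Test-Path -Path $key) {
            [pscustomobject]@{ Type = 'Registry'; Artifact = $key }
        }
    }
    foreach ($file in $ZlobFiles) {
        if (Test-Path -LiteralPath $file) {
            [pscustomobject]@{ Type = 'File'; Artifact = $file }
        }
    }
}

Write-Host '== Browser Helper Objects registered on this host =='
Get-InstalledBho | Format-Table -AutoSize
Write-Host '== Troj/Zlob-AOX artifacts present =='
$hits = @(Find-ZlobAoxArtifact)
if ($hits.Count -eq 0) { Write-Host 'None found.' } else { $hits | Format-Table -AutoSize }
```

The BHO listing is the part worth reading even when none of the fixed indicators match: the pattern described above is an unsigned DLL with a meaningless random name under the System folder, registered under a CLSID that nothing else on the machine references, and a repacked sample would change the GUIDs and file names but not that shape. Treat an unsigned BHO as a lead rather than proof, since legitimate but unsigned add-ons exist, and confirm by hashing the DLL before removing the key.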
