Trojan.Zlob.J
Trojan.Zlob.J is a member of the Zlob family, a large group of malware involved in malicious activity such as modifying Internet browsers, redirecting the home page and search results, installing fake security applications, and executing arbitrary files from a remote server. Trojan.Zlob.J also allows a remote attacker to access the compromised computer, so the attacker may perform malicious actions and steal sensitive data from the infected system.
Category: Trojan Horse
Risk Level: Medium
Technical Details
Characteristics:
Upon execution, Trojan.Zlob.J will drop the following harmful files:
%System%\ld[RANDOM CHARACTERS].tmp
%System%\dfrgsrv.exe
To gain an automatic start-up position, the Trojan modifies the Windows registry and adds the following entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
"wininet.dll" = "dfrgsrv.exe"
An alternative start-up method is to inject malicious code into the following Windows process, which runs when Windows starts:
winlogon.exe
Once running on the compromised system, Trojan.Zlob.J monitors Internet activity and may modify the home page settings.
Lastly, the Trojan establishes an HTTP connection to a specified URL and performs the following actions:
- Ping the remote computer
- Send a status report regarding the infected system
- Download and execute remote files, including updates to the Trojan itself
Distribution Method:
Trojan.Zlob.J spreads copies of itself primarily over the web. Malicious web sites, infected web pages and unsafe file-sharing networks are the main sources of this Trojan. Once inside the computer, it may contaminate other files locally but will not spread to neighboring computers.
Recommended Trojan.Zlob.J Removal Procedure
1. Temporarily disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Reboot the computer in Safe Mode.
4. Run a full system scan and clean or delete all infected file(s).
5. Delete or modify any values added to the registry.
Navigate to and delete the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run "wininet.dll" = "dfrgsrv.exe"
6. Exit the registry editor and restart the computer.
7. To make sure the threat is completely eliminated from your computer, carry out a full scan using antivirus and antispyware software. Alternatively, an online virus scanner can remove the Trojan without installing a separate antivirus program.
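To check a Windows host for the persistence entry and dropped files described above, here is an added PowerShell script that is not part of the original write-up. It assumes the registry value name, its data and the file names exactly as listed on this page, reports what it finds (with SHA256 hashes for the incident log), and removes them only when run with -Remove.

```powershell
# Added example (not from the original write-up): checks a Windows host for the
# Trojan.Zlob.J indicators listed above. Run from an elevated prompt, ideally in
# Safe Mode as in step 3. Read-only unless -Remove is given; -Remove honours -WhatIf.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remove)

$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run'
$valueName = 'wininet.dll'    # value name the Trojan adds (from the write-up)
$valueData = 'dfrgsrv.exe'    # value data the write-up reports
$sysDir    = [Environment]::GetFolderPath('System')   # %System%

# Dropped files: the fixed name plus any ld[RANDOM].tmp in %System%
$dropped = @(Join-Path $sysDir 'dfrgsrv.exe') +
           @(Get-ChildItem -Path $sysDir -Filter 'ld*.tmp' -File -ErrorAction SilentlyContinue |
             ForEach-Object FullName)

$findings = @()

# 1. Persistence: the value under the policies\explorer\run key
$key = Get-Item -Path $runKey -ErrorAction SilentlyContinue
if ($key -and ($key.GetValueNames() -contains $valueName)) {
    $data = $key.GetValue($valueName)
    $findings += "Registry: $runKey\$valueName = '$data'"
    if ($data -notlike "*$valueData*") {
        Write-Warning "Value present but data differs from the write-up ('$data'); review before removing."
    }
    if ($Remove -and $PSCmdlet.ShouldProcess("$runKey\$valueName", 'Remove-ItemProperty')) {
        Remove-ItemProperty -Path $runKey -Name $valueName
    }
}

# 2. Dropped files in %System%; hash each one before it is removed
foreach ($path in $dropped) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += "File: $path (SHA256 $hash)"
        if ($Remove -and $PSCmdlet.ShouldProcess($path, 'Remove-Item')) {
            Remove-Item -LiteralPath $path -Force
        }
    }
}

if ($findings.Count -eq 0) {
    'No Trojan.Zlob.J indicators found.'
} else {
    "Indicators found ($($findings.Count)):"
    $findings | ForEach-Object { "  $_" }
}
```

A file that is still loaded by the injected winlogon.exe may resist deletion, which is why the procedure above boots into Safe Mode before cleaning.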