Trojan.Zlob.K
Trojan.Zlob.K is a Trojan horse that may download and execute remote files and redirect the Internet Explorer home page and search page to a different address. It may also add an encryption key to certain folders to hide its associated files, or any stolen data, on the compromised computer.
Category: Trojan Horse
Risk Level: Low
Aliases:
- TROJ_ZLOB.MU
- Trojan-Downloader.Win32.Zlob.s
- Downloader-XC
- Trojan.Zlob.B
Technical Details
Characteristics:
Since Trojan.Zlob.K is a downloader, its goal is to download additional malware. It contacts predefined web sites, fetches malicious files, and runs them on the infected computer.
Once activated, the Trojan may drop the following files:
%System%\ncompat.tlb
%System%\interf.tlb
%System%\hp[RANDOM CHARACTERS].tmp
Then, it will add the following registry entry so that it executes on every Windows start-up:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"nvctrl.exe" = "nvctrl.exe"
To start automatically whenever Windows Explorer runs, the Trojan also sets the following values under this registry key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
notepad.exe
msmsgs.exe
An additional registry entry that calls the application file msmsgs.exe is also added. This likewise allows Trojan.Zlob.K to run on every Windows start-up:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = "msmsgs.exe"
Lastly, the Trojan hides its malicious activity by injecting code into the legitimate process Explorer.exe.
Distribution Method:
Trojan.Zlob.K may arrive on the target computer by means of another Trojan infection.
Recommended Trojan.Zlob.K Removal Procedure
1. Temporarily disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Reboot the computer in Safe Mode.
4. Run a full system scan and clean/delete all infected file(s).
5. Delete/modify any values added to the registry.
Navigate to and delete the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"nvctrl.exe" = "nvctrl.exe"
6. Exit registry editor and restart the computer.
7. To make sure the threat is completely eliminated from your computer, carry out a full scan using antivirus and antispyware software. Alternatively, an online virus scanner can check the computer with various antivirus engines without installing anything.
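The following audit script is an added example, not part of the original write-up: it reads the persistence locations and dropped-file paths listed in the Technical Details and reports anything matching the Trojan.Zlob.K indicators, which is a useful check before and after step 5. It assumes it is run from an elevated PowerShell prompt on the suspected host; the indicator names are taken from the write-up above.

```powershell
# Added audit script (not part of the original write-up). Assumes an elevated
# PowerShell session; indicator names come from the Trojan.Zlob.K description.
$ErrorActionPreference = 'SilentlyContinue'
$findings = @()

# 1. Policies\Explorer\Run: the write-up lists "nvctrl.exe", "notepad.exe" and
#    "msmsgs.exe" here. Check both value names and value data.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
$suspectRunValues = @('nvctrl.exe', 'notepad.exe', 'msmsgs.exe')
$run = Get-ItemProperty -Path $runKey
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        if ($suspectRunValues -contains $prop.Name -or
            $suspectRunValues -contains [string]$prop.Value) {
            $findings += "Policies\Explorer\Run: '$($prop.Name)' = '$($prop.Value)'"
        }
    }
}

# 2. Winlogon Shell: the default is explorer.exe; the write-up documents
#    Shell = "msmsgs.exe". Anything other than the default is reported.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon).Shell
if ($shell -and $shell -ne 'explorer.exe') {
    $findings += "Winlogon Shell is '$shell' (expected 'explorer.exe')"
}

# 3. Dropped files in %System%; hp*.tmp covers the randomly named temp file.
$sys = [Environment]::GetFolderPath('System')
foreach ($name in 'ncompat.tlb', 'interf.tlb') {
    $path = Join-Path $sys $name
    if (Test-Path $path) { $findings += "Dropped file present: $path" }
}
Get-ChildItem -Path (Join-Path $sys 'hp*.tmp') | ForEach-Object {
    $findings += "Possible dropped temp file: $($_.FullName)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Trojan.Zlob.K indicators found in the audited locations.'
} else {
    Write-Output 'Trojan.Zlob.K indicators found:'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

The script only reads and reports; removal of anything it flags should still follow the procedure above, since the Trojan also injects into Explorer.exe and may re-create the entries while that process is running.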