Virus: TR/Zlob.65745.9
Date discovered: 25/10/2006
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 60.905 Bytes
MD5 checksum: e948d9ab21d0f1b1bdb3ba8af1c704c9
VDF version: 6.36.00.166
IVDF version: 6.36.00.184 - Monday, October 30, 2006

General Method of propagation:
   • No own spreading routine


Aliases:
   •  F-Secure: Trojan-Downloader.Win32.Zlob.yo
   •  Eset: Win32/TrojanDownloader.Zlob.AGA


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads malicious files
   • Drops malicious files
   • Registry modification


Right after execution the following information is displayed:



Files:
It creates the following directory:
   • %PROGRAM FILES%\PornPass Manager



The following files are created:
   • %PROGRAM FILES%\PornPass Manager\pornpassmanager.exe (further investigation pointed out that this file is malware, too; detected as TR/Zlob.65745.9)
   • %PROGRAM FILES%\PornPass Manager\uninst.exe (further investigation pointed out that this file is malware, too; detected as TR/Zlob.65745.9)
   • %PROGRAM FILES%\PornPass Manager\PornPassManager.exe.manifest
   • %PROGRAM FILES%\PornPass Manager\PornPass Manager.url



It tries to download some files:

– The location is the following:
   • http://85.255.118.2/ultra/php/install/**********
It is saved on the local hard drive under: %TEMPDIR%\laf%hex number%.tmp. Furthermore, this file gets executed after it has been fully downloaded. Further investigation pointed out that this file is malware, too.

– The location is the following:
   • http://yourguardonline.biz/**********
This file may contain further download locations and might serve as a source for new threats.

– The location is the following:
   • http://85.255.118.2/ultra/php/install/**********
It is saved on the local hard drive under: %TEMPDIR%\laf%hex number%.tmp. Furthermore, this file gets executed after it has been fully downloaded. Further investigation pointed out that this file is malware, too.

Registry:
The value of the following registry key is removed:

–  [HKCU\Software\Internet Security]
   • "65010"



The following registry keys are added:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
   PornPass Manager]
   • "ProductionEnvironment"="1"
   • "DisplayName"="PornPass Manager 5.0"
   • "UninstallString"="%PROGRAM FILES%\PornPass Manager\uninst.exe"
   • "DisplayIcon"="%PROGRAM FILES%\PornPass Manager\uninst.exe"
   • "DisplayVersion"="5.0"
   • "URLInfoAbout"="http://www.pornpassmanager.com"
   • "Publisher"="PornPass Manager Inc."

– [HKCU\Software\Internet Security]
   • "Type"=dword:00000001
   • "Path"="%PROGRAM FILES%\PornPass Manager"
   • "Removable"=dword:00000000
   • "65005"=dword:00000001

File details:
Runtime packer:
In order to hamper detection and reduce the size of the file, it is packed with the following runtime packer:
   • UPX

Description inserted by Adriana Popa on Tuesday, December 5, 2006
Description updated by Adriana Popa on Tuesday, December 5, 2006
