Full description

Virus:	TR/Zlob.65745.9
Date discovered:	25/10/2006
Type:	Trojan
In the wild:	No
Reported Infections:	Low
Distribution Potential:	Low
Damage Potential:	Low to medium
Static file:	Yes
File size:	60.905 Bytes
MD5 checksum:	e948d9ab21d0f1b1bdb3ba8af1c704c9
VDF version:	6.36.00.166
IVDF version:	6.36.00.184 - Monday, October 30, 2006

General Method of propagation:
   • No own spreading routine

Aliases:
   • F-Secure: Trojan-Downloader.Win32.Zlob.yo
   • Eset: Win32/TrojanDownloader.Zlob.AGA

Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Downloads malicious files
   • Drops malicious files
   • Registry modification

Right after execution the following information is displayed:

Files It creates the following directory:
   • %PROGRAM FILES%\PornPass Manager

The following files are created:

– %PROGRAM FILES%\PornPass Manager\pornpassmanager.exe Further investigation pointed out that this file is malware, too. Detected as: TR/Zlob.65745.9

– %PROGRAM FILES%\PornPass Manager\uninst.exe Further investigation pointed out that this file is malware, too. Detected as: TR/Zlob.65745.9

– %PROGRAM FILES%\PornPass Manager\PornPassManager.exe.manifest
– %PROGRAM FILES%\PornPass Manager\PornPass Manager.url

It tries to download some files:

– The location is the following:
   • http://85.255.118.2/ultra/php/install/**********
It is saved on the local hard drive under: %TEMPDIR%\laf%hex number%.tmp Furthermore this file gets executed after it was fully downloaded. Further investigation pointed out that this file is malware, too.

– The location is the following:
   • http://yourguardonline.biz/**********
This file may contain further download locations and might serve as source for new threats.

– The location is the following:
   • http://85.255.118.2/ultra/php/install/**********
It is saved on the local hard drive under: %TEMPDIR%\laf%hex number%.tmp Furthermore this file gets executed after it was fully downloaded. Further investigation pointed out that this file is malware, too.

Registry The value of the following registry key is removed:

– [HKCU\Software\Internet Security]
   • "65010"

The following registry keys are added:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
   PornPass Manager]
   • "ProductionEnvironment"="1"
   • "DisplayName"="PornPass Manager 5.0"
   • "UninstallString"="%PROGRAM FILES%\PornPass Manager\uninst.exe"
   • "DisplayIcon"="%PROGRAM FILES%\PornPass Manager\uninst.exe"
   • "DisplayVersion"="5.0"
   • "URLInfoAbout"="http://www.pornpassmanager.com"
   • "Publisher"="PornPass Manager Inc."

– [HKCU\Software\Internet Security]
   • "Type"=dword:00000001
   • "Path"="%PROGRAM FILES%\PornPass Manager"
   • "Removable"=dword:00000000
   • "65005"=dword:00000001

File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
• UPX

Description inserted by Adriana Popa on Tuesday, December 5, 2006
Description updated by Adriana Popa on Tuesday, December 5, 2006

Back . . . .