Virus: TR/Zlob.65745.7
Date discovered: 25/10/2006
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 82.528 Bytes
MD5 checksum: 1a9aee5d6c192efb9d5530f9168c8512
VDF version: 6.36.00.166
IVDF version: 6.36.00.184 - Monday, October 30, 2006

General Method of propagation:
   • No own spreading routine


Aliases:
   •  F-Secure: Trojan-Downloader.Win32.Zlob.asq
   •  Eset: Win32/TrojanDownloader.Zlob.AGA


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads malicious files
   • Drops malicious files
   • Registry modification


Right after execution the following information is displayed:



Files:
It creates the following directory:
   • %PROGRAM FILES%\PornMag Pass



The following files are created:

%PROGRAM FILES%\PornMag Pass\PornMagPass.exe Further analysis showed that this file is also malware. Detected as: TR/Zlob.65745.7

%PROGRAM FILES%\PornMag Pass\uninst.exe Further analysis showed that this file is also malware. Detected as: TR/Zlob.65745.7

%PROGRAM FILES%\PornMag Pass\PornMag Pass.url



It tries to download some files:

– The location is the following:
   • http://85.255.118.2/ultra/php/install/**********
It is saved on the local hard drive as %TEMPDIR%\laf%hex number%.tmp and is executed as soon as the download has completed. Further analysis showed that this file is also malware.

– The location is the following:
   • http://yourguardonline.biz/**********
This file may contain further download locations and might serve as a source of new threats.

– The location is the following:
   • http://85.255.118.2/ultra/php/install/**********
It is saved on the local hard drive as %TEMPDIR%\laf%hex number%.tmp and is executed as soon as the download has completed. Further analysis showed that this file is also malware.

Registry:
The value of the following registry key is removed:

–  [HKCU\Software\Internet Security]
   • "65010"



The following registry keys are added:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PornMag Pass]
   • "ProductionEnvironment"="1"
   • "DisplayName"="PornMag Pass 1.0"
   • "UninstallString"="%PROGRAM FILES%\PornMag Pass\uninst.exe"
   • "DisplayIcon"="%PROGRAM FILES%\PornMag Pass\uninst.exe"
   • "DisplayVersion"="1.0"
   • "URLInfoAbout"="http://www.pornmagpass.com"
   • "Publisher"="PornMag Pass Inc."

– [HKCU\Software\Internet Security]
   • "Type"=dword:00000001
   • "Path"="%PROGRAM FILES%\PornMag Pass"
   • "Removable"=dword:00000000
   • "65005"=dword:00000001

File details:
Runtime packer:
To hinder detection and reduce the file size, it is packed with the following runtime packer:
   • UPX

Description inserted by Adriana Popa on Wednesday, December 6, 2006
Description updated by Adriana Popa on Wednesday, December 6, 2006
