Virus:DR/Zlob.iwm
Date discovered:25/11/2008
Type:Dropper
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:7.073.792 Bytes
MD5 checksum:310155bd61cf7370031799b366333bba
IVDF version:7.01.00.137 - Tuesday, November 25, 2008

 General Method of propagation:
   • No own spreading routine


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads malicious files
   • Drops malicious files


Right after execution the following information is displayed:


 Files  It creates the following directories:
   • %PROGRAM FILES%\HDTV Player\
   • %PROGRAM FILES%\HDTV Player\Uninstall



The following files are created:

– Non malicious files:
   • %PROGRAM FILES%\HDTV Player\applog.dll
   • %PROGRAM FILES%\HDTV Player\ATVPlayerCtrl.dll
   • %PROGRAM FILES%\HDTV Player\BDA_TSFile.dll
   • %PROGRAM FILES%\HDTV Player\DibLibDll.dll
   • %PROGRAM FILES%\HDTV Player\HDTVPlayer.exe
   • %PROGRAM FILES%\HDTV Player\IE_Ext.dll
   • %PROGRAM FILES%\HDTV Player\mlutil.dll
   • %PROGRAM FILES%\HDTV Player\ucm.dll
   • %PROGRAM FILES%\HDTV Player\VersionInfo.dll

%PROGRAM FILES%\HDTV Player\Readme.txt
%PROGRAM FILES%\HDTV Player\SndErr.ini
%PROGRAM FILES%\HDTV Player\License.txt
%PROGRAM FILES%\HDTV Player\FileAssocator.ini
%PROGRAM FILES%\HDTV Player\DVBTFrequencyList.ini
%PROGRAM FILES%\HDTV Player\ATSCFrequencyList.ini
%PROGRAM FILES%\HDTV Player\AnalogTVStandard.INI
%PROGRAM FILES%\HDTV Player\AnalogTVFrequency.reg
%PROGRAM FILES%\HDTV Player\Uninstall\uninstall.xml
%PROGRAM FILES%\HDTV Player\Uninstall\uninstall.dat
%PROGRAM FILES%\HDTV Player\Uninstall\IRIMG1.BMP
%PROGRAM FILES%\HDTV Player\Uninstall\IRIMG2.BMP



It tries to download some files:

– The location is the following:
   • http://89.149.226.**********/MediaCodec.exe
It is saved on the local hard drive under: %TEMPDIR%\MediaCodec.exe Furthermore this file gets executed after it was fully downloaded. Further investigation pointed out that this file is malware, too. Detected as: DR/Dldr.Zlob.IWM.1


– The location is the following:
   • http://end-live.com/**********/FlashPlayer.v3.193.exe
It is saved on the local hard drive under: %TEMPDIR%\FlashPlayer.v.3.193.exe Furthermore this file gets executed after it was fully downloaded. Further investigation pointed out that this file is malware, too. Detected as: DR/AutoRun.lte

 File details Programming language:
 The malware program was written in MS Visual C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • UPX

Description inserted by Thomas Wegele on Wednesday, November 26, 2008
Description updated by Thomas Wegele on Thursday, November 27, 2008

Back . . . .