Zlob trojan information

The Zlob Trojan, identified by some antiviruses as Trojan.Zlob, is a Trojan horse which masquerades as a required video codec in the form of ActiveX. It was first detected in late 2005, but only started gaining attention in mid-2006.^[1]

Once installed, it displays popup ads which appear similar to real Microsoft Windows warning popups, informing the user that their computer is infected with spyware. Clicking these popups triggers the download of a fake anti-spyware program (such as Virus Heat and MS Antivirus (Antivirus 2009)) in which the Trojan horse is hidden.^[1]

The Trojan has also been linked to downloading atnvrsinstall.exe which uses the Windows Security shield icon to look as if it is an anti-virus installation file from Microsoft. Having this file run can wreak havoc on computers and networks. One typical symptom is random computer shutdowns or reboots with random comments.^{[further explanation needed]} This is caused by the programs using Task Scheduler to run a file called "zlberfker.exe."

Project Honeypot Spam Domains List (PHSDL)^[2] tracks and catalogs spam domains. Some of the domains on the list are redirects to porn sites and various video watching sites that show a number of online videos. Playing videos on these sites activates a request to download an ActiveX codec which is malware. It prevents the user from closing the browser in the usual manner. Other variants of Zlob Trojan installation come in the form of a Java cab file masquerading as a computer scan.^[3]

There is evidence that the Zlob Trojan might be a tool of the Russian Business Network^[4] or at least of Russian origin.^[5]