Zlob (Trojan horse software)

Technical name:
TrojanDownloader:Win32/Zlob (Microsoft)
Trojan.Zlob (Symantec)
Trojan.Zlob. (Symantec)
Trojan-Downloader:W32/Zlob (F-Secure)
Win32.Trojandownloader.Zlob (F-Secure)
Trojan-Downloader.Win32.Zlob (F-Secure)
TROJ_ZLOB. (Trend Micro)
Trojan-Downloader.Win32.Zlob. (Kaspersky)
Downloader.Win32.Zlob. (Kaspersky)
TR/Dldr.Zlob.Gen (Avira)
TR/Drop.Zlob. (Avira)
Type: Malware
Subtype: Spyware

The Zlob Trojan, identified by some antiviruses as Trojan.Zlob, is a Trojan horse which masquerades as a required video codec in the form of ActiveX. It was first detected in late 2005, but only started gaining attention in mid-2006.

Once installed, it displays popup ads which appear similar to real Microsoft Windows warning popups, informing the user that their computer is infected with spyware. Clicking these popups triggers the download of a fake anti-spyware program (such as Virus Heat and MS Antivirus (Antivirus 2009)) in which the Trojan horse is hidden.

The Trojan has also been linked to downloading atnvrsinstall.exe, which uses the Windows Security shield icon to look as if it is an anti-virus installation file from Microsoft. Running this file can wreak havoc on computers and networks. One typical symptom is random computer shutdowns or reboots with random comments. This is caused by the programs using Task Scheduler to run a file called "zlberfker.exe".

Project Honeypot Spam Domains List (PHSDL) tracks and catalogs spam domains. Some of the domains on the list are redirects to porn sites and various video watching sites that show a number of online videos. Playing videos on these sites activates a request to download an ActiveX codec which is malware. It prevents the user from closing the browser in the usual manner. Other variants of Zlob Trojan installation come in the form of a Java cab file masquerading as a computer scan.

There is evidence that the Zlob Trojan might be a tool of the Russian Business Network, or at least of Russian origin.

RSPlug, DNSChanger, and other variants

The group that created Zlob has also created a Mac Trojan with similar behaviors (named RSPlug). Some variants of the Zlob family, like the so-called "DNSChanger", add rogue DNS name servers to the registry of Windows-based computers and attempt to hack into any detected router to change its DNS settings, potentially re-routing traffic from legitimate web sites to other suspicious web sites. DNSChanger in particular gained significant attention when the U.S. FBI announced it had shut down the source of the malware in late November 2011. However, as there were millions of infected computers which would lose access to the Internet if the malware group's servers were shut down, the FBI opted to convert the servers into legitimate DNS servers. Due to cost concerns, however, these servers were set to shut down on the morning of 9 July 2012, which could cause thousands of still-infected computers to lose Internet access. This server shutdown did occur as planned, although the expected issues with infected computers did not materialize. By the date of the shutdown, there were many free programs available that removed the Zlob malware effectively and without requiring great technical knowledge. The malware did, however, remain in the wild and as of 2015 could still be found on unprotected computers. The malware was also self-replicating, something the FBI did not fully understand, and the servers that were shut down may have been only one of the initial sources of the malware. Current antivirus programs are very effective at detecting and removing Zlob, and its time in the wild appears to be coming to an end.

See also

Search-daily Hijacker
Trojan.Win32.DNSChanger

External links

List of ActiveX Zlob Trojan fake codecs and other misleading Zlob-installers
Listing of 113 fake codec domains
Flash's Security Blog, a blog listing fake codecs and rogue security software.
S!Ri.URZ, SmitfraudFix.
Zlob/VideoAccess/Trojan.Win32.DNSChanger – malekal.com (fr)
Anti Zlob Malware Forums
Geeks to Go Forum
SWI Forum
TSG Forum
dns-ok.gov.au, an Australian Government website which has the diagnostic ability to determine if your computer is infected by DNSChanger.