Trojan posing as Codecs

Published: 2007-04-22
Last Updated: 2007-04-22 00:33:00 UTC
by Koon Yaw Tan (Version: 1)
0 comment(s)
One of our readers (Gary) came across a forum with postings that link to free porn movies:
http :// free-bdsm-movies. info/movies/1270174.avi
(Resolves to

However, clicking on the link opens another site in an iframe:
http : //www.
(Resolves to

The page has HTML code that checks for the presence of a Trojan (Zlob.Trojan). If it is not found, it will display a page to tell the viewer that the movie cannot be played and to download a "missing Video ActiveX Object".

The "activex object" link is
http: // www.
(Resolves to

Note: - is a known source of evil (

Not surprisingly, the downloaded file is actually a Trojan. Positive scan results from VirusTotal:

Engine             Version   Date        Result
AntiVir            -         04.20.2007  DR/Zlob.Gen
AVG                -         04.20.2007  Downloader.Zlob.GG
BitDefender        7.2       04.21.2007  Trojan.Downloader.Zlob.RX
eSafe              -         04.19.2007  suspicious Trojan/Worm
Fortinet           -         04.21.2007  W32/Zlob.BRI!tr.dldr
Ikarus             T3.1.1.5  04.20.2007  Trojan-Downloader.Win32.Zlob.bpg
Kaspersky          -         04.21.2007  Trojan-Downloader.Win32.Zlob.bqt
McAfee             5014      04.20.2007  New
Sophos             4.16.0    04.20.2007  Troj/Zlob-Gen
TheHacker          -         04.15.2007  Trojan/Downloader.Zlob.bpl
Webwasher-Gateway  6.0.1     04.21.2007  Trojan.Zlob.Gen
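
A defender-side check for the lure chain described above, added here as an example and not part of the original diary: it flags a client that requests a URL with a video extension but receives HTML (the ".avi" link that really opens a page), then downloads an executable shortly afterwards. The log format, the .example hostnames, the five-minute window and the assumption that the fake codec arrives as an .exe are all constructed for illustration.

```python
from datetime import datetime, timedelta

MEDIA_EXT = (".avi", ".mpg", ".mpeg", ".wmv", ".mov")
WINDOW = timedelta(minutes=5)  # assumed correlation window

# Constructed proxy log: time, client, host, path, response content type
SAMPLE_LOG = """\
2007-04-21T10:00:01 10.0.0.5 movies.example /movies/1270174.avi text/html
2007-04-21T10:00:02 10.0.0.5 player.example /play.html text/html
2007-04-21T10:00:40 10.0.0.5 codec.example /codec-download.exe application/x-msdownload
2007-04-21T10:01:00 10.0.0.7 media.example /clips/holiday.avi video/x-msvideo
2007-04-21T10:02:00 10.0.0.7 vendor.example /setup.exe application/x-msdownload
2007-04-21T09:00:00 10.0.0.9 movies.example /movies/1.avi text/html
2007-04-21T11:30:00 10.0.0.9 vendor.example /setup.exe application/x-msdownload
"""

def parse(log):
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        ts, client, host, path, ctype = parts
        events.append((datetime.fromisoformat(ts), client, host,
                       path.lower().split("?")[0], ctype.lower()))
    return sorted(events)  # process in time order

def is_lure(path, ctype):
    # URL claims to be a movie, but the server answered with an HTML page
    return path.endswith(MEDIA_EXT) and ctype.startswith("text/html")

def is_executable(path, ctype):
    return path.endswith(".exe") or ctype == "application/x-msdownload"

def find_fake_codec_chains(log):
    last_lure = {}  # client -> (time, "host/path") of most recent lure
    alerts = []
    for ts, client, host, path, ctype in parse(log):
        if is_lure(path, ctype):
            last_lure[client] = (ts, host + path)
        elif is_executable(path, ctype) and client in last_lure:
            lure_ts, lure_url = last_lure.pop(client)
            if ts - lure_ts <= WINDOW:
                alerts.append({"client": client, "lure": lure_url,
                               "download": host + path})
    return alerts

if __name__ == "__main__":
    for alert in find_fake_codec_chains(SAMPLE_LOG):
        print(alert)
```
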