{
	"id": "28251695-7fbc-4a2f-97f5-def84cd7b2be",
	"created_at": "2026-04-06T00:12:40.758087Z",
	"updated_at": "2026-04-10T13:11:54.104236Z",
	"deleted_at": null,
	"sha1_hash": "6180316378ddb1c35aab542ac33c442591d0d5ff",
	"title": "Zlob trojan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 90911,
	"plain_text": "Zlob trojan\r\nBy Contributors to Wikimedia projects\r\nPublished: 2007-08-05 · Archived: 2026-04-05 21:14:55 UTC\r\nFrom Wikipedia, the free encyclopedia\r\nZlob\r\nMalware details\r\nTechnical name\r\nTrojanDownloader:Win32/Zlob (Microsoft)\r\nTrojan.Zlob (Symantec)\r\nTrojan.Zlob.[Letter] (Symantec)\r\nTrojan-Downloader:W32/Zlob (F-Secure)\r\nWin32.Trojandownloader.Zlob (F-Secure)\r\nTrojan-Downloader.Win32.Zlob (F-Secure)\r\nTROJ_ZLOB.[Letter] (Trend Micro)\r\nTrojan-Downloader.Win32.Zlob.[letter] (Kaspersky)\r\nDownloader.Win32.Zlob.[Letter] (Kaspersky)\r\nTR/Dldr.Zlob.Gen (Avira)\r\nTR/Drop.Zlob.[Letter] (Avira)\r\nType Malware\r\nSubtype Spyware\r\nThe Zlob Trojan, identified by some antiviruses as Trojan.Zlob, is a Trojan horse which masquerades as a\r\nrequired video codec in the form of ActiveX. It was first detected in late 2005, but only started gaining attention in\r\nmid-2006.[1]\r\nOnce installed, it displays popup ads which appear similar to real Microsoft Windows warning popups, informing\r\nthe user that their computer is infected with spyware. Clicking these popups triggers the download of a fake anti-spyware program (such as Virus Heat and MS Antivirus (Antivirus 2009)) in which the Trojan horse is hidden.[1]\r\nThe Trojan has also been linked to downloading atnvrsinstall.exe which uses the Windows Security shield icon to\r\nlook as if it is an anti-virus installation file from Microsoft. Having this file run can wreak havoc on computers\r\nand networks. One typical symptom is random computer shutdowns or reboots with random comments.[further\r\nexplanation needed]\r\n This is caused by the programs using Task Scheduler to run a file called \"zlberfker.exe.\"\r\nhttps://en.wikipedia.org/wiki/Zlob_trojan\r\nPage 1 of 3\n\nProject Honeypot Spam Domains List (PHSDL)[2]\r\n tracks and catalogs spam domains. 
Some of the domains on the\r\nlist are redirects to porn sites and various video watching sites that show a number of online videos. Playing\r\nvideos on these sites activates a request to download an ActiveX codec which is malware. It prevents the user\r\nfrom closing the browser in the usual manner. Other variants of Zlob Trojan installation come in the form of a\r\nJava cab file masquerading as a computer scan.[3]\r\nThere is evidence that the Zlob Trojan might be a tool of the Russian Business Network[4] or at least of Russian\r\norigin.[5]\r\nRSPlug, DNSChanger, and other variants\r\nThe group that created Zlob has also created a Mac Trojan with similar behaviors (named RSPlug).[6] Some\r\nvariants of the Zlob family, like the so-called \"DNSChanger\", add rogue DNS name servers to the registry of\r\nWindows-based computers[7] and attempt to hack into any detected router to change the DNS settings, potentially\r\nre-routing traffic from legitimate web sites to other suspicious web sites.[8] DNSChanger in particular gained\r\nsignificant attention when the U.S. FBI announced it had shut down the source of the malware in late November\r\n2011.[9] However, as there were millions of infected computers which would lose access to the Internet if the\r\nmalware group's servers were shut down, the FBI opted to convert the servers into legitimate DNS servers. Due to\r\ncost concerns, however, these servers were set to shut down on the morning of 9 July 2012, which could cause\r\nthousands of still-infected computers to lose Internet access.[10] This server shutdown did occur as planned,\r\nalthough the expected issues with infected computers did not materialize. By the date of the shutdown, there were\r\nmany free of charge programs available that removed the Zlob malware effectively and without requiring great\r\ntechnical knowledge. The malware did however remain in the wild and as at 2015 could still be found on\r\nunprotected computers. 
The malware was also self-replicating, something the FBI did not fully understand, and\r\nthe servers that were shut down may have only been one of the initial sources of the malware. Current antivirus\r\nprograms are very effective at detecting and removing Zlob and its time in the wild appears to be coming to an\r\nend.[citation needed][needs update]\r\nSearch-daily Hijacker\r\nTrojan.Win32.DNSChanger\r\n1. ^ \"The ZLOB Show: Trojan Poses as Fake Video Codec, Loads More Threats\". Trend\r\nMicro. Retrieved 26 November 2007.\r\n2. ^ Project Honeypot Spam Domains List\r\n3. ^ PHSDL Zlob Trojan Forum Spam Hijacking Attempt Documentation\r\n4. ^ \"RBN – Fake Codecs\".\r\n5. ^ \"TCP – Проект Киберкультуры | Zlob Team\".\r\n6. ^ Tung, Liam (8 November 2007). \"Multiplying Mac Trojan not epidemic yet\". CNET News. Retrieved 26\r\nNovember 2007.\r\n7. ^ Podrezov, Alexey (7 November 2005). \"F-Secure Virus Descriptions: DNSChanger\". F-Secure\r\nCorporation. Retrieved 26 November 2007.\r\n8. ^ Vincentas (9 July 2013). \"Zlob Trojan in SpyWareLoop.com\". Spyware Loop. Retrieved 28 July 2013.\r\n9. ^ \"International Cyber Ring That Infected Millions of Computers Dismantled\". U.S. FBI. 9 November\r\n2011. Retrieved 6 June 2012.\r\n10. ^ Kerr, Dara (5 June 2012). \"Facebook warns users of the end of the Internet via DNSChanger\". 
CNET.\r\nRetrieved 6 June 2012.\r\nList of ActiveX Zlob Trojan fake codecs and other misleading Zlob-installers\r\nListing of 113 fake codec domains\r\nFlash's Security Blog, a blog listing fake codecs and rogue security software.\r\nS!Ri.URZ, SmitfraudFix.\r\nZlob/VideoAccess/Trojan.Win32.DNSChanger – malekal.com (fr)\r\nAnti Zlob Malware Forums\r\nGeeks to Go Forum\r\nSWI Forum Archived 4 December 2008 at the Wayback Machine\r\nTSG Forum Archived 4 December 2007 at the Wayback Machine\r\ndns-ok.gov.au An Australian Government website, which has the diagnostic ability to determine if your\r\ncomputer is infected by DNSChanger.\r\nSource: https://en.wikipedia.org/wiki/Zlob_trojan",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://en.wikipedia.org/wiki/Zlob_trojan"
	],
	"report_names": [
		"Zlob_trojan"
	],
	"threat_actors": [],
	"ts_created_at": 1775434360,
	"ts_updated_at": 1775826714,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6180316378ddb1c35aab542ac33c442591d0d5ff.pdf",
		"text": "https://archive.orkl.eu/6180316378ddb1c35aab542ac33c442591d0d5ff.txt",
		"img": "https://archive.orkl.eu/6180316378ddb1c35aab542ac33c442591d0d5ff.jpg"
	}
}