Nov 14th

New Zlob Rogue - VirusTrigger

Posted by: Jacques Erasmus


Today a new Zlob infection has surfaced from the run-of-the-mill codec site infections. This time around it's called VirusTrigger. It's the usual style of infection where you are told to install a codec to be able to watch a video. It is spread via various vectors, mainly porn sites, forums and downloaders. If you happen to have been infected with this beast, don't worry: Prevx CSI will be able to remove this threat.

WebMediaViewer is the codec component that you install, which in turn downloads the rogue.

WebMediaViewer Codec

Below is a list of the filenames this threat drops on the system, grouped by location.

  • C:\Program Files\WebMediaViewer
      • browseu.exe 28139 bytes
      • browseul.dll 37906 bytes
      • hpmom.exe 28018 bytes
      • hpmon.exe 70132 bytes
      • hpmun.dll 30381 bytes
      • hpmun.exe 28491 bytes
      • myd.ico 13942 bytes
      • mym.ico 13942 bytes
      • myp.ico 13942 bytes
      • myv.ico 13942 bytes
      • ot.ico 13942 bytes
      • qttask.exe 53492 bytes
      • qttaskm.exe 27540 bytes
      • qttasku.exe 28772 bytes
      • ts.ico 13942 bytes
  • C:\WINDOWS\system32
      • algg.exe 20992 bytes
      • wakjs.dll 15872 bytes
  • C:\WINDOWS\system32\512686
      • 512686.dll 15872 bytes

As you can see from the identical size (15872 bytes), 512686.dll is a backup copy of wakjs.dll: if you delete wakjs.dll, the threat restores it from the backup.

Here is the end result of this exercise:

  • C:\Program Files\VirusTriggerBin
      • uninst.exe 37730 bytes
      • VirusTriggerBin.exe 1687552 bytes
      • VirusTriggerBinWarning.dll 73728 bytes

The following registry entries are created to complete the installation of VirusTrigger:

  • HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://windiwsfsearch.com
  • HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://windiwsfsearch.com
  • HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://windiwsfsearch.com
  • HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://windiwsfsearch.com/ie6.html
  • HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://windiwsfsearch.com
  • HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://windiwsfsearch.com
  • HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://windiwsfsearch.com/ie6.html
  • HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://windiwsfsearch.com
  • HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://windiwsfsearch.com
  • HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://windiwsfsearch.com
  • BHO: (no name) - {64466B8E-20A7-4A4A-AFF4-AAD9CA68B52C} - C:\Program Files\WebMediaViewer\hpmun.dll
  • BHO: VirusTriggerBinWarningBHO Class - {096CBA44-4A4C-49f7-8903-1E75550ABCB7} - C:\Program Files\VirusTriggerBin\VirusTriggerBinWarning.dll
  • BHO: 512686 helper - {51B15F5A-E98B-4658-B9CB-9307B74773A7} - C:\WINDOWS\system32\512686\512686.dll
  • Toolbar: Browser Toolbar - {2EEF94DF-75F6-42E9-B7FB-AF5A170A6E2E} - C:\Program Files\WebMediaViewer\browseul.dll
  • HKCU\..\Run: [VirusTriggerBin] "C:\Program Files\VirusTriggerBin\VirusTriggerBin.exe"
  • HKCU\..\Run: [wblogon] C:\WINDOWS\system32\algg.exe
  • HKLM\..\Policies\Explorer\Run: [QuickTime Task] C:\Program Files\WebMediaViewer\qttask.exe
  • HKLM\..\Policies\Explorer\Run: [hptray] C:\Program Files\WebMediaViewer\hpmon.exe
  • Extra button: (no name) - {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.ietoolexpress.com/redirect.php
  • Extra 'Tools' menuitem: IExplorer Security - {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.ietoolexpress.com/redirect.php
  • SharedTaskScheduler: chaplin - {257f6f44-2c64-46bb-acb4-55f9b9e0ae08} - C:\WINDOWS\system32\wakjs.dll
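As an added example (not code from the original post or from Prevx), the following read-only PowerShell triage script checks a host for the dropped directories, the wakjs.dll / 512686.dll backup pair, the Run entries, the BHO/toolbar CLSIDs and the hijacked Internet Explorer search values listed above. It assumes PowerShell 4 or later (for Get-FileHash) and resolves the Program Files path at run time rather than assuming C:\; it reports findings and deletes nothing.

```powershell
# Added example, not from the original post. Read-only triage: reports the indicators above, deletes nothing.
$ErrorActionPreference = 'SilentlyContinue'
$pf    = [Environment]::GetFolderPath('ProgramFiles')   # resolved at run time, not assumed C:\
$sys32 = Join-Path $env:windir 'System32'
$badClsids = @(
    '{64466B8E-20A7-4A4A-AFF4-AAD9CA68B52C}',  # BHO: hpmun.dll
    '{096CBA44-4A4C-49f7-8903-1E75550ABCB7}',  # BHO: VirusTriggerBinWarning.dll
    '{51B15F5A-E98B-4658-B9CB-9307B74773A7}',  # BHO: 512686.dll
    '{2EEF94DF-75F6-42E9-B7FB-AF5A170A6E2E}',  # Toolbar: browseul.dll
    '{3B8FB116-D358-48A3-A5C7-DB84F15CBB04}',  # Extra button / 'Tools' menu item
    '{257f6f44-2c64-46bb-acb4-55f9b9e0ae08}'   # SharedTaskScheduler: wakjs.dll
)
$badRunNames   = 'VirusTriggerBin', 'wblogon', 'QuickTime Task', 'hptray'
$badSearchHost = 'windiwsfsearch.com'
$findings = New-Object System.Collections.Generic.List[string]
# 1. Dropped directories, plus the self-restoring DLL pair (same size in the post; compare content).
foreach ($d in "$pf\WebMediaViewer", "$pf\VirusTriggerBin", "$sys32\512686") {
    if (Test-Path $d) { $findings.Add("Directory present: $d") }
}
$dllA = "$sys32\wakjs.dll"; $dllB = "$sys32\512686\512686.dll"
if ((Test-Path $dllA) -and (Test-Path $dllB)) {
    $same = (Get-FileHash $dllA).Hash -eq (Get-FileHash $dllB).Hash
    $findings.Add("wakjs.dll and 512686.dll both present; identical content: $same")
}
# 2. Autostart values named in the post (HKCU Run and HKLM Policies\Explorer\Run).
foreach ($k in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run') {
    $p = Get-ItemProperty $k
    foreach ($n in $badRunNames) { if ($p.$n) { $findings.Add("Run [$n] in ${k}: $($p.$n)") } }
}
# 3. COM registrations: BHO/Extensions subkeys and the CLSID class key, then Toolbar/SharedTaskScheduler value names.
$base = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer'
foreach ($c in $badClsids) {
    foreach ($k in "HKLM:\Software\Classes\CLSID\$c", "$base\Browser Helper Objects\$c",
                   "HKLM:\Software\Microsoft\Internet Explorer\Extensions\$c") {
        if (Test-Path $k) { $findings.Add("Key present: $k") }
    }
    foreach ($k in "$base\SharedTaskScheduler", 'HKLM:\Software\Microsoft\Internet Explorer\Toolbar') {
        if ($null -ne (Get-ItemProperty $k).$c) { $findings.Add("Value $c under $k") }
    }
}
# 4. IE search settings (SearchURL, Main, Search keys in both hives) pointing at the hijack domain.
foreach ($hive in 'HKCU', 'HKLM') {
    foreach ($sub in '', '\Main', '\Search') {
        foreach ($v in (Get-ItemProperty "${hive}:\Software\Microsoft\Internet Explorer$sub").PSObject.Properties) {
            if ("$($v.Value)" -like "*$badSearchHost*") { $findings.Add("IE $($v.Name) = $($v.Value) ($hive$sub)") }
        }
    }
}
if ($findings.Count -eq 0) { 'No VirusTrigger indicators found.' } else { $findings }
```

Run it from an elevated prompt so the HKLM keys and System32 files are readable; a populated list is the cue to hand the machine to your removal tool rather than to start deleting files by hand, since the page notes that wakjs.dll is restored from its backup.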

And this is how the beast looks: [three screenshots of VirusTrigger, not reproduced here]

2 comments so far

  Bob on Nov 16 15:28, 2008

    Great article, so what's the best way to delete this virus?

  Donnie on Nov 19 14:42, 2008

    It can be removed by using software named "ProcessXP", also known as "PisangXP". Just search in Google and install it.

    After the installation, run the program and you can see the processes or programs currently running in your PC. In that list of processes, you can find the filenames (the same as the author mentioned) related to that virus, such as hpmon.exe, qttask.exe, etc. Use the following steps to remove them:

    + Point your cursor at the file, and note the source of the file (where it's stored in your PC), usually stored in "Program Files" under the folder name "WebViewer" (pls check, not sure)

    + Right-click on the file(s) related to the virus, and select the option "Kill Process Tree"

    + Then, go to that source folder and manually delete all those files. (Note: please make sure none of your web browsers are running, for successful eradication.)

    After these steps, open ProcessXP, open the "Find" menu and select the option "Find Handle or DLL...", type in any filename (related to the virus) and press "Search" to see if they are still running in your PC. If not, then you are free!
