Zlob is a backdoor Trojan that grants attackers control over the system, and allows them to perform malicious actions on the compromised computer – change essential system settings and modify certain files. However, the most well-known function of Zlob is to spread dangerous rogue anti-spyware parasites, such as SpyLocked and SpyLocker. Zlob is closely connected to these threats, and it is safe to say that if you detect Zlob on your system, these other parasites are almost certainly lurking somewhere on your PC, and vice versa.
Zlob installs on an infected system in a very specific way: it pretends to be an ActiveX driver or a video codec that is required for displaying video. After you download and install that codec, the video fails to run anyway, but by then it is too late and the PC is already infected. That is why some antivirus products might detect it as Zlob.Mediacodec or similar (Wikipedia).
The first version of the Zlob Trojan was released in 2005, and it gained popularity together with the rise of rogue antiviruses: its install technique is not very subtle and could raise some suspicion and prompt scans with anti-malware programs. Rogues were thus a perfect way to make fast money from the infection, and they even gained credibility for being able to detect an infection very fast.
Although Trojan.Zlob comes under several versions or names, some of them are incorrect. For example, Zlob.Sunporn originates from the way the non-rootkit version of the Zlob trojan installs in the system:
It creates a subfolder in C:\Programs and Files\ from a predefined list of names. One of these names is SunPorn, a porn site that has its own downloader. Other names include various codec names (like silver codec, quality codec, perfect codec, pcodec), or other names related to video software. Although Zlob is distributed through fake porn sites, SunPorn is not one of the sites distributing this malware.
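A check for the folder names listed above, as an added example that is not part of the original article. The function names, the name normalization and the sample directory tree are assumptions made for illustration, and the directory to scan is passed in by the caller.

```python
import os
import re
import tempfile

# Folder names the article lists for the non-rootkit Zlob installer.
# Their exact on-disk spelling is an assumption, so names are compared
# after lowercasing and dropping spaces and punctuation.
ZLOB_FOLDER_NAMES = ["SunPorn", "silver codec", "quality codec",
                     "perfect codec", "pcodec"]


def normalize(name):
    """Lowercase and keep only letters and digits."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


KNOWN = {normalize(n): n for n in ZLOB_FOLDER_NAMES}


def find_suspect_folders(root):
    """Return (path, listed_name) for each direct subfolder of root whose
    normalized name equals a listed name. A hit is a lead for a real scan,
    not a verdict: SunPorn is also a site with its own downloader."""
    hits = []
    try:
        entries = sorted(os.scandir(root), key=lambda e: e.name.lower())
    except OSError:
        return hits  # missing or unreadable directory
    for entry in entries:
        if entry.is_dir(follow_symlinks=False):
            match = KNOWN.get(normalize(entry.name))
            if match:
                hits.append((entry.path, match))
    return hits


def demo():
    """Scan a constructed directory tree (sample data, not real findings)."""
    with tempfile.TemporaryDirectory() as root:
        for name in ["Silver_Codec", "PCodec", "Mozilla Firefox", "CodecPack"]:
            os.mkdir(os.path.join(root, name))
        open(os.path.join(root, "sunporn"), "w").close()  # a file, not a folder
        return [(os.path.basename(p), m) for p, m in find_suspect_folders(root)]


if __name__ == "__main__":
    for folder, listed in demo():
        print(f"{folder}: matches listed name '{listed}'")
```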
Some versions were used in the fake detections of the rogue antiviruses themselves, for example Trojan.Zlob.Porn.Ad. These detections can be discarded: rogue antiviruses do not detect actual parasites, and you will have to re-scan with an actual anti-malware or antivirus program.
Zlob is closely related to the DNSChanger malware, which changed DNS settings and thus made the PC show malicious websites instead of legitimate ones. This malicious network was dismantled in 2011 and the DNS servers were shut down.
There is little chance of getting infected with this malware today. Some fake torrents and pages are still active, but this parasite is easily detected and blocked with antivirus tools. The greater risk comes from the Mac version of the trojan, RSPlug, which uses a similar approach; however, each of these parasites should be successfully removed with an anti-virus or anti-malware scan.