Monday, September 24, 2007

Zlob Hijacks Winsock LSP

The Zlob malware is hijacking the Winsock LSP (Layered Service Provider) chain.

It all begins with the installation of the fake software Video ActiveX Enhancement 2.07, which installs AntiVirGear 3.7, a BHO, alert popups, IEToolBar...

Two files, laf?.dll and laf?.ini, are then dropped in the %SYSTEM% folder (where ? is a number from 1 to 5). The files are detected as Trojan-Downloader.Win32.Agent.doe by Kaspersky Antivirus.

HijackThis Symptoms:
O10 - Unknown file in Winsock LSP: c:\windows\system32\laf1.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\laf1.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\laf1.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\laf1.dll

Use LSPFix to remove the files. (Bleeping Computer Guide)
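
A way to check a saved HijackThis log for the O10 symptoms above, as an added example that is not part of the original post. The function names, the sample log (constructed, apart from the laf1.dll lines quoted above) and the assumption that %SYSTEM% resolves to a path ending in \system32 are illustrative.

```python
import re
from collections import Counter

# O10 line format as it appears in the HijackThis output quoted in the post.
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP:\s*(?P<path>.+?)\s*$", re.IGNORECASE)
# File name pattern from the post: laf?.dll with ? from 1 to 5.
# Assumption: the %SYSTEM% folder resolves to a path ending in \system32.
ZLOB_LSP_RE = re.compile(r"^.*\\system32\\laf[1-5]\.dll$", re.IGNORECASE)

def parse_o10(log_text):
    """Count O10 entries per LSP file path (paths lower-cased)."""
    paths = Counter()
    for line in log_text.splitlines():
        m = O10_RE.match(line.strip())
        if m:
            paths[m.group("path").lower()] += 1
    return paths

def zlob_lsp_findings(log_text):
    """Return (dll_path, companion_ini_path, o10_line_count) for each match."""
    findings = []
    for path, count in sorted(parse_o10(log_text).items()):
        if ZLOB_LSP_RE.match(path):
            # The post says a laf?.ini is dropped alongside each laf?.dll.
            findings.append((path, path[:-4] + ".ini", count))
    return findings

# Constructed sample log: the four laf1.dll lines are the ones quoted in the
# post; the other entries are made up to show what is not flagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\app.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\laf1.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\laf1.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\laf1.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\laf1.dll
O10 - Unknown file in Winsock LSP: C:\Program Files\Example\examplelsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\laf7.dll
"""

if __name__ == "__main__":
    for dll, ini, count in zlob_lsp_findings(SAMPLE_LOG):
        print(f"Possible Zlob LSP: {dll} ({count} O10 lines); also check {ini}")
```

Deleting a flagged DLL by hand without repairing the LSP chain can break network connectivity, which is why the post points to LSPFix for removal.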