Friday, April 18, 2008

Zlob

The Zlob fake codec has been updated. It drops the following file and creates the following registry value:

%SYSTEM%\bubbj.dll

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{db763ed8-100a-481b-8913-50a2f41dcdc3}"="exegeses"

It also installs a toolbar, a BHO, the VirusHeat rogue software...

The bubbj.dll filename was already used by this infection last year. This time the CLSID is different.

Use SmitfraudFix to remove the infection.
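
Because the filename was reused while the CLSID changed, a check should match on either indicator. The following is an added example, not part of the original post: it parses a .reg export and flags SharedTaskScheduler entries whose CLSID or resolved DLL name matches the values above. The sample export, its two extra CLSIDs and the InprocServer32 lookup used to resolve a CLSID to its DLL are assumptions made for illustration.

```python
import re

# Indicators taken from the post above.
ZLOB_CLSID = "{db763ed8-100a-481b-8913-50a2f41dcdc3}"
ZLOB_DLL = "bubbj.dll"
STS_KEY = (r"hkey_local_machine\software\microsoft\windows"
           r"\currentversion\explorer\sharedtaskscheduler")
SECTION = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

# Constructed sample export; only the first value comes from the post.
SAMPLE = r'''
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{db763ed8-100a-481b-8913-50a2f41dcdc3}"="exegeses"
"{00000000-1111-2222-3333-444444444444}"="constructed other variant"
"{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"="constructed unrelated entry"
[HKEY_CLASSES_ROOT\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32]
@="C:\\WINDOWS\\system32\\bubbj.dll"
'''

def parse_reg(text):
    """Parse .reg-style text into {lowercased key path: {value name: data}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := SECTION.match(line):
            path = m.group(1).lower()
            if path.startswith("hklm\\"):  # expand the abbreviation the post uses
                path = "hkey_local_machine" + path[4:]
            current = keys.setdefault(path, {})
        elif (m := VALUE.match(line)) and current is not None:
            current[m.group(1).strip('"')] = m.group(2).replace("\\\\", "\\")
    return keys

def scan(text):
    """Return (clsid, label, dll, reasons) for entries matching either indicator."""
    keys, findings = parse_reg(text), []
    for clsid, label in keys.get(STS_KEY, {}).items():
        dll = ""
        for root in ("hkey_classes_root", "hkey_local_machine\\software\\classes"):
            sub = f"{root}\\clsid\\{clsid.lower()}\\inprocserver32"
            dll = keys.get(sub, {}).get("@", dll)  # "@" is the default value
        reasons = []
        if clsid.lower() == ZLOB_CLSID:
            reasons.append("CLSID from post")
        if dll.lower().rsplit("\\", 1)[-1] == ZLOB_DLL:
            reasons.append("DLL name from post")
        if reasons:
            findings.append((clsid, label, dll, reasons))
    return findings
```

Calling `scan(SAMPLE)` reports the first two entries and leaves the third, which matches neither indicator, unflagged.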