Backdoor.Zdoogu.F
LOW
LOW
~25 Kbytes
(Backdoor.Win32.Zdoogu.bx, BDS/Zdoogu.BX)
Symptoms
Presence of digiwet.dll in %windir%\system32
Presence of wiaservim.log in %windir%
Removal instructions:
Please let BitDefender disinfect your files.
Analyzed By
Balazs Biro, jr. virus researcher
Technical Description:
The backdoor copies itself to %windir%\system32\digiwet.dll, with the file extension and executable type changed to DLL, and registers the copy to start with Windows by adding it to the registry value:
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders
After this it launches svchost.exe and overwrites the image of svchost.exe in memory with its payload, which does the following:
It creates a file named wiaservim.log in %windir%, probably to record its activity. It connects to 78.109.29.112, downloads and executes a couple of files from there, and then reports back to the same IP.
The downloaded executables belong to the Backdoor.IRCBot family. With their help the compromised computer can be controlled remotely over IRC (Internet Relay Chat).
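The three host-side indicators named above (the dropped DLL in system32, the log file in %windir%, and the DLL's entry in the SecurityProviders registry value) can be checked with a short script. The following is an added example written for this page, not BitDefender's own tooling. It goes slightly beyond the description by also flagging any provider DLL not in a small baseline of the providers normally listed in that value; that baseline, the function names and the sample host data are assumptions constructed for the example. The check logic takes its inputs as plain values so it can be run offline; a small collector reads the live values on a Windows host.

```python
"""Host indicator check for the Backdoor.Zdoogu.F artifacts described above.

Added example, not BitDefender's tooling. It inspects the SecurityProviders
registry value and the two directories named in the description.
"""
import os
import sys

# Indicators taken from the description above.
DROPPED_DLL = "digiwet.dll"
LOG_FILE = "wiaservim.log"
# REG_SZ value holding a comma-separated list of security provider DLLs that
# LSA loads at boot; the backdoor appends its copy here for persistence.
REG_KEY = r"SYSTEM\CurrentControlSet\Control\SecurityProviders"
REG_VALUE = "SecurityProviders"

# Assumption: providers usually present on a clean host, used only as a
# baseline so that unfamiliar entries stand out. Not part of the description.
BASELINE_PROVIDERS = {
    "msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll", "credssp.dll",
}


def parse_security_providers(value):
    """Split the comma-separated REG_SZ value into normalised DLL names."""
    return [p.strip().lower() for p in value.split(",") if p.strip()]


def check_indicators(security_providers_value, system32_listing, windir_listing):
    """Return a list of (indicator_kind, detail) tuples for every match found."""
    findings = []
    providers = parse_security_providers(security_providers_value)
    if DROPPED_DLL in providers:
        findings.append(("registry", f"{REG_VALUE} lists {DROPPED_DLL}"))
    for p in providers:
        if p not in BASELINE_PROVIDERS and p != DROPPED_DLL:
            findings.append(("registry-unknown", f"unrecognised provider {p}"))
    s32 = {name.lower() for name in system32_listing}
    wd = {name.lower() for name in windir_listing}
    if DROPPED_DLL in s32:
        findings.append(("file", rf"%windir%\system32\{DROPPED_DLL} present"))
    if LOG_FILE in wd:
        findings.append(("file", rf"%windir%\{LOG_FILE} present"))
    return findings


def collect_live():
    """Gather the same inputs from a running Windows host (None elsewhere)."""
    if sys.platform != "win32":
        return None
    import winreg
    windir = os.environ.get("SystemRoot", r"C:\Windows")
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REG_KEY) as key:
        value, _ = winreg.QueryValueEx(key, REG_VALUE)
    return (value, os.listdir(os.path.join(windir, "system32")), os.listdir(windir))


# Constructed sample input resembling an infected host (not real telemetry).
SAMPLE_PROVIDERS = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll"
SAMPLE_SYSTEM32 = ["kernel32.dll", "svchost.exe", "DIGIWET.DLL"]
SAMPLE_WINDIR = ["explorer.exe", "wiaservim.log"]

if __name__ == "__main__":
    inputs = collect_live() or (SAMPLE_PROVIDERS, SAMPLE_SYSTEM32, SAMPLE_WINDIR)
    for kind, detail in check_indicators(*inputs):
        print(f"[{kind}] {detail}")
```

On a Windows host the script reads the real registry value and directory listings; anywhere else it runs against the constructed sample and reports the registry entry and both dropped files. File names are compared case-insensitively because NTFS is, so a differently cased copy of the DLL is still caught.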