
Trojan.Zapchas.F

MEDIUM
HIGH
914 976 bytes
(Backdoor.IRC.Zapchast, Trojan.Dropper, IRC/Generic Flooder, Backdoor.IRC.Cloner.ae#1, Backdoor.WinBot)

Symptoms

  • Presence of a file named svchost.exe in the “C:\WINDOWS\system\” directory with a size of 2 000 187 bytes (the malware does not check whether Windows is installed in a different directory; if it is, the directory above is created anyway).
  • Presence of sup.bat in “C:\WINDOWS\system\” with a size of 28 bytes.
  • Presence of the directories “download”, “logs” and “sounds” in the “C:\WINDOWS\system\” directory.
  • Presence of a registry value named “GNP Generic Host Process” with the data “C:\WINDOWS\system\svchost.exe” under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
  • svchost.exe requesting an outbound connection on port 6667 (visible if you run a personal firewall).
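The following PowerShell triage script is an added example, not part of the Bitdefender write-up; it sweeps a host for the indicators listed above (dropped files and their sizes, the created directories, the Run entry, and live connections to port 6667). It assumes an elevated prompt on Windows 8 / Server 2012 or later (for Get-NetTCPConnection), and hard-codes C:\WINDOWS\system because the dropper writes there regardless of the real Windows directory.

```powershell
# Added example: triage checks for the Trojan.Zapchas.F symptoms listed on this page.
# Run from an elevated PowerShell prompt on the suspect host.
$Findings = @()
$DropDir  = 'C:\WINDOWS\system'   # the dropper always uses this path, per the write-up

# 1. Dropped files, with the sizes the write-up gives
$ExpectedFiles = @{ 'svchost.exe' = 2000187; 'sup.bat' = 28 }
foreach ($Name in $ExpectedFiles.Keys) {
    $Path = Join-Path $DropDir $Name
    if (Test-Path -LiteralPath $Path) {
        $Size  = (Get-Item -LiteralPath $Path).Length
        $Match = if ($Size -eq $ExpectedFiles[$Name]) { 'size matches' } else { "size $Size differs" }
        $Findings += "File present: $Path ($Match)"
    }
}

# 2. Directories created by the self-extracting archive
foreach ($Dir in 'download', 'logs', 'sounds') {
    if (Test-Path -LiteralPath (Join-Path $DropDir $Dir) -PathType Container) {
        $Findings += "Directory present: $DropDir\$Dir"
    }
}

# 3. Persistence: Run value named "GNP Generic Host Process"
$RunKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$Run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
if ($Run -and $Run.PSObject.Properties['GNP Generic Host Process']) {
    $Findings += "Run entry: GNP Generic Host Process = $($Run.'GNP Generic Host Process')"
}

# 4. Network: any process with a connection to IRC port 6667. The legitimate
#    svchost.exe lives in System32, so one running from C:\WINDOWS\system is suspect.
Get-NetTCPConnection -RemotePort 6667 -ErrorAction SilentlyContinue | ForEach-Object {
    $Proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    $Findings += "Connection to $($_.RemoteAddress):6667 by PID $($_.OwningProcess) ($($Proc.Path))"
}

if ($Findings) { $Findings | ForEach-Object { Write-Output "[!] $_" } }
else           { Write-Output 'No Trojan.Zapchas.F indicators found.' }
```

A hit on any single check is enough to justify an offline scan, since the write-up notes the dropped svchost.exe is also carrying Win32.Parite.B.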

Removal instructions:

Please let BitDefender disinfect / delete your files.

Analyzed By

Attila-Mihaly Balazs, virus researcher

Technical Description:

The malware arrives as a self-extracting RAR archive disguised as a screen saver named Cristina.scr, 816 160 bytes in size. Executing it extracts 15 files with a total size of 2 000 187 bytes into the “C:\WINDOWS\system\” directory (if Windows is not installed in the default directory, this directory is created). One of the extracted files, “C:\WINDOWS\system\svchost.exe”, is registered under the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run registry key with the name “GNP Generic Host Process”. This file is a customized version of the mIRC client, which connects to a predefined IRC channel using a nick chosen at random from a list of 313 predefined names and hides its main window.

The modified mIRC executable (svchost.exe) is itself infected with Win32.Parite.B, which is activated when the executable is launched. Parite attempts to infect other executables, which may cause random programs to crash.

The infected computers connect to the Undernet IRC network, join a channel and execute commands issued by certain users.

These commands can be used to execute any program the controller wishes and to perform other IRC-related operations (joining channels, changing nicks, etc.).