
Trojan:Win32/Zues.A


First posted on 21 February 2009.
Source: SecurityHome

Aliases:

Trojan:Win32/Zues.A is also known as Backdoor.Win32.Agent.faf (Kaspersky), Trojan.Crypt.XPACK.Gen (Sunbelt Software) and TROJ_ZUES.A (Trend Micro).

Explanation:

Trojan:Win32/Zues.A is a trojan that connects to a remote website in order to download and install other files. It may also gather information about the system.

Symptoms

System changes. The following system changes may indicate the presence of this malware:

  • The presence of the following files in "%windir%\help":
    zeus.exe
    adprop1.hlp
    adprop2.hlp
    adprop3.hlp
  • The presence of the following registry modification:
    Added value: "zeus"
    With data: "%windir%\help\zeus.exe"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run


    Installation
    Upon execution, Trojan:Win32/Zues.A creates the following files in the "%windir%\help" folder:
  • zeus.exe - also detected as Trojan:Win32/Zues.A
  • adprop1.hlp - file containing malware settings
  • adprop2.hlp - file containing malware settings

    It modifies the system registry so that "zeus.exe" runs every time Windows starts:
    Adds value: "zeus"
    With data: "%windir%\help\zeus.exe"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    It deletes the following file, if it exists:
    %windir%\help\adprop0.hlp

    When "zeus.exe" is run, it drops the following file in the "%windir%\help" folder:
    adprop3.hlp

    It also copies itself, under a random file name, into an already existing folder on the system, for example:
    %windir%\Connection Wizard\foh.exe

    It then modifies the system registry so that the dropped copy runs every time Windows starts:
    Adds value: "spad"
    With data: "%windir%\connection wizard\foh.exe"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    It also creates the following registry keys:
  • HKCU\Software\tagrevenue
  • HKCU\Software\zeus
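    The persistence described above leaves two kinds of artefact a responder can check for: the Run values and the files in the help folder. The following Python script is an added example, not code from the write-up or from the malware's vendor; it scans `reg query` output for the Run key and a folder listing for the dropped files. The sample `reg query` text and the temporary stand-in for %windir%\help are constructed for the example. Two points go beyond the write-up and are this example's own assumptions: the allow-list of %windir% subfolders (system32, syswow64) from which an autorun executable is expected, and the generalisation that any Run value starting an .exe from some other %windir% subfolder is suspect (the write-up gives only the `Connection Wizard\foh.exe` instance of a random name under an existing folder).

```python
import os
import re
import tempfile

# Indicators taken from the write-up above.
IOC_RUN_VALUE_NAMES = {"zeus", "spad"}
IOC_HELP_FILES = {"zeus.exe", "adprop1.hlp", "adprop2.hlp", "adprop3.hlp"}
# Assumption of this example: %windir% subfolders from which a Run entry may legitimately
# start an .exe. The trojan's second copy lands in some other existing subfolder.
LEGIT_WINDIR_EXE_DIRS = {"system32", "syswow64"}

# One value line of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`:
# four spaces, name, four spaces, type, four spaces, data.
RUN_LINE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_\w+) {4}(?P<data>.*)$")


def executable_of(data: str, windir: str = r"C:\Windows") -> str:
    r"""Reduce a Run value's command line to its executable path, lower-cased, with
    %windir% expanded. Handles both `"C:\path with spaces\a.exe" /arg` and the
    unquoted form the trojan writes (`%windir%\connection wizard\foh.exe`)."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        exe = data[1:end] if end > 0 else data[1:]
    else:
        m = re.match(r"(.*?\.exe)(?=\s|$)", data, re.IGNORECASE)
        exe = m.group(1) if m else data
    exe = re.sub(r"%windir%", lambda _: windir, exe, flags=re.IGNORECASE)
    return exe.lower()


def classify_run_value(name: str, data: str, windir: str = r"C:\Windows") -> list[str]:
    """Return the reasons (empty if none) a Run value matches the Zues.A indicators."""
    reasons = []
    exe = executable_of(data, windir)
    wd = windir.lower()
    if name.lower() in IOC_RUN_VALUE_NAMES:
        reasons.append(f"value name {name!r} is a known Zues.A autorun name")
    if exe == wd + r"\help\zeus.exe":
        reasons.append("starts the primary dropper %windir%\\help\\zeus.exe")
    if exe.startswith(wd + "\\"):
        parts = exe[len(wd) + 1:].split("\\")
        if len(parts) == 2 and parts[0] not in LEGIT_WINDIR_EXE_DIRS:
            reasons.append(f"autorun .exe in unexpected %windir% subfolder {parts[0]!r}")
    return reasons


def scan_run_query(reg_query_output: str, windir: str = r"C:\Windows") -> dict[str, list[str]]:
    """Map each suspicious Run value name to the reasons it was flagged."""
    findings = {}
    for line in reg_query_output.splitlines():
        m = RUN_LINE.match(line)
        if m:
            reasons = classify_run_value(m["name"], m["data"], windir)
            if reasons:
                findings[m["name"]] = reasons
    return findings


def scan_help_folder(help_dir: str) -> set[str]:
    """Return which of the dropped file names are present in the given help folder."""
    try:
        present = {entry.lower() for entry in os.listdir(help_dir)}
    except FileNotFoundError:
        return set()
    return IOC_HELP_FILES & present


# Constructed sample output of `reg query ...\Run` from an infected host: two benign
# entries plus the two values the write-up describes.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    ctfmon    REG_SZ    C:\Windows\system32\ctfmon.exe
    zeus    REG_SZ    %windir%\help\zeus.exe
    spad    REG_SZ    %windir%\connection wizard\foh.exe
"""


def build_sample_help_folder() -> str:
    r"""Create a throwaway stand-in for %windir%\help holding the dropper, two settings
    files and one unrelated help file (constructed for this example)."""
    folder = tempfile.mkdtemp(prefix="help-")
    for name in ("zeus.exe", "adprop1.hlp", "adprop2.hlp", "notepad.hlp"):
        open(os.path.join(folder, name), "wb").close()
    return folder


if __name__ == "__main__":
    for value, why in scan_run_query(SAMPLE_REG_QUERY).items():
        print(f"Run\\{value}: " + "; ".join(why))
    print("dropped files present:", sorted(scan_help_folder(build_sample_help_folder())))
```

    On a live host the same functions take the real output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and the real `%windir%\help` path; matching on the data path as well as the value name matters because the second copy's file name is random and only the value name "spad" and the unusual launch folder identify it.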


    Payload

    Connects to a website
    Trojan:Win32/Zues.A checks for an Internet connection by contacting "www.microsoft.com". If a connection is detected, it then connects to the following URL:
    zeus.<removed>.com/log-bin/lunch_install.php?aff_id=%CXT1%&lunch_id=%CXT2%&maddr=%MAC%&action=install
    where "CXT1" is the content of the file "adprop1.hlp", "CXT2" is the content of the file "adprop2.hlp" and "MAC" is the MAC address of the system's network card.

    Downloads files
    Trojan:Win32/Zues.A attempts to connect to and download files from "zeus.<removed>.com", again using the CXT1, CXT2 and MAC parameters. It may also contact or download files from:
  • run.<removed>revenue.net
  • drag.<removed>revenue.net

    Gathers system information
    Trojan:Win32/Zues.A is capable of performing certain actions on the system, such as the following:
  • Read the contents of the system file "autoexec.bat"
  • Read the system's phone book details
  • Enumerate program windows
  • Enumerate installed programs
  • Check whether the following programs are running on the system, presumably to avoid detection:
    Olly Debugger
    Wireshark
    Ethereal Network Analyzer
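    The check-in URL above carries three values that identify the infection (the affiliate id and launch id read from adprop1.hlp and adprop2.hlp, and the host's MAC address), and the later downloads reuse the same three parameters, so a proxy-log search should key on that parameter triple rather than on the redacted hostname alone. The following Python script is an added example, not code from the write-up; it parses constructed proxy log lines, extracts the beacon fields from any URL carrying the triple, and marks which hits are the install check-in. The log line format, the hostnames (`zeus.example.com`, `run.example.net`, `drag.example.net` stand in for the redacted ones) and the parameter values are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# From the write-up: the install check-in path and the three parameters every
# beacon carries. The hostname is redacted there, so matching does not depend on it.
INSTALL_PATH = "/log-bin/lunch_install.php"
BEACON_PARAMS = {"aff_id", "lunch_id", "maddr"}
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$|^[0-9A-Fa-f]{12}$")

# Constructed proxy log format for this example: "<timestamp> <client> <method> <url> <status>".
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def parse_beacon(url: str):
    """Return the Zues.A beacon fields carried by `url`, or None if it carries none.

    The presence of aff_id, lunch_id and maddr together is the match condition, since
    the write-up says the download requests reuse them; the install path and
    action=install only refine the hit."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if not BEACON_PARAMS.issubset(query):
        return None
    action = query.get("action", [None])[0]
    mac = query["maddr"][0]
    return {
        "host": parts.hostname,
        "path": parts.path,
        "aff_id": query["aff_id"][0],      # content of adprop1.hlp on the infected host
        "lunch_id": query["lunch_id"][0],  # content of adprop2.hlp
        "maddr": mac,                      # MAC address of the host's network card
        "mac_well_formed": bool(MAC_RE.match(mac)),
        "action": action,
        "is_install": parts.path.endswith(INSTALL_PATH) and action == "install",
    }


def scan_proxy_log(lines):
    """Return one finding per log line that carries a beacon, tagged with source and time."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        beacon = parse_beacon(m["url"])
        if beacon:
            beacon.update(ts=m["ts"], src=m["src"])
            hits.append(beacon)
    return hits


# Constructed sample log: the connectivity check, the install check-in, a follow-up
# download from a second host, an unrelated request, and a beacon with a malformed MAC.
SAMPLE_LOG = [
    "2009-02-21T10:01:02Z 10.0.0.7 GET http://www.microsoft.com/ 200",
    "2009-02-21T10:01:03Z 10.0.0.7 GET http://zeus.example.com/log-bin/lunch_install.php"
    "?aff_id=1043&lunch_id=77&maddr=00-1A-2B-3C-4D-5E&action=install 200",
    "2009-02-21T10:01:09Z 10.0.0.7 GET http://run.example.net/get.php"
    "?aff_id=1043&lunch_id=77&maddr=00-1A-2B-3C-4D-5E 200",
    "2009-02-21T10:02:00Z 10.0.0.9 GET http://intranet.example.com/search?q=lunch_id+report 200",
    "2009-02-21T10:05:00Z 10.0.0.11 GET http://drag.example.net/get.php"
    "?aff_id=9&lunch_id=9&maddr=unknown 404",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        kind = "install check-in" if hit["is_install"] else "download/check-in"
        print(f'{hit["ts"]} {hit["src"]} -> {hit["host"]}: {kind}, '
              f'aff_id={hit["aff_id"]}, mac={hit["maddr"]} (well-formed: {hit["mac_well_formed"]})')
```

    The `maddr` value is worth extracting on its own: it is the MAC address of the infected machine, so it ties each beacon to a host even when the client address in the log is a NAT gateway, and a malformed value hints at a tampered or replayed request rather than a fresh infection.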


    Analysis by Patrik Vicol

    Last update 21 February 2009