
Backdoor.Zelug


First posted on 15 December 2015.
Source: Symantec

Aliases :

There are no other names known for Backdoor.Zelug.

Explanation :

Once executed, the Trojan creates the following files:
%AppData%\spoolsv.exe
[PATH TO THREAT]\update.exe
The Trojan creates the following registry entries so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"winx" = "%AppData%\spoolsv.exe"
HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"winx" = "%AppData%\spoolsv.exe"
The Trojan then opens a back door on the compromised computer, and connects to the following remote location:
motorola.zyns.com
Next, the Trojan gathers the following information from the compromised computer and sends it to the remote location:
IP address
Hostname
User name
Operating system version
The Trojan may then perform the following actions:
Update itself
List available drives
List files
Download, execute, read, write, and delete files
Create remote shell
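A host triage check for the artifacts listed above, added here as an example; it is not Symantec's or malwarePDF's code. It reads the two policies\Explorer\Run keys for a "winx" value, tests for %AppData%\spoolsv.exe (the legitimate print spooler lives in %SystemRoot%\System32, so a copy under %AppData% is itself suspicious), and looks in the local DNS client cache for the C2 hostname without generating any network traffic. The variable names and output format are this example's own assumptions.

```powershell
# Added example: triage a Windows host for the Backdoor.Zelug indicators from the writeup above.
# Indicators are taken from the description; everything else (names, output) is assumed here.
$Indicators = @{
    Files   = @("$env:APPDATA\spoolsv.exe")           # %AppData%\spoolsv.exe
    RunKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
    )
    ValueName = 'winx'
    Domain    = 'motorola.zyns.com'
}

$Findings = @()

# 1. Dropped file: hash it so the result can be pivoted on elsewhere.
foreach ($Path in $Indicators.Files) {
    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        $Hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        $Findings += "File present: $Path (SHA256 $Hash)"
    }
}

# 2. Persistence: the policies\Explorer\Run keys are rarely populated on a clean host,
#    so report any "winx" value there, whatever it points to.
foreach ($Key in $Indicators.RunKeys) {
    if (Test-Path -LiteralPath $Key) {
        $Props = Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue
        $Value = $Props.PSObject.Properties[$Indicators.ValueName]
        if ($Value) {
            $Findings += "Registry value: $Key\$($Indicators.ValueName) = $($Value.Value)"
        }
    }
}

# 3. C2 hostname: check the DNS client cache only (no lookup is issued).
#    Get-DnsClientCache is available on Windows 8 / Server 2012 and later.
if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
    $CacheHit = Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -like "*$($Indicators.Domain)*" }
    if ($CacheHit) {
        $Findings += "DNS cache entry for $($Indicators.Domain)"
    }
}

if ($Findings.Count -gt 0) {
    $Findings | ForEach-Object { Write-Output "[!] $_" }
} else {
    Write-Output "No Backdoor.Zelug indicators found on $env:COMPUTERNAME."
}
```

The HKCU check only covers the user running the script; to cover other profiles on a shared machine, load each user's NTUSER.DAT hive and repeat the registry check under it. Reading HKLM does not require elevation, but removing the value and the dropped file does.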

Last update 15 December 2015
