Backdoor.ZXShell
First posted on 21 February 2014.
Source: Symantec
Aliases:
There are no other names known for Backdoor.ZXShell.
Explanation:
When the Trojan is executed, it checks the following registry subkey for any entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\zxplug
If this registry subkey has entries, the Trojan assumes that they are DLL files and loads them.
Next, the Trojan connects to the following remote location to retrieve configuration details:
newss.effers.com
The Trojan then saves these configuration details in the following file:
%Temp%\~tmp
The Trojan then opens a back door on the compromised computer on an arbitrary TCP port.
The Trojan may then perform the following actions:
- Add and delete users
- Change user passwords
- Execute processes with the credentials of another user
- Dump process memory
- Start a SOCKS proxy
- Dump system passwords from memory
- Open a root shell
- Take screenshots
- Execute arbitrary commands
- Port map other computers
- Gather information about the compromised computer (operating system, hardware, etc.)
Last update 21 February 2014
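As an added host-triage example (not part of Symantec's write-up), the following PowerShell checks a Windows host for the artifacts described above: the zxplug registry subkey and any DLLs it references, the %Temp%\~tmp configuration file, and a cached DNS lookup of the configuration server. It assumes the registry values hold file paths and that Get-DnsClientCache is available (Windows 8 / Server 2012 or later); run it from an elevated prompt.

```powershell
# Added triage example, not code from the Symantec description.
# Collects evidence of the Backdoor.ZXShell artifacts listed on this page.
$findings = @()

# 1. Registry subkey the Trojan reads for DLL paths to load.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\zxplug'
if (Test-Path $key) {
    $item = Get-Item $key
    $findings += "Registry key present: $key"
    foreach ($name in $item.GetValueNames()) {
        $value = $item.GetValue($name)
        $findings += "  value '$name' = $value"
        # Assumption: values are file paths. Hash any that still exist on disk
        # so they can be looked up or submitted for analysis.
        if ($value -is [string] -and (Test-Path -LiteralPath $value)) {
            $hash = (Get-FileHash -LiteralPath $value -Algorithm SHA256).Hash
            $findings += "    file exists, SHA256 $hash"
        }
    }
}

# 2. File where the retrieved configuration details are saved.
$cfg = Join-Path $env:TEMP '~tmp'
if (Test-Path -LiteralPath $cfg) {
    $size = (Get-Item -LiteralPath $cfg).Length
    $findings += "Config artifact present: $cfg ($size bytes)"
}

# 3. Cached DNS resolution of the configuration server.
if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
    $dns = Get-DnsClientCache | Where-Object { $_.Entry -like '*effers.com' }
    if ($dns) { $findings += "DNS cache hit: $(($dns.Entry | Select-Object -Unique) -join ', ')" }
}

if ($findings.Count -eq 0) {
    'No Backdoor.ZXShell artifacts found.'
} else {
    'Possible Backdoor.ZXShell artifacts:'
    $findings
}
```

Because the back door listens on an arbitrary TCP port, no port check is included; compare `Get-NetTCPConnection -State Listen` against a known-good baseline for the host instead.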