Trojan:Win32/Zapis.A
First posted on 20 February 2015.
Source: Microsoft
Aliases:
There are no other names known for Trojan:Win32/Zapis.A.
Explanation:
Threat behavior
Installation
This threat usually arrives as a spam email attachment.
The attachment has an embedded executable file. It uses a file name in the following format:
- invoice_DD.MM.YYYY.rtf, for example invoice_10_02_2015.rtf
The malware payload is run when the attachment is opened.
Payload
Downloads other malware
This malware can download other malware onto your PC.
It connects to the following legitimate websites to download installer packages that it needs to perform its routines:
- download.microsoft.com/download/0/6/1/061F001C-8752-4600-A198-53214C69B51F/dotnetfx35setup.exe
- download.microsoft.com/download/7/3/4/7345bb7d-0b07-40e8-9480-5b8c55b9c8b7/WindowsXP-KB926139-v2-x86-ENU.exe
It then connects to the following URL to download other malware:
- hanbunko.org/wp/wp-content/themes/
.exe
We have seen this threat download TrojanDownloader:Win32/Dofoil.T.
The trojan saves the files it downloads in the following location:
- %ALLUSERSPROFILE%\Microsoft-KB
.exe, for example %ALLUSERSPROFILE%\Microsoft-KB520440.exe
Additional information
We have also seen this threat connect to the following URL to update its hit count:
- www.easycounter.com/counter.php
Analysis by Donna Sibangan
Symptoms
The following can indicate that you have this threat on your PC:
- You have these files: %ALLUSERSPROFILE%\Microsoft-KB.exe, for example %ALLUSERSPROFILE%\Microsoft-KB520440.exe
Last update 20 February 2015
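The file-name indicators above (the invoice lure attachment and the Microsoft-KB&lt;digits&gt;.exe file under %ALLUSERSPROFILE%) can be checked with a small script. The following is an added example, not code from the Microsoft entry; it assumes %ALLUSERSPROFILE% resolves to C:\ProgramData and uses constructed sample names.

```python
import ntpath
import re

# Added example built from the indicators documented for Trojan:Win32/Zapis.A.
# The attachment format is given as invoice_DD.MM.YYYY.rtf while the quoted
# sample uses underscores (invoice_10_02_2015.rtf), so both separators match.
LURE_RE = re.compile(r"^invoice_\d{2}[._]\d{2}[._]\d{4}\.rtf$", re.IGNORECASE)
# Downloaded files are saved as %ALLUSERSPROFILE%\Microsoft-KB<digits>.exe,
# e.g. Microsoft-KB520440.exe.
DROP_RE = re.compile(r"^Microsoft-KB\d+\.exe$", re.IGNORECASE)

# Assumed value of %ALLUSERSPROFILE%; on a real host read it from os.environ.
ALLUSERSPROFILE = r"C:\ProgramData"


def is_lure_attachment(filename: str) -> bool:
    """True if an attachment name matches the documented invoice lure pattern."""
    return LURE_RE.match(ntpath.basename(filename)) is not None


def is_dropped_payload(path: str, allusersprofile: str = ALLUSERSPROFILE) -> bool:
    """True if path is Microsoft-KB<digits>.exe directly under %ALLUSERSPROFILE%."""
    directory, name = ntpath.split(path)
    same_dir = ntpath.normcase(directory) == ntpath.normcase(allusersprofile)
    return same_dir and DROP_RE.match(name) is not None


def scan(attachments, paths, allusersprofile=ALLUSERSPROFILE):
    """Return the names/paths that match either indicator, grouped by category."""
    return {
        "lure_attachments": [a for a in attachments if is_lure_attachment(a)],
        "dropped_payloads": [p for p in paths if is_dropped_payload(p, allusersprofile)],
    }


if __name__ == "__main__":
    # Constructed sample data, not real observations.
    mail_attachments = ["invoice_10_02_2015.rtf", "invoice_10.02.2015.rtf", "report.docx"]
    disk_paths = [
        r"C:\ProgramData\Microsoft-KB520440.exe",
        r"C:\ProgramData\Microsoft\Windows\setup.exe",
        r"C:\Users\Public\Microsoft-KB520440.exe",
    ]
    print(scan(mail_attachments, disk_paths))
```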