W32.Zorenium
First posted on 17 June 2014.
Source: Symantec
Aliases :
There are no other names known for W32.Zorenium.
Explanation :
When the worm is executed, it creates the following file:
%Windir%\unt32.exe
Next, the worm creates the following registry entries so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe %Windir%\unt32.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Windows Service Manager" = "%Windir%\unt32.exe"
On a clean system the Winlogon "Shell" value contains only "explorer.exe"; appending a second executable makes Winlogon launch it alongside the desktop shell at every logon, so any extra path in that value is a reliable sign of tampering.
The worm then connects to the following remote locations:
[http://]208.64.38.55:80/procres[REMOVED]
[http://]208.64.38.55:80/Logi[REMOVED]
[http://]208.64.38.55:80/Regist[REMOVED]
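The following Python script is an added triage example; it is not part of Symantec's write-up and not code from the worm. It parses the text that `reg query` prints on a host for the two autostart keys listed above, flags the Winlogon Shell hijack (any value other than the stock "explorer.exe", so it also catches other families using the same trick) and any Run value that launches unt32.exe, and then matches proxy log lines against the C2 host. The registry text, the log lines and their `_LOG_RE` format are constructed samples; the URL paths in them are stand-ins, because the write-up redacts the real remainder after each prefix, so only the prefix is matched.

```python
"""Triage helpers for the W32.Zorenium persistence and C2 indicators.

Added example, not Symantec's code. Input is the text printed by
`reg query` on the host plus proxy log lines (both constructed below).
"""
import re
from typing import Dict, List, Tuple

# Indicators taken from the write-up.
DROPPED_FILE = "unt32.exe"
C2_HOST = "208.64.38.55"
# The write-up truncates the paths, so only these prefixes are known.
C2_PATH_PREFIXES = ("/procres", "/Logi", "/Regist")

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# One value line of `reg query` output: "    Name    REG_SZ    Data"
_VALUE_RE = re.compile(r"^\s+(?P<name>\S.*?)\s{2,}(?P<type>REG_[A-Z_]+)\s{2,}(?P<data>.*)$")
# Constructed proxy log format: timestamp client method url
_LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")
_URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/.*)?$")

# Constructed sample: what `reg query <key>` prints on an infected host.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    Explorer.exe C:\Windows\unt32.exe
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Windows Service Manager    REG_SZ    C:\Windows\unt32.exe
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
"""

# Constructed sample log lines; "-sample" stands in for the redacted path tail.
SAMPLE_PROXY_LOG = [
    "2014-06-17T10:02:11Z 10.0.0.23 GET http://208.64.38.55:80/procres-sample",
    "2014-06-17T10:02:12Z 10.0.0.23 POST http://208.64.38.55:80/Login-sample",
    "2014-06-17T10:03:40Z 10.0.0.41 GET http://www.example.com/index.html",
    "2014-06-17T10:04:05Z 10.0.0.23 GET http://208.64.38.55/update-sample",
]


def parse_reg_query(text: str) -> Dict[str, Dict[str, str]]:
    """Parse `reg query` output into {key_path: {value_name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.upper().startswith("HKEY_"):
            current = line.strip()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("data").strip()
    return keys


def check_persistence(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Return findings for the two autostart locations the worm abuses."""
    findings = []
    shell = keys.get(WINLOGON_KEY, {}).get("Shell")
    # Stock value is exactly "explorer.exe"; anything appended is a hijack.
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append(f"Winlogon Shell hijacked: {shell!r}")
    for name, data in keys.get(RUN_KEY, {}).items():
        if DROPPED_FILE in data.lower():
            findings.append(f"Run value {name!r} launches {DROPPED_FILE}: {data!r}")
    return findings


def match_c2(log_lines: List[str]) -> List[Tuple[str, str, bool]]:
    """Return (client, url, path_is_known) for every request to the C2 host.

    Any contact with the host is reported; the flag says whether the path
    also starts with one of the prefixes named in the write-up.
    """
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        u = _URL_RE.match(m.group("url"))
        if not u or u.group("host") != C2_HOST:
            continue
        path = u.group("path") or "/"
        hits.append((m.group("client"), m.group("url"), path.startswith(C2_PATH_PREFIXES)))
    return hits


if __name__ == "__main__":
    for f in check_persistence(parse_reg_query(SAMPLE_REG_QUERY)):
        print("REGISTRY:", f)
    for client, url, known in match_c2(SAMPLE_PROXY_LOG):
        print("NETWORK:", client, url, "(known path)" if known else "(host only)")
```

On a live host, feed the script the real output of `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"` and `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"` instead of the constructed sample; the Shell check is deliberately not tied to the unt32.exe filename so a renamed dropper still trips it.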
The worm may then perform the following actions:
Install a keylogger to steal login credentials from online payment and gaming services
Download and execute files
End antivirus and administration processes
Use the compromised computer to perform distributed denial-of-service attacks
Undertake port scans
The worm then emails itself with the following characteristics:
Subject:
RE:
Message body:
"here is your requested facebook chat beta invite"
Attachment:
Computer.exe
Attachment size:
1MB
Last update 17 June 2014