Backdoor:Win32/Zegost.AD
First posted on 03 July 2012.
Source: Microsoft
Aliases:
Backdoor:Win32/Zegost.AD is also known as TROJ_SPNR.30EE12 (Trend Micro), Trojan-Spy.Win32.KeyLogger.rli (Kaspersky).
Explanation:
Backdoor:Win32/Zegost.AD is malware that drops a backdoor trojan on your computer. The dropped backdoor trojan is detected as Backdoor:Win32/Zegost.X.
Installation
Backdoor:Win32/Zegost.AD copies itself to your computer as the following file:
%TEMP%\kbdmgr.exe
It also creates the following shortcut, which points to its copy:
<startup folder>\kbdmgr.lnk
Note: <startup folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the Startup folder for Windows XP and 2003 is '%USERPROFILE%\Start Menu\Programs\Startup'. For Windows Vista and 7, the default location is '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'.
It also creates the following mutex:
"WuSh B- Is Running!"
Payload
Deletes security-related files
Backdoor:Win32/Zegost.AD attempts to delete Kaspersky antivirus files.
Drops other malware
Backdoor:Win32/Zegost.AD creates the following file, then injects it into the "explorer.exe" process:
%TEMP%\kbdmgr.dll
This file is detected as Backdoor:Win32/Zegost.X.
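The installation and payload sections above give a small, concrete set of host indicators: the two files in %TEMP%, the Startup-folder shortcut, the mutex name, and the DLL injected into explorer.exe. The following PowerShell triage script, added here as an example and not part of the Microsoft entry, checks a Windows host for each of them and reports what it finds. File names, the mutex string and the target process are taken from the entry; the function name, the output format and the decision to also try the Global\ mutex namespace (the entry does not say which namespace is used) are my own assumptions.

```powershell
# Added triage script (not part of the Microsoft entry): checks a Windows host for
# the Backdoor:Win32/Zegost.AD indicators described above. Run it from the user
# session being investigated, ideally elevated so explorer.exe modules are readable.

function Get-ZegostIndicators {
    $findings = @()

    # 1. Dropped executable and DLL in %TEMP% (paths from the entry).
    foreach ($name in 'kbdmgr.exe', 'kbdmgr.dll') {
        $path = Join-Path $env:TEMP $name
        if (Test-Path -LiteralPath $path) {
            $item = Get-Item -LiteralPath $path
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $findings += [pscustomobject]@{
                Indicator = 'DroppedFile'
                Detail    = $path
                Extra     = "sha256=$hash size=$($item.Length) mtime=$($item.LastWriteTimeUtc.ToString('u'))"
            }
        }
    }

    # 2. Startup-folder shortcut. GetFolderPath('Startup') resolves the per-user
    #    Startup folder on any Windows version, so the XP/2003 vs Vista/7 default
    #    paths quoted in the entry do not need to be hard-coded here.
    $startup = [Environment]::GetFolderPath('Startup')
    $lnk = Join-Path $startup 'kbdmgr.lnk'
    if (Test-Path -LiteralPath $lnk) {
        $shell  = New-Object -ComObject WScript.Shell
        $target = $shell.CreateShortcut($lnk).TargetPath
        $findings += [pscustomobject]@{
            Indicator = 'StartupShortcut'
            Detail    = $lnk
            Extra     = "target=$target"
        }
    }

    # 3. Mutex. OpenExisting throws WaitHandleCannotBeOpenedException when no such
    #    object exists (the clean result). A successful open, or an
    #    UnauthorizedAccessException, both mean the object exists.
    #    Assumption: the entry gives the name only, so the session-local name and
    #    the Global\ form are both tried.
    foreach ($mutexName in 'WuSh B- Is Running!', 'Global\WuSh B- Is Running!') {
        try {
            $m = [System.Threading.Mutex]::OpenExisting($mutexName)
            $m.Dispose()
            $findings += [pscustomobject]@{ Indicator = 'Mutex'; Detail = $mutexName; Extra = 'present' }
        } catch [System.Threading.WaitHandleCannotBeOpenedException] {
            # not present: expected on a clean host
        } catch [System.UnauthorizedAccessException] {
            $findings += [pscustomobject]@{ Indicator = 'Mutex'; Detail = $mutexName; Extra = 'present (access denied)' }
        }
    }

    # 4. kbdmgr.dll loaded into explorer.exe. Reading another process's module
    #    list can fail without sufficient rights, so each process is wrapped.
    foreach ($proc in Get-Process -Name explorer -ErrorAction SilentlyContinue) {
        try {
            $mod = $proc.Modules | Where-Object { $_.ModuleName -ieq 'kbdmgr.dll' }
            if ($mod) {
                $findings += [pscustomobject]@{
                    Indicator = 'InjectedModule'
                    Detail    = "explorer.exe PID $($proc.Id)"
                    Extra     = $mod.FileName
                }
            }
        } catch {
            Write-Warning "Could not enumerate modules of explorer.exe PID $($proc.Id): $_"
        }
    }

    return $findings
}

$results = @(Get-ZegostIndicators)
if ($results.Count -eq 0) {
    Write-Output 'No Backdoor:Win32/Zegost.AD indicators found.'
} else {
    $results | Format-Table -AutoSize
}
```

The SHA-256 and timestamp of any file it finds are reported so the sample can be matched against the vendor detections listed under Aliases and placed on a timeline; an absent mutex only shows the backdoor is not currently running, so the file and shortcut checks still matter on a host that has been rebooted.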
Analysis by Patrik Vicol
Last update 03 July 2012