Win32/Dipeok [Threat Name]

Win32/Dipeok.A [Threat Variant Name]

Category: trojan
Size: 500903 B
Detection created: Apr 12, 2010
Detection database version: 10748
Aliases: Worm.Win32.Vobfus.eqxg (Kaspersky), BackDoor.Ddoser.267 (Dr.Web)
Short description

The trojan serves as a backdoor and can be controlled remotely. The file is run-time compressed as a WinRAR self-extracting (SFX) archive.

Installation

When executed, the trojan creates the following files:

  • %userprofile%\­ztchg\­6738.AXZ (14856 B)
  • %userprofile%\­ztchg\­JavaUpdater.com (750320 B)
  • %userprofile%\­ztchg\­1584499.vbe (63 B, VBS/Starter.NAQ)
  • %userprofile%\­ztchg\­6737598.ZJG (6618758 B)
  • %userprofile%\­ztchg\­18767.PEV (278 B)
  • %userprofile%\­ztchg\­start.vbs
  • %userprofile%\­ztchg\­start.cmd

In order to be executed on every system start, the trojan creates the following file:

  • %startup%\­ztchg\­start.lnk

The file is a shortcut to a malicious file.
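The paths and sizes above, together with the Startup shortcut, are usable as file-system indicators. The script below is an added example and not code from the ESET description or from the malware itself: it matches a (path, size) listing against the ztchg drop files by name and, where the description gives one, by exact size, and also reports the Startup shortcut and any copy of a drop file found outside the ztchg folder. The sample listing, the user name "alice" and the benign files in it are constructed.

```python
# Added example (not part of the ESET description): match a file listing against
# the Win32/Dipeok.A drop-file indicators listed above. It works on (path, size)
# pairs so it runs offline; list_tree() builds such a listing from a real directory.
import os
from typing import Iterable, List, Tuple

# Files the description says are created under %userprofile%\ztchg, with the
# sizes it gives (None where no size is stated). check.txt is created at run time.
DROPPED_FILES = {
    "6738.axz": 14856,
    "javaupdater.com": 750320,
    "1584499.vbe": 63,
    "6737598.zjg": 6618758,
    "18767.pev": 278,
    "start.vbs": None,
    "start.cmd": None,
    "check.txt": None,
}

# Constructed sample listing; the user name "alice" and the extra files are made up.
SAMPLE_LISTING = [
    (r"C:\Users\alice\ztchg\6738.AXZ", 14856),
    (r"C:\Users\alice\ztchg\JavaUpdater.com", 750320),
    (r"C:\Users\alice\ztchg\1584499.vbe", 63),
    (r"C:\Users\alice\ztchg\start.vbs", 1201),
    (r"C:\Users\alice\ztchg\notes.txt", 10),
    (r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ztchg\start.lnk", 1034),
    (r"C:\Users\alice\Downloads\JavaUpdater.com", 750320),  # right name and size, wrong folder
]


def list_tree(root: str) -> List[Tuple[str, int]]:
    """Build a (path, size) listing from a directory tree on disk."""
    out = []
    for d, _, files in os.walk(root):
        for f in files:
            p = os.path.join(d, f)
            try:
                out.append((p, os.path.getsize(p)))
            except OSError:  # unreadable or vanished file: skip it, do not abort the scan
                pass
    return out


def scan_listing(entries: Iterable[Tuple[str, int]]) -> List[Tuple[str, str]]:
    """Return (reason, path) for every entry that matches a Dipeok indicator."""
    hits = []
    for path, size in entries:
        parts = path.replace("/", "\\").lower().split("\\")
        name = parts[-1]
        parent = parts[-2] if len(parts) > 1 else ""
        in_startup = "startup" in parts
        expected = DROPPED_FILES.get(name)
        if parent == "ztchg" and name == "start.lnk" and in_startup:
            hits.append(("startup shortcut", path))
        elif parent == "ztchg" and name in DROPPED_FILES:
            if expected is None:
                hits.append(("dropped file, name match", path))
            elif size == expected:
                hits.append(("dropped file, name and size match", path))
            else:
                hits.append(("dropped file, name match but size differs", path))
        elif expected is not None and size == expected:
            # Same name and exact size elsewhere: likely a copy of the dropped file.
            hits.append(("dropped file outside ztchg", path))
    return hits
```

To check a real machine, call scan_listing(list_tree(r"C:\Users")) and review the returned pairs; a size mismatch on one of the named files is still worth a look, since it may simply be a different build of the same component.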


In order to be executed on system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER64\­Software\­Microsoft\­Windows\­CurrentVersion\­RunOnce]
    • "ztchg" = "%userprofile%\­ztchg\­start.vbs"

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE64\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Policies\­System]
    • "EnableLUA" = 0
  • [HKEY_CURRENT_USER64\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­System]
    • "DisableTaskMgr" = 1
  • [HKEY_CURRENT_USER64\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer]
    • "NoFolderOptions" = 1
  • [HKEY_CURRENT_USER64\­Software\­Microsoft\­Windows\­CurrentVersion\­Explorer\­Advanced]
    • "ShowSuperHidden" = 0

EnableLUA = 0 turns off User Account Control (effective after the next restart), DisableTaskMgr = 1 blocks Task Manager, NoFolderOptions = 1 removes the Folder Options dialog so the hidden-file settings cannot be changed, and ShowSuperHidden = 0 keeps files marked as protected operating-system files out of Explorer listings.

The trojan may delete the following Registry entries:

  • [HKEY_LOCAL_MACHINE64\­Software\­Microsoft\­Windows NT\­CurrentVersion\­SPP\­Clients]
  • [HKEY_CURRENT_USER64\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
  • [HKEY_LOCAL_MACHINE64\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
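The persistence and policy entries above can be checked from a `reg export` dump taken during triage instead of on the live host. The Python below is an added example and not code from the ESET description; the "64" suffix in the key names above is the encyclopedia's notation for the 64-bit registry view, which an export shows under the plain hive name. The sample dump, its user name and the two benign values in it are constructed.

```python
# Added example (not part of the ESET description): check a `reg export` (.reg)
# text dump for the Win32/Dipeok.A registry indicators listed above. The parser
# handles string and dword values; other value types are kept as raw text.
import re
from typing import Dict, List, Tuple

# Constructed sample of what an export of the affected keys might look like on an
# infected host. The user name and the two extra, benign values are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ztchg"="C:\\Users\\alice\\ztchg\\start.vbs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"ConsentPromptBehaviorAdmin"=dword:00000005

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000
"Hidden"=dword:00000002
'''

HKCU = "hkey_current_user\\software\\microsoft\\windows\\currentversion\\"
HKLM = "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\"

# (key, value name, value the trojan sets, confidence). ShowSuperHidden = 0 is
# also the Windows default, so on its own it is only a weak indicator.
POLICY_INDICATORS = [
    (HKLM + "policies\\system", "enablelua", 0, "high"),
    (HKCU + "policies\\system", "disabletaskmgr", 1, "high"),
    (HKCU + "policies\\explorer", "nofolderoptions", 1, "medium"),
    (HKCU + "explorer\\advanced", "showsuperhidden", 0, "low"),
]


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a .reg export into {key path (lower-case): {value name (lower-case): value}}."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = re.fullmatch(r'"([^"]+)"=(.+)', line)
        if m and current is not None:
            name, val = m.group(1).lower(), m.group(2)
            if val.startswith("dword:"):
                keys[current][name] = int(val[len("dword:"):], 16)
            elif len(val) >= 2 and val[0] == '"' and val[-1] == '"':
                keys[current][name] = val[1:-1].replace("\\\\", "\\")  # .reg doubles backslashes
            else:
                keys[current][name] = val
    return keys


def find_indicators(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, str, str]]:
    """Return (confidence, key, detail) for every indicator present in the parsed dump."""
    hits = []
    runonce = HKCU + "runonce"
    for name, val in keys.get(runonce, {}).items():
        # Either the value name or a target inside a ztchg folder marks the persistence entry.
        if name == "ztchg" or (isinstance(val, str) and "\\ztchg\\" in val.lower()):
            hits.append(("high", runonce, f"{name} = {val}"))
    for key, name, expected, conf in POLICY_INDICATORS:
        if keys.get(key, {}).get(name) == expected:
            hits.append((conf, key, f"{name} = {expected}"))
    return hits
```

`reg export` writes UTF-16LE with a byte-order mark, so open the dump with encoding "utf-16" before passing its text to parse_reg(). Treat the low-confidence ShowSuperHidden hit as corroboration only: it is the default setting on a clean machine.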

Other information

The trojan can detect the presence of debuggers and other analysis tools.

The trojan quits immediately if it detects a window containing one of the following strings in its title:

  • Program Manager

The trojan quits immediately if it detects a running process containing one of the following strings in its name:

  • VboxService.exe
  • VMwaretray.exe

The trojan can inject its own code into, and run it as a new thread within, the following processes:

  • %windir%\­Microsoft.Net\­Framework\­v2.0.50727\­RegSvcs.exe
  • %windir%\­Microsoft.Net\­Framework\­v4.0.30319\­RegSvcs.exe
  • %default_web_browser%

The trojan acquires data and commands from a remote computer or the Internet. It contains a URL; communication uses HTTP.

It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • perform DoS/DDoS attacks
  • uninstall itself
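One way to catch the RegSvcs.exe injection and the remote-control behaviour above in endpoint telemetry, as an added example rather than anything from the ESET description: the detector below runs over Sysmon-style events (process creation, network connection and CreateRemoteThread). RegSvcs.exe legitimately registers .NET assemblies for COM+ and takes the assembly path on its command line, so a bare launch, a launch by a program in a user profile, a remote thread from a user-profile executable into one of the listed targets, or any outbound connection by RegSvcs.exe is flagged. The event dicts, the browser names standing in for %default_web_browser%, the paths and the addresses are constructed.

```python
# Added example (not part of the ESET description): flag the RegSvcs.exe injection
# and remote-control behaviour described above in Sysmon-style process telemetry.
# Events are plain dicts carrying a subset of Sysmon fields (EventID 1 = process
# create, 3 = network connection, 8 = CreateRemoteThread); the values are made up.
from typing import Dict, List

# Processes the description names as injection targets. The browser names stand in
# for %default_web_browser% and are an assumption.
INJECT_TARGETS = {"regsvcs.exe", "iexplore.exe", "firefox.exe", "chrome.exe"}

# Constructed sample telemetry: three events from an infection, three benign ones.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"',
     "ParentImage": r"C:\Users\alice\ztchg\JavaUpdater.com"},
    {"EventID": 8,
     "SourceImage": r"C:\Users\alice\ztchg\JavaUpdater.com",
     "TargetImage": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"},
    {"EventID": 3,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 80},
    # Benign: a vendor installer registering a COM+ assembly with RegSvcs.
    {"EventID": 1,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" "C:\Program Files\Vendor\Component.dll"',
     "ParentImage": r"C:\Program Files\Vendor\setup.exe"},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "198.51.100.5", "DestinationPort": 443},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
]


def _basename(path: str) -> str:
    return path.replace("/", "\\").lower().rsplit("\\", 1)[-1]


def _from_user_profile(path: str) -> bool:
    return "\\users\\" in path.replace("/", "\\").lower()


def analyze(events: List[Dict]) -> List[str]:
    """Return one alert string per suspicious event, in input order."""
    alerts = []
    for e in events:
        eid = e.get("EventID")
        if eid == 1 and _basename(e.get("Image", "")) == "regsvcs.exe":
            # Legitimate use passes an assembly to register; a bare RegSvcs.exe launch,
            # or one whose parent lives in a user profile, matches the injection pattern.
            cmd = e.get("CommandLine", "").strip().strip('"')
            parent = e.get("ParentImage", "")
            if cmd.lower().endswith("regsvcs.exe") or _from_user_profile(parent):
                alerts.append(f"RegSvcs.exe started without an assembly by {parent}")
        elif eid == 3 and _basename(e.get("Image", "")) == "regsvcs.exe":
            # RegSvcs.exe has no reason to talk to the network; the trojan pulls commands over HTTP.
            alerts.append(f"RegSvcs.exe connected to {e.get('DestinationIp')}:{e.get('DestinationPort')}")
        elif eid == 8:
            src, tgt = e.get("SourceImage", ""), e.get("TargetImage", "")
            if _basename(tgt) in INJECT_TARGETS and _from_user_profile(src):
                alerts.append(f"remote thread created in {tgt} by {src}")
    return alerts
```

The network rule is the most robust of the three, since a process-hollowed RegSvcs.exe still shows its original image path in the connection event; the CreateRemoteThread rule misses injection techniques that do not create a thread from the injector, so do not rely on it alone.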

The trojan may create the following files:

  • %userprofile%\­ztchg\­check.txt
  • %temp%\­%variable%.exe

A string with variable content is used instead of %variable%.

The trojan may delete the following files:

  • %startup%\­*.*

The trojan may cause a BSOD (system crash).
