Win32/TrojanDownloader.Zurgop [Threat Name] go to Threat

Win32/TrojanDownloader.Zurgop.CB [Threat Variant Name]

Category trojan
Size 263168 B
Detection created Jan 21, 2016
Detection database version 12902
Short description

Win32/TrojanDownloader.Zurgop.CB is a trojan which tries to download other malware from the Internet.

Installation

When executed, the trojan copies itself in some of the the following locations:

  • %appdata%\­%variable1%\­%variable2%.exe
  • %temp%\­%variable1%\­%variable2%.exe

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%variable3%" = "%malwarefilepath%"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer\­Run]
    • "%variable3%" = "%%malwarefilepath%"

The trojan may create the following files:

  • %startup%\­%variable4%.lnk

The file is a shortcut to a malicious file.


This causes the trojan to be executed on every system start.


A string with variable content is used instead of %variable1-4% .


The trojan quits immediately if the executable file path contains one of the following strings:

  • sample

The trojan quits immediately if any of the following applications is detected:

  • Sandboxie

The trojan terminates its execution if it detects that it's running in a specific virtual environment.


The trojan launches the following processes:

  • explorer.exe

The trojan creates and runs a new thread with its own code within these running processes.


After the installation is complete, the trojan deletes the original executable file.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (13) URLs. The HTTP protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • collect information about the operating system used
  • send gathered information

The trojan checks for Internet connectivity by trying to connect to the following servers:

  • http://www.msn.com

Please enable Javascript to ensure correct displaying of this content and refresh this page.