Win32/Trustezeb [Threat Name]

Win32/Trustezeb.H [Threat Variant Name]

Category trojan
Size 59392 B
Detection created Aug 01, 2014
Detection database version 10189
Aliases Trojan.Win32.Inject.rxmk (Kaspersky)
  Trojan:Win32/Coremhead!gmb (Microsoft)
  Trojan.Zbot (Symantec)
  Boxed.DEZ.trojan (AVG)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan copies itself to the following locations:

  • %temp%\%variable1%.pre
  • %appdata%\%variable2%\%variable3%%variable4%.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable5%%variable4%" = "%appdata%\%variable2%\%variable3%%variable4%.exe"

The trojan launches the following processes:

  • svchost.exe

The trojan creates and runs a new thread with its own code within these running processes.
After the installation is complete, the trojan deletes the original executable file.
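As an added defender-side example (not part of this ESET entry), the helper below flags Run-key values that match the persistence shape described above: an .exe sitting exactly one directory below %appdata%, plus leftover .pre droppers in %temp%. The registry values and file names are a constructed sample, not data from a real infection.

```python
import re

# Constructed sample of HKCU\...\Run values as (value name, value data) pairs,
# shaped like the output of `reg query` or a registry export. Names and paths
# are made up for illustration.
SAMPLE_RUN_VALUES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Updater", r"C:\Users\alice\AppData\Roaming\Qtoz\fkrawutoq.exe"),
    ("vmware-tray", r'"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr'),
    ("Qtoz", r"%APPDATA%\Qtoz\fkrawutoq.exe"),
]

# Constructed sample of a %temp% directory listing.
SAMPLE_TEMP_LISTING = ["~DF1A2B.tmp", "a8f3k2.pre", "wct9C3.tmp"]

# %appdata% written either as the unexpanded variable (REG_EXPAND_SZ) or as
# the resolved <drive>:\Users\<user>\AppData\Roaming path, followed by exactly
# one subdirectory and an .exe, with nothing else on the command line.
APPDATA_ONE_LEVEL_EXE = re.compile(
    r'^"?(?:%appdata%|[a-z]:\\users\\[^\\]+\\appdata\\roaming)'
    r'\\[^\\]+\\[^\\]+\.exe"?\s*$',
    re.IGNORECASE,
)


def flag_appdata_run_entries(run_values):
    """Return the names of Run values whose data is a bare <%appdata%\\dir\\name.exe>.

    Legitimate software usually installs under Program Files or
    %localappdata%, so this narrow shape is a useful triage signal rather
    than a definitive verdict: review each hit before acting on it.
    """
    return [name for name, data in run_values if APPDATA_ONE_LEVEL_EXE.match(data)]


def flag_pre_droppers(temp_listing):
    """Return file names in a %temp% listing that carry the .pre extension."""
    return [f for f in temp_listing if f.lower().endswith(".pre")]


if __name__ == "__main__":
    print("suspicious Run values:", flag_appdata_run_entries(SAMPLE_RUN_VALUES))
    print("leftover .pre files:", flag_pre_droppers(SAMPLE_TEMP_LISTING))
```

On a live host the two inputs would come from enumerating the Run key and listing %temp%; the functions themselves do not touch the registry or file system, so they can also be run against exported data during incident triage.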

Information stealing

The trojan collects the following information:

  • user name
  • computer name
  • video controller type
  • operating system version
  • language settings
  • CPU information
  • list of disk devices and their type
  • installed antivirus software
  • information about the operating system and system settings

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (12) URLs. The HTTP and FTP protocols are used.

The trojan generates various URL addresses.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • uninstall itself
  • shut down/restart the computer
  • send the list of running processes to a remote computer
