Win32/Zalup [Threat Name]

Win32/Zalup.AA [Threat Variant Name]

Category trojan
Size 25600 B
Detection created Jun 16, 2008
Detection database version 3189
Aliases P2P-Worm.Win32.Socks.ni (Kaspersky)
  W32.Mandaph (Symantec)
  Backdoor:Win32/Koceg (Microsoft)
Short description

Win32/Zalup.AA is a trojan that steals passwords and other sensitive information. The trojan can send the information to a remote machine.

Installation

When executed, the trojan creates the following files:

  • %windir%\system32\drivers\services.exe (25600 B)
  • %userprofile%\svchost.exe (25600 B)
  • %startup%\userinit.exe (25600 B)
  • %userprofile%\explorer.dll (4608 B)
  • %windir%\system32\explorer.dll (4608 B)
  • %temp%\%number1%.tmp

The %number1% represents a random number.


In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "[system]" = "%windir%\system32\drivers\services.exe"
    • "winlogon" = "%userprofile%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "[system]" = "%windir%\system32\drivers\services.exe"
    • "winlogon" = "%userprofile%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
    • "ImagePath" = "%windir%\system32\drivers\services.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Userinit" = "%windir%\system32\userinit.exe,%windir%\system32\drivers\services.exe"

"Schedule" is the service name of the Task Scheduler, so pointing its ImagePath at the trojan makes the service control manager start the trojan in place of the scheduler. Appending a second path to the Userinit value makes winlogon start the trojan at every interactive logon, alongside the genuine userinit.exe.

The following Registry entry is set:

  • [HKEY_CLASSES_ROOT\exefile\shell\open]
    • "command" = "%command%"

The %command% is one of the following strings:

  • %windir%\system32\drivers\services.exe "%1" %*
  • %userprofile%\svchost.exe "%1" %*

This replaces the default handler for executable files, which is "%1" %*, so the trojan is started every time any .exe file is launched and then passes the original program and its arguments through via "%1" %*. Deleting the trojan's file without first restoring this value leaves the system unable to start any .exe.

Libraries with the following names are injected into all running processes:

  • explorer.dll
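
The persistence described above can be checked offline from a registry export. The following Python script is an added example and not part of ESET's analysis: it parses a .reg file (here a constructed sample that reproduces the values described on this page for an assumed XP-era profile "alice", plus one benign autorun for contrast) and flags Run/RunOnce values and service ImagePaths whose binary carries the name of a core Windows process but does not live in %windir%\system32, any extra entry in the Winlogon Userinit value, and an exefile handler that is anything other than "%1" %*. It generalises slightly beyond the page by checking a whole set of commonly borrowed process names rather than only services.exe and svchost.exe.

```python
import re
from typing import Dict, List, Tuple

# Core Windows process names that Win32/Zalup.AA borrows for its dropped files (plus a few
# other names that other families reuse the same way).
MASQUERADE_NAMES = {"services", "svchost", "userinit", "explorer", "winlogon", "lsass", "csrss"}

# Constructed sample .reg export (assumed paths) reproducing the values described on this
# page, plus one benign autorun that must not be flagged.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"[system]"="C:\\WINDOWS\\system32\\drivers\\services.exe"
"winlogon"="C:\\Documents and Settings\\alice\\svchost.exe"
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
"ImagePath"="C:\\WINDOWS\\system32\\drivers\\services.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\drivers\\services.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\drivers\\services.exe \"%1\" %*"
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s: str) -> str:
    """Undo .reg escaping (a backslash protects the following backslash or quote)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key: {value name: data}}; the default value is named "@".
    Only string data is unescaped; other types (dword:, hex:) are kept as raw text."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) is None else _unescape(m.group(1))
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def first_executable(command: str) -> str:
    """Program path from a command line: a leading quoted path, otherwise the text up to
    the first .exe (copes with unquoted paths containing spaces)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.exe)(?=\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else (command.split()[0] if command else "")


def is_masquerading(path: str) -> bool:
    """True when the file name mimics a core Windows process but the directory is not the
    one that process really lives in (system32 under the Windows directory, or the Windows
    directory itself for explorer.exe)."""
    p = path.lower().replace("/", "\\")
    parent, _, filename = p.rpartition("\\")
    name = filename[:-4] if filename.endswith(".exe") else filename
    if name not in MASQUERADE_NAMES:
        return False
    if re.fullmatch(r"[a-z]:\\(windows|winnt)\\system32", parent):
        return False
    if name == "explorer" and re.fullmatch(r"[a-z]:\\(windows|winnt)", parent):
        return False
    return True


def triage(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (key, value name, reason) for every suspicious persistence entry."""
    findings: List[Tuple[str, str, str]] = []
    for key, values in keys.items():
        k = key.lower()
        for name, data in values.items():
            n = name.lower()
            if re.search(r"\\currentversion\\run(once)?$", k) or (n == "imagepath" and "\\services\\" in k):
                # Run/RunOnce autostarts and service binaries: look-alike name in the wrong place
                exe = first_executable(data)
                if is_masquerading(exe):
                    findings.append((key, name, "look-alike system binary outside system32: " + exe))
            elif k.endswith("\\windows nt\\currentversion\\winlogon") and n == "userinit":
                # Userinit must name userinit.exe and nothing else
                entries = [e.strip() for e in data.split(",") if e.strip()]
                extra = [e for e in entries if not e.lower().endswith("\\userinit.exe")]
                if extra:
                    findings.append((key, name, "extra Userinit entries: " + ", ".join(extra)))
            elif (k == "hkey_classes_root\\exefile\\shell\\open\\command" and n == "@") or \
                 (k == "hkey_classes_root\\exefile\\shell\\open" and n == "command"):
                # The stock handler for .exe files is exactly "%1" %*
                if data.strip() != '"%1" %*':
                    findings.append((key, name, "exefile handler hijacked: " + data))
    return findings


if __name__ == "__main__":
    for key, name, reason in triage(parse_reg(SAMPLE_REG)):
        print(f"[{key}] {name}: {reason}")
```

On a live machine the input is produced with `reg export` (one file per key of interest); reg.exe and regedit normally write UTF-16LE, so open those files with encoding="utf-16" before passing the text to parse_reg. A hit on the exefile handler has to be repaired before the trojan's file is deleted, otherwise no .exe will start afterwards.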

Information stealing

The trojan collects the following information:

  • computer IP address
  • opened TCP port number
  • e-mail addresses
  • FTP account information

The trojan can send the information to a remote machine.


The trojan contains a list of (1) URLs. The HTTP protocol is used.

Other information

The trojan acquires data and commands from a remote computer or the Internet. The HTTP protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files

The trojan hooks the following Windows APIs:

  • recv (ws2_32.dll)
  • WSARecv (ws2_32.dll)
  • WSASend (ws2_32.dll)
  • send (ws2_32.dll)

These are the Winsock send and receive functions. Hooking them in every process into which explorer.dll is injected lets the trojan inspect the raw network traffic of those processes, which is how credentials transmitted in clear text by protocols such as FTP and POP3/SMTP can be harvested.
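
Hooks of this kind are inline patches: the first bytes of the export are overwritten with a jump into the hooking library. A memory-forensics check compares each export's in-memory bytes with the bytes of the same function in the module file on disk and decodes where any rewrite transfers control. The Python below is an added example, not ESET's tooling: module ranges, export addresses and the hook bytes are constructed to mimic a 32-bit process into which the trojan's explorer.dll has been injected, and the "clean" bytes are the standard 5-byte hot-patch prologue (mov edi,edi; push ebp; mov ebp,esp) of 32-bit Win32 exports. A real scanner reads the in-memory bytes with ReadProcessMemory and the on-disk bytes from the mapped file, then applies the same logic.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Standard hot-patchable prologue of 32-bit Win32 API exports, used here as the constructed
# "clean on-disk bytes" of the four Winsock functions:
#   8B FF  mov edi,edi   55  push ebp   8B EC  mov ebp,esp
CLEAN_PROLOGUE = bytes.fromhex("8BFF558BEC")

# Constructed module map and export addresses (invented values): the Winsock exports live in
# ws2_32.dll, and the injected explorer.dll named on this page owns the hook stubs.
MODULES: Dict[str, Tuple[int, int]] = {      # name -> (base, size)
    "ws2_32.dll":   (0x71A10000, 0x17000),
    "explorer.dll": (0x10000000, 0x2000),
}
EXPORTS: Dict[str, int] = {                   # export -> address
    "recv": 0x71A1615A, "send": 0x71A14C27, "WSARecv": 0x71A16B8D, "WSASend": 0x71A14D3F,
}
HOOK_STUB = 0x10001000                        # inside explorer.dll


def rel32_jump(frm: int, to: int) -> bytes:
    """Encode the 5-byte `jmp rel32` from frm to to that a Detours-style hook writes."""
    return b"\xE9" + struct.pack("<i", to - (frm + 5))


# In-memory first bytes of each export as seen in a hooked process (constructed):
MEMORY: Dict[str, bytes] = {
    "recv":    rel32_jump(EXPORTS["recv"], HOOK_STUB),                   # jmp rel32
    "send":    b"\x68" + struct.pack("<I", HOOK_STUB + 0x40) + b"\xC3",  # push imm32; ret
    "WSARecv": CLEAN_PROLOGUE,                                           # untouched
    "WSASend": b"\xFF\x25" + struct.pack("<I", 0x10001F00),              # jmp dword ptr [abs32]
}


def decode_redirect(code: bytes, address: int) -> Tuple[str, Optional[int]]:
    """Classify the control transfer written at `address` and recover where it points.
    For jmp [abs32] the returned value is the pointer cell, not the cell's content."""
    if len(code) >= 5 and code[0] == 0xE9:
        return "jmp rel32", (address + 5 + struct.unpack_from("<i", code, 1)[0]) & 0xFFFFFFFF
    if len(code) >= 2 and code[0] == 0xEB:
        return "jmp rel8", (address + 2 + struct.unpack_from("<b", code, 1)[0]) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return "push/ret", struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 6 and code[0] == 0xFF and code[1] == 0x25:
        return "jmp [abs32]", struct.unpack_from("<I", code, 2)[0]
    return "patched", None


def module_for(addr: Optional[int]) -> Optional[str]:
    """Name of the module whose mapped range contains addr, if any."""
    if addr is None:
        return None
    for name, (base, size) in MODULES.items():
        if base <= addr < base + size:
            return name
    return None


def scan_exports(memory: Dict[str, bytes], disk: bytes = CLEAN_PROLOGUE) -> List[Tuple[str, str, Optional[int], Optional[str]]]:
    """Compare each export's in-memory bytes with the on-disk bytes and report every
    rewritten prologue as (export, kind, target, module owning the target)."""
    findings = []
    for name, addr in EXPORTS.items():
        mem = memory[name]
        if mem[:len(disk)] == disk:
            continue                                   # prologue intact
        kind, target = decode_redirect(mem, addr)
        findings.append((name, kind, target, module_for(target)))
    return findings


if __name__ == "__main__":
    for name, kind, target, owner in scan_exports(MEMORY):
        where = f"0x{target:08X} in {owner or 'unmapped memory'}" if target is not None else "unknown"
        print(f"ws2_32!{name}: {kind} -> {where}")
```

The signal is a rewritten prologue whose target lies outside ws2_32.dll and the other system modules, not the rewrite by itself: security products and Microsoft's own hot-patching also overwrite these prologues, so triage by the owning module. The same comparison works for 64-bit processes once the clean bytes are taken from the 64-bit image, whose prologues differ from the 5-byte form assumed here.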

The trojan executes the following commands:

  • netsh firewall add allowedprogram %filepath% sys enable
  • wscript.exe -b %temp%\%number1%.tmp

The first command registers the program at %filepath% as an allowed program named "sys" in the Windows Firewall, i.e. it creates a firewall exception for it. The second command runs the dropped %temp%\%number1%.tmp file as a script with the Windows Script Host.
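
Both commands can be caught at process-creation time. The following Python is an added example (not from this page) that runs two rules over constructed Sysmon-style process-creation events: netsh adding a firewall exception, in the legacy `netsh firewall add allowedprogram` form used here and, going beyond the page, the `netsh advfirewall firewall add rule ... program=` form of Vista and later, flagged when the allowed program sits in a user-writable location; and wscript.exe or cscript.exe launched on a file in a temp directory or with a non-script extension such as .tmp. The event field names follow Sysmon Event ID 1; the paths and the user name are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed process-creation events in Sysmon Event ID 1 style (not real logs).
# The first two mirror the commands described on this page; the last two are benign.
EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\WINDOWS\system32\netsh.exe",
     "CommandLine": r"netsh firewall add allowedprogram C:\WINDOWS\system32\drivers\services.exe sys enable",
     "ParentImage": r"C:\WINDOWS\system32\drivers\services.exe"},
    {"Image": r"C:\WINDOWS\system32\wscript.exe",
     "CommandLine": r"wscript.exe -b C:\DOCUME~1\alice\LOCALS~1\Temp\2934.tmp",
     "ParentImage": r"C:\WINDOWS\system32\drivers\services.exe"},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": r'netsh advfirewall firewall add rule name="Updater" dir=in action=allow program="C:\Users\alice\AppData\Local\Temp\upd.exe" enable=yes',
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\upd.exe"},
    {"Image": r"C:\Windows\System32\netsh.exe",          # installer adding a rule: not flagged
     "CommandLine": r'netsh advfirewall firewall add rule name="Acme Agent" dir=in action=allow program="C:\Program Files\Acme\agent.exe" enable=yes',
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"Image": r"C:\Windows\System32\wscript.exe",        # logon script from Program Files: not flagged
     "CommandLine": r'wscript.exe "C:\Program Files\Acme\logon.vbs"',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
LEGACY_RULE = re.compile(r'\bfirewall\s+add\s+allowedprogram\s+("[^"]+"|\S+)', re.IGNORECASE)
ADVFW_RULE = re.compile(r'\badvfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=("[^"]+"|\S+)', re.IGNORECASE)


def is_user_writable(path: str) -> bool:
    """Paths under a user profile or a temp directory, i.e. where malware can drop files."""
    p = path.lower().replace("/", "\\")
    return bool(re.search(r"\\(temp|tmp)\\", p) or re.search(r"\\(users|documents and settings|docume~1)\\", p))


def last_argument(command_line: str) -> str:
    """Final argument of a command line, honouring a trailing quoted path."""
    cl = command_line.strip()
    if cl.endswith('"'):
        start = cl.rfind('"', 0, len(cl) - 1)
        return cl[start + 1:-1] if start >= 0 else cl
    return cl.split()[-1] if cl else ""


def detect(event: Dict[str, str]) -> List[Tuple[str, str]]:
    """Apply both rules to one event; returns (rule, detail) pairs."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    cmd = event["CommandLine"]
    hits: List[Tuple[str, str]] = []
    if image == "netsh.exe":
        # XP/2003 syntax, exactly what this family runs; legitimate software practically
        # never uses it, so every occurrence is reported.
        m = LEGACY_RULE.search(cmd)
        if m:
            hits.append(("legacy firewall exception added", m.group(1).strip('"')))
        # Vista+ syntax is common in installers, so only a user-writable program path counts.
        m = ADVFW_RULE.search(cmd)
        if m and is_user_writable(m.group(1).strip('"')):
            hits.append(("firewall rule allows binary in user-writable path", m.group(1).strip('"')))
    elif image in ("wscript.exe", "cscript.exe"):
        script = last_argument(cmd)
        filename = script.rsplit("\\", 1)[-1]
        ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
        if ext not in SCRIPT_EXTS or is_user_writable(script):
            hits.append(("script host run on temp or non-script file", script))
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str, str]]:
    """Run detect() over every event; returns (event index, rule, detail)."""
    return [(i, rule, detail) for i, ev in enumerate(events) for rule, detail in detect(ev)]


if __name__ == "__main__":
    for i, rule, detail in scan(EVENTS):
        print(f"event {i}: {rule}: {detail}  (parent {EVENTS[i]['ParentImage']})")
```

In practice the parent process is worth printing with every hit: here both trojan commands are spawned by the look-alike services.exe from the drivers directory, which is a strong indicator on its own. The `netsh firewall` context was superseded by `netsh advfirewall` from Windows Vista on, so a hit on the legacy syntax in a modern environment deserves a closer look regardless of the program path.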


The trojan opens a random port.


The trojan may create the following files:

  • %temp%\stop
  • %temp%\r43q34.tmp
  • %temp%\mpz.tmp
  • %temp%\%number2%.tmp

The %number2% represents a random number.
