Win32/Zimuse [Threat Name]

Win32/Zimuse.E [Threat Variant Name]

Category trojan, worm
Size 1134592 B
Detection created May 21, 2014
Detection database version 9832
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

The trojan does not create any copies of itself.


The trojan creates the following files:

  • %temp%\svchost.exe (212992 B)
  • %currentfolder%\wabfiles.exe (32768 B)
  • %currentfolder%\kbdus.dll (5632 B)
  • %currentfolder%\kbdsl.dll (6656 B)
  • %currentfolder%\kbdsl1.dll (6656 B)

The files are then executed.


The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Dorgel\General]
    • "ArchiveAVI" = "%currentfolder%\clip.avi"
    • "Device" = 0
    • "MainWndPos" = "10000,10000"
    • "MotionDetection" = 0
    • "Preview" = 0
    • "PreviewPos" = "356,443"
    • "Reconnect" = 0
    • "ReconnectTime" = 1
    • "ShowMsgBoxes" = 1
    • "TrayIcon" = 1
    • "AVIChangeInterval" = 0
    • "Capture" = 1
    • "FramesPerSecond" = 1
    • "UseAVI" = 1
  • [HKEY_CURRENT_USER\Software\Dorgel\StoreEvents\Store]
    • "CreateDirs" = 0
    • "Enable" = 1
    • "File" = "%currentfolder%\img.jpg"
    • "Interval" = 1
    • "LogLevel" = 0
    • "Order" = 1
    • "ResetTime" = 1
    • "Type" = 1
  • [HKEY_CURRENT_USER\Software\Dorgel\CaptionEvents\TextCaption]
    • "Absolute" = 0
    • "BackColor" = 0
    • "Enable" = 1
    • "File" = ""
    • "Font" = %binaryvalue%
    • "ForeColor" = 16777215
    • "Language" = 27
    • "MaxLength" = 0
    • "Order" = 1
    • "PosHor" = 0
    • "PosVer" = 0
    • "Rotate" = 0
    • "Shadow" = 2
    • "Text" = "%username% - %F, %T"
    • "Transparent" = 1
    • "Type" = 2

Information stealing

Win32/Zimuse.E is a trojan that steals sensitive information.


The trojan is able to log keystrokes.


The trojan keeps various information in the following files:

  • %currentfolder%\klUS.inf
  • %currentfolder%\klSK.inf
  • %currentfolder%\wab.inf
  • %currentfolder%\wabcsv.inf
  • %currentfolder%\img.jpg
  • %currentfolder%\clip.avi
  • %currentfolder%\record.wav
  • %currentfolder%\ipad.inf
  • %currentfolder%\ffp.inf

The trojan collects the following information:

  • network adapter information
  • country
  • operating system version
  • user name
  • computer name
  • the path to specific folders
  • e-mail addresses

The trojan can send the information to a remote machine. The FTP protocol is used.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of 2 URLs. The HTTP and FTP protocols are used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • send the list of files on a specific drive to a remote computer
  • send requested files
  • capture webcam video/voice
  • capture screenshots
  • send spam
  • send gathered information

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    • "%malwarefilepath%" = "%malwarefilepath%:*:Enabled:Microsoft Windows® security update"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    • "{6B69306C-6062-4A9B-89A3-591F3F71A04B}" = "v2.10|Action=Allow|Active=TRUE|Dir=Out|App=%malwarefilepath%|Name=Microsoft Windows® Adobe Acrobat Reader security update for PDF files"
    • "{6392B155-9708-4BD1-974D-F654DCC084F7}" = "v2.10|Action=Allow|Active=TRUE|Dir=In|App=%malwarefilepath%|Name=Microsoft Windows® Adobe Acrobat Reader security update for PDF files"
    • "TCP Query User{C893D2C3-AB3B-4F79-86B5-40993CCC8FDE}" = "v2.0|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=%malwarefilepath%|Name=Microsoft Windows® Adobe Acrobat Reader security update for PDF files|Desc=Microsoft Windows« Adobe Acrobat Reader security update for PDF files|Edge=FALSE|"
    • "UDP Query User{5E08BA57-D285-4482-9153-0101DFD33055}" = "v2.0|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=%malwarefilepath%|Name=Microsoft Windows® Adobe Acrobat Reader security update for PDF files|Desc=Microsoft Windows« Adobe Acrobat Reader security update for PDF files|Edge=FALSE|"

These Registry entries create an exception for the malware executable in the Windows Firewall, allowing its inbound and outbound traffic.
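As an added example (not part of the ESET entry), the following Python code parses firewall rule strings in the `v2.x|Key=Value|...` format stored under the FirewallRules key and flags allow rules that carry the lure name used by Win32/Zimuse.E or point at an application under %temp%. The rules are constructed from the ones listed above; the `%temp%\svchost.exe` path substituted for `%malwarefilepath%` in one rule is an assumption based on the dropped file list.

```python
import re

# Constructed sample values, modelled on the FirewallRules entries listed in this
# description. The App path in the third rule is assumed (the entry's own
# placeholder is %malwarefilepath%); the last rule is a benign one for contrast.
LURE = "Microsoft Windows\u00ae Adobe Acrobat Reader security update for PDF files"
SAMPLE_RULES = {
    "{6B69306C-6062-4A9B-89A3-591F3F71A04B}":
        "v2.10|Action=Allow|Active=TRUE|Dir=Out|App=%malwarefilepath%|Name=" + LURE,
    "{6392B155-9708-4BD1-974D-F654DCC084F7}":
        "v2.10|Action=Allow|Active=TRUE|Dir=In|App=%malwarefilepath%|Name=" + LURE,
    "TCP Query User{C893D2C3-AB3B-4F79-86B5-40993CCC8FDE}":
        "v2.0|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|"
        "App=%temp%\\svchost.exe|Name=" + LURE + "|Desc=" + LURE + "|Edge=FALSE|",
    "CoreNet-Constructed-Benign":
        "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=58|App=System|"
        "Name=@FirewallAPI.dll,-25000",
}

# Name text used by the malware for its rules; matched case-insensitively so the
# cp437-mangled Desc variant ("Windows\u00ab ...") is caught by the ASCII part.
LURE_RE = re.compile(r"Adobe Acrobat Reader security update for PDF files", re.I)
# Application paths that a legitimate firewall rule should never point at.
USER_WRITABLE_RE = re.compile(r"^(%temp%|%tmp%|%appdata%)\\", re.I)


def parse_rule(value):
    """Split a FirewallRules value into a dict; the leading 'v2.x' has no '='."""
    parts = value.split("|")
    fields = {"Version": parts[0]}
    for part in parts[1:]:
        if part:  # a trailing '|' leaves an empty element
            key, _, val = part.partition("=")
            fields[key] = val
    return fields


def suspicious_rules(rules):
    """Return the names of active allow rules matching the Zimuse.E indicators."""
    hits = []
    for name, value in rules.items():
        f = parse_rule(value)
        if f.get("Action") != "Allow" or f.get("Active") != "TRUE":
            continue
        text = f.get("Name", "") + " " + f.get("Desc", "")
        if LURE_RE.search(text) or USER_WRITABLE_RE.match(f.get("App", "")):
            hits.append(name)
    return hits
```

On a live host the same values can be read from the FirewallRules key and fed to `suspicious_rules`; the Dir and Protocol fields tell you which direction the exception opened.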
