Win32/Zlader [Threat Name]

Win32/Zlader.D [Threat Variant Name]

Category trojan
Size 182784 B
Detection created Dec 12, 2012
Detection database version 10007
Aliases Trojan-Ransom.Win32.Foreign.dhmf (Kaspersky)
Short description

Win32/Zlader.D is a trojan which tries to download other malware from the Internet.

Installation

When executed, the trojan copies itself into some of the following locations:

  • %appdata%\%variable1%\%variable1%.%variable2%
  • %personal%\%variable1%\%variable1%.%variable2%
  • %localappdata%\%variable1%\%variable1%.%variable2%
  • %templates%\%variable1%\%variable1%.%variable2%

A string with variable content is used instead of %variable1%.


The %variable2% is one of the following strings:

  • .exe
  • .com
  • .pif
  • .scr

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    • "Run" = "%installfolder%\%variable1%\%variable1%.%variable2%"

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\]
    • "%port1%:TCP" = "%port1%:TCP:*:Enabled:Remote Assistance Remote"
    • "%port2%:TCP" = "%port2%:TCP:*:Enabled:Remote Assistance Local"

These entries create exceptions in the Windows Firewall.


A value with variable content is used instead of %port1-2%.


The trojan launches the following processes:

  • explorer.exe
  • svchost.exe

The trojan creates and runs a new thread with its own code within these running processes.


The trojan executes the following commands:

  • netsh.exe firewall add allowedprogram program = "%windir%\explorer.exe" name = "Microsoft Windows Explorer" mode = ENABLE scope = ALL
  • netsh.exe firewall add allowedprogram program = "%system%\svchost.exe" name = "Generic Host Process" mode = ENABLE scope = ALL

These commands create exceptions in the Windows Firewall.


After the installation is complete, the trojan deletes the original executable file.

Information stealing

Win32/Zlader.D is a trojan that steals sensitive information.


The following information is collected:

  • computer name
  • volume serial number
  • operating system version
  • computer IP address

The trojan attempts to send gathered information to a remote machine.

Other information

Win32/Zlader.D is a trojan which tries to download other malware from the Internet.


The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (2) URLs. The HTTP protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • create Registry entries
  • set up a proxy server

The trojan opens a random TCP port.


The trojan keeps various information in the following Registry key:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Protected Storage System Settings\LocalsSettings]
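The following read-only PowerShell check is an added example, not part of the ESET write-up, that looks for the persistence, firewall-exception and data-storage Registry indicators described in the Installation and Other information sections above. It assumes it is run in an elevated session on the host being examined; the path regex encodes the page's %variable1%\%variable1%.%variable2% layout and the four listed extensions.

```powershell
# Added example (not from the write-up): hunt for Win32/Zlader.D Registry indicators.
# Read-only; assumes an elevated PowerShell session on the examined host.
$findings = @()

# 1. "Run" value under HKCU\...\Windows NT\CurrentVersion\Windows (normally empty).
#    The write-up: it points at %installfolder%\<name>\<name>.<exe|com|pif|scr>.
$winKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
$run = (Get-ItemProperty -Path $winKey -ErrorAction SilentlyContinue).Run
if ($run) {
    $expanded = [Environment]::ExpandEnvironmentVariables($run)
    # Directory name equal to the file stem, with one of the four listed extensions.
    if ($expanded -match '\\([^\\]+)\\\1\.(exe|com|pif|scr)$') {
        $findings += "Run value matches Zlader-style path: $run"
    } else {
        $findings += "Run value is set (review manually): $run"
    }
}

# 2. Globally open TCP ports labelled as Remote Assistance, as the write-up describes.
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List'
$ports = Get-ItemProperty -Path $fwKey -ErrorAction SilentlyContinue
if ($ports) {
    foreach ($p in $ports.PSObject.Properties) {
        if ($p.Value -is [string] -and
            $p.Value -match '^\d+:TCP:\*:Enabled:Remote Assistance (Remote|Local)$') {
            $findings += "Open-port exception with Remote Assistance label: $($p.Name) = $($p.Value)"
        }
    }
}

# 3. Key the trojan uses to store its own data.
$dataKey = 'HKCU:\SOFTWARE\Microsoft\Protected Storage System Settings\LocalsSettings'
if (Test-Path -Path $dataKey) {
    $findings += "Zlader data key present: $dataKey"
}

if ($findings.Count -eq 0) { 'No Win32/Zlader.D Registry indicators found.' } else { $findings }
```

A hit on check 1 or 3 is a strong indicator; check 2 only surfaces entries for review, since the port values are variable and the labels imitate legitimate descriptions.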
