Win32/Zlader [Threat Name]

Win32/Zlader.L [Threat Variant Name]

Category: trojan, worm
Size: 65536 B
Detection created: Oct 12, 2015
Detection database version: 12395
Aliases: Trojan.Win32.Yakes.mveb (Kaspersky)
         Trojan:Win32/Zlader.A (Microsoft)
Short description

Win32/Zlader.L is a worm which tries to download other malware from the Internet. It can be controlled remotely. It is able to spread via shared folders and removable media.

Installation

The worm launches the following processes:

  • %windir%\explorer.exe
  • %defaultbrowser%

The worm then creates and runs a new thread with its own code inside each of these processes (thread injection), so its code runs under the name of a legitimate process rather than as a separate executable.


The following Registry entry is set:

  • [HKEY_CURRENT_USER\Software\Microsoft]
    • "(Default)" = %binary% (11933 B)

The worm quits immediately if any of the following applications is detected:

  • Sandboxie

Spreading

The worm may create copies of itself on removable drives.


The worm copies itself to the following location:

  • %drive%\$RECYCLE.BIN\{%variable1%}\%variable2%.%extension%

$RECYCLE.BIN is the name Windows uses for the per-volume recycle bin folder, so the copy blends in with a folder users expect to find on a drive.

The worm searches for files and folders in the root folders of removable drives. For each one it finds, it creates a new file: a shortcut (".lnk") to a malicious file, with a file name derived from the original file or folder name.


The worm tries to copy itself into shared folders of machines on a local network.


The worm copies itself to the following location:

  • %folder%\$RECYCLE.BIN\{%variable1%}\%variable2%.%extension%

The worm also searches for executables in shared folders of remote machines. For each one it finds, it creates a new file: a shortcut (".lnk") to a malicious file, with a file name derived from the original file/folder name.

The %extension% is one of the following strings:

  • .pif
  • .scr
  • .exe
  • .cmd

A string with variable content is used instead of %variable1-2%.
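The shortcut-based spreading described above, on removable drives and on network shares alike, can be hunted for by reading the target out of each .lnk file and checking it against the copy location. The following is an added example, not ESET's code and not taken from the sample: a minimal MS-SHLLINK parser that extracts the LinkInfo local path, the RelativePath and the Arguments strings, and flags a target that ends in $RECYCLE.BIN\{...}\name.pif/.scr/.exe/.cmd. The parser skips the LinkTargetIDList rather than decoding it, so a shortcut that stores its target only in the ID list would need a fuller parser. The sample link bytes, the drive letter and the brace-enclosed folder name are constructed for the demonstration.

```python
r"""Added example (not ESET's code): parse the target of a Windows shell link
(.lnk, MS-SHLLINK) and flag the pattern described above: a shortcut whose
target sits under $RECYCLE.BIN\{...}\ with a .pif/.scr/.exe/.cmd extension.
Sample links come from build_sample_lnk(); the brace folder name is made up."""
import os
import re
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80

# $RECYCLE.BIN\{anything}\name.<ext> at the end of a path, case-insensitive
ZLADER_TARGET = re.compile(
    r"\$RECYCLE\.BIN\\\{[^\\]+\}\\[^\\]+\.(?:pif|scr|exe|cmd)$", re.IGNORECASE)


def _cstr(buf, off):
    """NUL-terminated ANSI string starting at buf[off]."""
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")


def parse_lnk(data):
    """Return LocalBasePath+CommonPathSuffix, RelativePath and Arguments
    (None where the link does not carry the field)."""
    if len(data) < HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:                       # skip LinkTargetIDList (not decoded here)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    out = {"local_path": None, "relative_path": None, "arguments": None}
    if flags & HAS_LINK_INFO:
        size, _hdr, info_flags, _vol, base_off, _net, suffix_off = struct.unpack_from("<7I", data, pos)
        info = data[pos:pos + size]
        if info_flags & 0x1:                      # VolumeIDAndLocalBasePath present
            out["local_path"] = _cstr(info, base_off) + _cstr(info, suffix_off)
        pos += size

    def string_data():                            # CountCharacters + chars, no terminator
        nonlocal pos
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw, pos = data[pos:pos + width * count], pos + width * count
        return raw.decode("utf-16-le" if width == 2 else "latin-1")

    # StringData blocks follow LinkInfo in this fixed order, each only if its flag is set
    for flag, key in ((HAS_NAME, None), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, None), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, None)):
        if flags & flag:
            value = string_data()
            if key:
                out[key] = value
    return out


def is_zlader_style(link):
    """True when any target-bearing field points at the worm's copy location."""
    return any(v and ZLADER_TARGET.search(v)
               for v in (link["local_path"], link["relative_path"], link["arguments"]))


def scan_drive(root):
    """Yield (path, parsed link) for every suspicious .lnk below root, e.g. a USB stick."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".lnk"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    link = parse_lnk(fh.read())
            except (OSError, ValueError, struct.error):
                continue
            if is_zlader_style(link):
                yield path, link


def build_sample_lnk(local_path, relative_path=None):
    """Construct a minimal .lnk (header + LinkInfo + optional RelativePath) so the
    parser can be exercised offline. Constructed sample, not a captured worm file."""
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_RELATIVE_PATH if relative_path else 0)
    header = struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    volume = struct.pack("<IIII", 0x11, 2, 0x1234ABCD, 0x10) + b"\x00"  # DriveType 2 = removable
    base = local_path.encode("latin-1") + b"\x00"
    body = volume + base + b"\x00"                # CommonPathSuffix is empty
    info_hdr = struct.pack("<7I", 0x1C + len(body), 0x1C, 0x1, 0x1C,
                           0x1C + len(volume), 0, 0x1C + len(volume) + len(base))
    link = header + info_hdr + body
    if relative_path:
        link += struct.pack("<H", len(relative_path)) + relative_path.encode("utf-16-le")
    return link
```

Run scan_drive(r"E:\") against a mounted USB stick or a share copy; each hit is the .lnk path plus the parsed fields, which can then be matched against the $RECYCLE.BIN\{...} copy on the same volume before the drive is cleaned.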

Information stealing

The worm collects the following information:

  • login passwords for certain applications/services
  • login user names for certain applications/services
  • volume serial number
  • operating system version
  • information about the operating system and system settings

The following programs are affected:

  • Microsoft Outlook
  • Internet Explorer
  • Mozilla Firefox

The worm attempts to send gathered information to a remote machine.

Other information

The worm acquires data and commands from a remote computer or the Internet.


The worm contains a list of two URLs and communicates with them over HTTP.


The worm checks for Internet connectivity by trying to connect to the following servers:

  • http://get.adobe.com/

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files

The following Registry entry is deleted:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\IsShortcut]

The IsShortcut value under the lnkfile class is what makes Explorer draw the small arrow overlay on shortcut icons; removing it makes the .lnk files the worm drops on removable drives and network shares look like ordinary files and folders.

The worm may create copies of the following files (source, destination):

  • %windir%\System32\newdev.dll, %appdata%\newdev.dll
  • %windir%\SysWoW64\newdev.dll, %appdata%\newdev.dll
  • %windir%\System32\bthudtask.exe, %windir%\System32\setup
  • %windir%\System32\newdev.dll, %windir%\System32\setup

The worm may execute the following commands:

  • cmd.exe /c makecab "%windir%\System32\bthudtask.exe" "%appdata%\cabfile.cab"
  • cmd.exe /c wusa "%appdata%\cabfile.cab" /extract: "%windir%\System32\setup"
  • cmd.exe /c makecab "%windir%\System32\newdev.dll" "%appdata%\cabfile.cab"

The worm attempts to modify the following file:

  • %appdata%\newdev.dll

Together these steps place copies of bthudtask.exe and newdev.dll under %windir%\System32\setup, and newdev.dll is also copied to %appdata% and modified there. wusa.exe is auto-elevated under default UAC settings, which is why its /extract switch is used to unpack the cab into the protected System32 tree instead of copying the files directly; makecab packing a System32 binary into %appdata%, followed by wusa /extract into %windir%\System32, is a sequence worth alerting on in process-creation telemetry.
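One way to catch the makecab/wusa sequence listed above in endpoint telemetry, as an added example that is not ESET's code: the detector below looks for makecab packing a file from %windir%\System32 or SysWOW64 into a user-writable AppData path, then for wusa extracting a cab into the System32 tree, and ties the two together through the cab path. The events are constructed (pid, parent image, command line) tuples standing in for Sysmon event ID 1 or Security 4688 records; the user name, pids and the two benign noise events are made up, and %appdata% is expanded to a made-up profile path.

```python
"""Added example (not ESET's code): flag the makecab -> wusa /extract staging
chain in process-creation telemetry. Events are constructed here as
(pid, parent image, command line) tuples rather than real Sysmon records."""
import re
import shlex

SAMPLE_EVENTS = [  # constructed; %appdata% expanded to a made-up profile
    (4120, r"C:\Windows\explorer.exe",
     r'cmd.exe /c makecab "C:\Windows\System32\bthudtask.exe" "C:\Users\alice\AppData\Roaming\cabfile.cab"'),
    (4131, r"C:\Windows\explorer.exe",
     r'cmd.exe /c wusa "C:\Users\alice\AppData\Roaming\cabfile.cab" /extract: "C:\Windows\System32\setup"'),
    (4140, r"C:\Windows\explorer.exe",
     r'cmd.exe /c makecab "C:\Windows\System32\newdev.dll" "C:\Users\alice\AppData\Roaming\cabfile.cab"'),
    # benign noise: a normal update install and a user packing their own file
    (5200, r"C:\Windows\System32\svchost.exe",
     r'wusa "C:\Windows\SoftwareDistribution\Download\update.msu" /quiet /norestart'),
    (5300, r"C:\Windows\explorer.exe",
     r'cmd.exe /c makecab "C:\Users\alice\report.txt" "C:\Users\alice\report.cab"'),
]

PROTECTED = re.compile(r"^[a-z]:\\windows\\(?:system32|syswow64)\\", re.I)
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)


def _argv(cmdline):
    """Split a Windows command line into tokens with surrounding quotes removed;
    posix=False keeps backslashes literal instead of treating them as escapes."""
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def detect_wusa_staging(events):
    """Return one alert per suspicious makecab/wusa invocation. A wusa alert
    carries the pid of the makecab that produced the cab it extracts, if seen."""
    staged = {}   # lowercased cab path -> pid of the makecab that wrote it
    alerts = []
    for pid, _parent, cmd in events:
        argv = _argv(cmd)
        low = [a.lower() for a in argv]
        for i, tok in enumerate(low):
            if tok in ("makecab", "makecab.exe") and i + 2 < len(argv):
                src, cab = argv[i + 1], argv[i + 2]
                if PROTECTED.match(src) and USER_WRITABLE.match(cab):
                    staged[cab.lower()] = pid
                    alerts.append({"pid": pid, "rule": "makecab-system-binary-to-appdata",
                                   "source": src, "cab": cab})
            elif tok in ("wusa", "wusa.exe"):
                cab = argv[i + 1] if i + 1 < len(argv) else ""
                dest = None
                for j in range(i + 1, len(argv)):
                    if low[j].startswith("/extract:"):   # both "/extract: X" and "/extract:X"
                        dest = argv[j][len("/extract:"):].strip('"') or (
                            argv[j + 1] if j + 1 < len(argv) else None)
                if dest and PROTECTED.match(dest):
                    alerts.append({"pid": pid, "rule": "wusa-extract-into-system32",
                                   "cab": cab, "destination": dest,
                                   "staged_by": staged.get(cab.lower())})
    return alerts


if __name__ == "__main__":
    for alert in detect_wusa_staging(SAMPLE_EVENTS):
        print(alert)
```

Over the constructed events the detector raises three alerts, the two makecab invocations and the wusa extraction, with the wusa alert linked back to pid 4120 through the shared cabfile.cab path; the svchost.exe update install and the user's own makecab produce nothing. In production, key the staged map on (host, cab path) and expire entries after a short window so an old cab name cannot link unrelated events.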
