Win32/TrojanDownloader.Zurgop [Threat Name]
Win32/TrojanDownloader.Zurgop.AZ [Threat Variant Name]
Category | trojan |
Size | 63488 B |
Short description
Win32/TrojanDownloader.Zurgop.AZ is a trojan that tries to download other malware from the Internet. The file is run-time compressed using PECompact.
Installation
When executed, the trojan copies itself to the following location:
- %appdata%\%variable1%\%variable2%.exe
In order to be executed on every system start, the trojan sets the following Registry entries:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
  - "%variable3%" = "%appdata%\%variable1%\%variable2%.exe"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  - "%variable3%" = "%appdata%\%variable1%\%variable2%.exe"
The trojan may create the following files:
- %startup%\%variable2%.lnk
A string with variable content is used instead of %variable1-3%.
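Because the folder, file and value names vary, triage has to key on the shape of the persistence rather than on fixed names. The following is an added example, not part of the original description: it correlates the three artefacts listed above (the same value under both Run keys, data pointing at an .exe one folder below %appdata%, and a same-named .lnk in %startup%). The record format, the expanded Roaming path and all sample names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# The two HKEY_CURRENT_USER autostart keys named in the description (hive stripped).
RUN_KEYS = {
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\policies\explorer\run",
}
# Value data shaped like %appdata%\<folder>\<file>.exe. The expanded Roaming
# layout is an assumption about how %appdata% resolves on the host.
APPDATA_EXE = re.compile(
    r'^"?(?:%appdata%|[a-z]:\\users\\[^\\]+\\appdata\\roaming)'
    r'\\[^\\]+\\([^\\]+)\.exe"?$',
    re.IGNORECASE,
)

def find_candidates(run_values, startup_files):
    """run_values: (key, value_name, data) tuples; startup_files: names in %startup%.
    Returns entries whose identical name/data pair is set under BOTH Run keys."""
    seen = defaultdict(set)
    for key, name, data in run_values:
        subkey = key.lower().split("\\", 1)[-1]  # drop the hive prefix
        match = APPDATA_EXE.match(data.strip())
        if subkey in RUN_KEYS and match:
            path = data.strip().strip('"').lower()
            seen[(name.lower(), path, match.group(1).lower())].add(subkey)
    links = {f.lower() for f in startup_files}
    return [
        {"value": name, "path": path, "startup_lnk": base + ".lnk" in links}
        for (name, path, base), keys in sorted(seen.items())
        if keys == RUN_KEYS
    ]

# Constructed sample data (not taken from a real host or from the page).
HKCU = "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\"
SAMPLE_RUN = [
    (HKCU + "Run", "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (HKCU + "Run", "Notes", r"%appdata%\Notes\notes.exe"),
    (HKCU + "Run", "qwmxz", r"C:\Users\alice\AppData\Roaming\Kbtrq\wjhsa.exe"),
    (HKCU + "Policies\\Explorer\\Run", "qwmxz", r"C:\Users\alice\AppData\Roaming\Kbtrq\wjhsa.exe"),
]
SAMPLE_STARTUP = ["desktop.ini", "wjhsa.lnk"]

if __name__ == "__main__":
    for hit in find_candidates(SAMPLE_RUN, SAMPLE_STARTUP):
        print(hit)
```

Legitimate software can also autostart from %appdata%, so a hit is a lead for closer inspection of the referenced file rather than a verdict.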
The trojan creates and runs a new thread with its own program code within the following processes:
- explorer.exe
- svchost.exe
Other information
The trojan quits immediately if it detects certain security applications running.
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of URLs (1 entry). It communicates over HTTP.
It may perform the following actions:
- download files from a remote computer and/or the Internet
- run executable files
- update itself to a newer version
- remove itself from the infected computer
- collect information about the operating system used
- send gathered information