Win32/TrojanDownloader.Zurgop [Threat Name]

Win32/TrojanDownloader.Zurgop.BK [Threat Variant Name]

Category trojan
Size 86016 B
Detection created Mar 11, 2014
Detection database version 9987
Aliases Trojan.Win32.Sharik.tgk (Kaspersky)
  VirTool:Win32/CeeInject.gen!KK (Microsoft)
  Win32:Malware-gen (Avast)
  TR/Dldr.Zurgop.BK.27 (Avira)
  Trojan.Injector.AXK (BitDefender)
Short description

Win32/TrojanDownloader.Zurgop.BK is a trojan which tries to download other malware from the Internet.

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\%variable2%\%variable1%.exe

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable3%" = "%appdata%\%variable2%\%variable1%.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    • "%variable3%" = "%appdata%\%variable2%\%variable1%.exe"

A string with variable content is used in place of each of %variable1-3%.


The trojan may create the following files:

  • %startup%\%variable2%.lnk

The file is a shortcut to a malicious file.


This causes the trojan to be executed on every system start.
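Added example (not part of the ESET entry): a Python check that parses a constructed .reg export and flags autorun values whose target lives under %appdata%, or that sit under the rarely used Policies\Explorer\Run key, which is the shape of the persistence described above. The key names, value names and paths in the sample are constructed placeholders, not indicators from this variant.

```python
import re

# Constructed sample of a .reg export; names and paths are placeholders.
SAMPLE_REG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"
"abcd1234"="C:\\Users\\alice\\AppData\\Roaming\\xk2p\\updater.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"abcd1234"="C:\\Users\\alice\\AppData\\Roaming\\xk2p\\updater.exe"
"""

# Autorun keys named in the entry (compared case-insensitively by suffix).
RUN_KEYS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\policies\explorer\run",
)
POLICY_RUN = r"policies\explorer\run"
USER_WRITABLE = ("\\appdata\\roaming\\", "%appdata%")


def parse_reg(text):
    """Yield (key, value_name, value_data) for each string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                # .reg files escape backslashes as "\\"; undo that.
                yield key, m.group(1), m.group(2).replace("\\\\", "\\")


def suspicious_autoruns(text):
    """Return (key, name, data, reasons) for autorun values worth triage."""
    findings = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if not k.endswith(RUN_KEYS):
            continue  # not one of the autorun keys we care about
        reasons = []
        if any(p in data.lower() for p in USER_WRITABLE):
            reasons.append("target under %appdata%")
        if k.endswith(POLICY_RUN):
            reasons.append("Policies\\Explorer\\Run key")
        if reasons:
            findings.append((key, name, data, reasons))
    return findings


if __name__ == "__main__":
    for key, name, data, reasons in suspicious_autoruns(SAMPLE_REG):
        print(f"[{key}] {name!r} -> {data} ({', '.join(reasons)})")
```

The same check applies to a live export produced with `reg export HKCU\Software\Microsoft\Windows\CurrentVersion out.reg`; a startup-folder .lnk pointing at the same %appdata% path would be the matching second artefact to look for.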


The trojan quits immediately if the executable file path contains one of the following strings:

  • sample

The trojan quits immediately if any of the following applications is detected:

  • Sandboxie

The trojan creates and runs a new thread with its own program code in all running processes.


After the installation is complete, the trojan deletes the original executable file.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of 2 URLs. The HTTP protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • uninstall itself
  • collect information about the operating system used
  • send gathered information

The trojan checks for Internet connectivity by trying to connect to the following servers:

  • http://www.msn.com

The trojan hides its presence in the system.


The trojan hooks the following Windows APIs:

  • ZwQuerySystemInformation (ntdll.dll)
  • ZwQueryDirectoryFile (ntdll.dll)
  • ZwEnumerateValueKey (ntdll.dll)
