Win32/Zalup [Threat Name]
Win32/Zalup.AA [Threat Variant Name]
Category | trojan
Size | 25600 B
Aliases | P2P-Worm.Win32.Socks.ni (Kaspersky), W32.Mandaph (Symantec), Backdoor:Win32/Koceg (Microsoft)
Short description
Win32/Zalup.AA is a trojan that steals passwords and other sensitive information. The trojan can send the information to a remote machine.
Installation
When executed, the trojan creates the following files:
- %windir%\system32\drivers\services.exe (25600 B)
- %userprofile%\svchost.exe (25600 B)
- %startup%\userinit.exe (25600 B)
- %userprofile%\explorer.dll (4608 B)
- %windir%\system32\explorer.dll (4608 B)
- %temp%\%number1%.tmp
The %number1% represents a random number.
In order to be executed on every system start, the trojan sets the following Registry entries:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "[system]" = "%windir%\system32\drivers\services.exe"
- "winlogon" = "%userprofile%\svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "[system]" = "%windir%\system32\drivers\services.exe"
- "winlogon" = "%userprofile%\svchost.exe"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
- "ImagePath" = "%windir%\system32\drivers\services.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
- "Userinit" = "%windir%\system32\userinit.exe,%windir%\system32\drivers\services.exe"
The following Registry entry is also set, so that the trojan is started every time any .exe file is opened (the original program is then launched through the "%1" %* arguments):
- [HKEY_CLASSES_ROOT\exefile\shell\open]
- "command" = "%command%"
The %command% is one of the following strings:
- %windir%\system32\drivers\services.exe "%1" %*
- %userprofile%\svchost.exe "%1" %*
Libraries with the following names are injected into all running processes:
- explorer.dll
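The persistence points above (Run values named "[system]" and "winlogon", the Schedule service ImagePath, the extra Userinit entry and the exefile handler hijack) can be checked offline against a registry export. The following checker is an added example, not ESET's tooling or code from the trojan; it parses .reg export text and reports each indicator. The SAMPLE_REG text is constructed: its key and value names and file names follow the description, while the drive letter, the user name "alice" and the ctfmon.exe entry are assumed. Note that in a .reg export the "command" entry appears as the default value (@) of the exefile\shell\open\command subkey.

```python
import re

# Constructed sample of a registry export (.reg format) from an infected host.
# Key names, value names and file names follow the Win32/Zalup.AA description;
# the drive letter, the user name "alice" and the ctfmon.exe entry are assumed.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"[system]"="C:\\WINDOWS\\system32\\drivers\\services.exe"
"winlogon"="C:\\Documents and Settings\\alice\\svchost.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
"ImagePath"="C:\\WINDOWS\\system32\\drivers\\services.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\drivers\\services.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\drivers\\services.exe \"%1\" %*"
'''

RUN_KEYS = (
    r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run',
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
)
WINLOGON_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
SCHEDULE_KEY = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule'
EXEFILE_KEY = r'HKEY_CLASSES_ROOT\exefile\shell\open\command'
LEGIT_EXEFILE_CMD = '"%1" %*'   # default value on a clean system

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    # .reg string data escapes backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Parse .reg export text into {key: {value name: data}}. Quoted (REG_SZ)
    data is decoded; other types (dword:, hex:) are kept as raw text."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            reg.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = '(Default)' if m.group(1) == '@' else _unescape(m.group(2))
            data = m.group(3)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            reg[current][name] = data
    return reg


def _values(reg, key):
    """Case-insensitive key lookup; returns {lowercase value name: data}."""
    for k, v in reg.items():
        if k.lower() == key.lower():
            return {n.lower(): d for n, d in v.items()}
    return {}


def _split_path(path):
    """-> (lowercase file name, True if the parent dir is system32/SysWOW64)."""
    p = path.strip().strip('"').lower().replace('/', '\\')
    name = p.rsplit('\\', 1)[-1]
    parent = p[:len(p) - len(name)].rstrip('\\')
    return name, parent.endswith(('\\system32', '\\syswow64'))


def is_dropped_path(path):
    """True if the path matches one of Zalup.AA's dropped files: services.exe,
    svchost.exe and userinit.exe are legitimate only directly under the system
    directory (the trojan's copies live in system32\\drivers, %userprofile% and
    %startup%), and explorer.dll is not a standard Windows file."""
    name, in_system_dir = _split_path(path)
    if name == 'explorer.dll':
        return True
    if name in ('services.exe', 'svchost.exe', 'userinit.exe'):
        return not in_system_dir
    return False


def find_zalup_persistence(reg):
    """Return one finding string per persistence indicator from the description."""
    findings = []
    for key in RUN_KEYS:
        for name, data in _values(reg, key).items():
            if name in ('[system]', 'winlogon') or is_dropped_path(data):
                findings.append(f'Run value {name!r} -> {data}')
    # Userinit must contain only %windir%\system32\userinit.exe; Zalup appends itself
    for entry in _values(reg, WINLOGON_KEY).get('userinit', '').split(','):
        entry = entry.strip()
        if entry:
            name, in_system_dir = _split_path(entry)
            if not (name == 'userinit.exe' and in_system_dir):
                findings.append(f'Userinit extra entry -> {entry}')
    image = _values(reg, SCHEDULE_KEY).get('imagepath', '')
    if is_dropped_path(image):
        findings.append(f'Schedule service ImagePath -> {image}')
    cmd = _values(reg, EXEFILE_KEY).get('(default)', LEGIT_EXEFILE_CMD)
    if cmd.strip() != LEGIT_EXEFILE_CMD:
        findings.append(f'exefile open command hijacked -> {cmd}')
    return findings


if __name__ == '__main__':
    for finding in find_zalup_persistence(parse_reg(SAMPLE_REG)):
        print(finding)
```

On a live host, feed it the output of "reg export" for the four hives listed above; the exefile hijack is the one to repair first, since removing the trojan file while the handler still points at it leaves every .exe unable to start until the default value is restored to "%1" %*.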
Information stealing
The trojan collects the following information:
- computer IP address
- opened TCP port number
- e-mail addresses
- FTP account information
The trojan can send the information to a remote machine.
The trojan contains a list of (1) URLs to which the collected data is sent. The HTTP protocol is used.
Other information
The trojan acquires data and commands from a remote computer or the Internet. The HTTP protocol is used.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
The trojan hooks the following Windows APIs:
- recv (ws2_32.dll)
- WSARecv (ws2_32.dll)
- WSASend (ws2_32.dll)
- send (ws2_32.dll)
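Because the injected explorer.dll hooks these four ws2_32.dll exports in every running process, any fresh process on an infected host (including a scanner) inherits the hooks. The following script is an added example, not ESET's code or a tool from the page: it reads the first bytes of each listed export in its own process and applies a detour heuristic (a function that begins with a jmp, a push/ret or a mov rax/jmp rax is patched), then resolves an E9 jmp to the module that owns its target. The Windows API calls are the documented kernel32 GetModuleHandleExW and GetModuleFileNameW; the byte patterns in the tests are constructed. It assumes a 32-bit Python on a 32-bit Windows install, since the sample is a Win32 DLL, and it only detects hooks placed at the first instruction, not IAT patches or deeper trampolines.

```python
import ctypes
import sys

# ws2_32.dll exports the description says the injected explorer.dll hooks
HOOKED_APIS = ('recv', 'WSARecv', 'WSASend', 'send')


def looks_inline_hooked(prologue: bytes) -> bool:
    """Heuristic for a detour-style inline hook: the function's first
    instruction transfers control away instead of being a normal prologue
    (e.g. 8B FF 55 8B EC on x86, 48 89 5C 24 08 on x64)."""
    if len(prologue) < 2:
        return False
    b0, b1 = prologue[0], prologue[1]
    if b0 in (0xE9, 0xEB):                        # jmp rel32 / jmp rel8
        return True
    if b0 == 0xFF and b1 in (0x25, 0xE0):         # jmp [mem] / jmp eax
        return True
    if b0 == 0x68 and len(prologue) >= 6 and prologue[5] == 0xC3:
        return True                               # push imm32; ret
    if (b0, b1) == (0x48, 0xB8) and prologue[10:12] == b'\xFF\xE0':
        return True                               # mov rax, imm64; jmp rax
    return False


def detour_target(prologue: bytes, addr: int):
    """Destination of an E9 jmp rel32 placed at addr, or None."""
    if len(prologue) >= 5 and prologue[0] == 0xE9:
        rel = int.from_bytes(prologue[1:5], 'little', signed=True)
        return (addr + 5 + rel) & 0xFFFFFFFFFFFFFFFF
    return None


def _module_for_address(addr: int) -> str:
    """Windows only: file name of the module that maps addr."""
    k32 = ctypes.windll.kernel32
    hmod = ctypes.c_void_p()
    # GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS | GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT
    if not k32.GetModuleHandleExW(0x6, ctypes.c_void_p(addr), ctypes.byref(hmod)):
        return '<unbacked memory>'   # trampoline outside any loaded DLL
    buf = ctypes.create_unicode_buffer(260)
    k32.GetModuleFileNameW(hmod, buf, 260)
    return buf.value


def scan_ws2_32(n: int = 12) -> dict:
    """{api: (hooked?, owner of the jump target)} for the four APIs. Runs only
    on Windows and only inspects this process, which suffices here because the
    description says the library is injected into all running processes."""
    if sys.platform != 'win32':
        return {}
    ws2 = ctypes.WinDLL('ws2_32')
    result = {}
    for api in HOOKED_APIS:
        addr = ctypes.cast(getattr(ws2, api), ctypes.c_void_p).value
        prologue = ctypes.string_at(addr, n)
        target = detour_target(prologue, addr)
        owner = _module_for_address(target) if target is not None else ''
        result[api] = (looks_inline_hooked(prologue), owner)
    return result


if __name__ == '__main__':
    for api, (hooked, owner) in scan_ws2_32().items():
        print(f'ws2_32!{api}: {"HOOKED -> " + owner if hooked else "clean"}')
```

A hit means "hooked", not "Zalup": endpoint security products also inline-hook these exports, so the owning module reported for the jump target is what to examine (here, an explorer.dll under %userprofile% or %windir%\system32 rather than a known security product's DLL).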
The trojan executes the following commands:
- netsh firewall add allowedprogram %filepath% sys enable
- wscript.exe -b %temp%\%number1%.tmp
The netsh command adds the trojan's own executable (%filepath%) to the Windows Firewall exception list under the name "sys", so that inbound connections to the port it opens are not blocked; the wscript.exe command runs the script dropped as %temp%\%number1%.tmp through the Windows Script Host.
The trojan opens a random port.
The trojan may create the following files:
- %temp%\stop
- %temp%\r43q34.tmp
- %temp%\mpz.tmp
- %temp%\%number2%.tmp
The %number2% represents a random number.