Win32/Zalup [Threat Name] go to Threat

Win32/Zalup.AT [Threat Variant Name]

Category trojan
Size 49604 B
Aliases Trojan.Win32.Inject.akry (Kaspersky)
  W32/Trojan2.JRPH (F-Prot)
  Trojan.Horse (Symantec)

Win32/Zalup.AT is a trojan that steals passwords and other sensitive information. The trojan can send the information to a remote machine.


When executed the trojan copies itself in the following locations:

  • %system%\­%variable%.exe

A string with variable content is used instead of %variable% .

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­userinit.exe]
    • "Debugger" = "%variable%.exe"

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­opera.exe]
    • "Debugger" = "%programfiles%\­Internet Explorer\­iexplore.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­navigator.exe]
    • "Debugger" = "%programfiles%\­Internet Explorer\­iexplore.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­safari.exe]
    • "Debugger" = "%programfiles%\­Internet Explorer\­iexplore.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­chrome.exe]
    • "Debugger" = "%programfiles%\­Internet Explorer\­iexplore.exe"

The trojan creates and runs a new thread with its own program code within the following processes:

  • csrss.exe
  • svchost.exe
  • thebat.exe
  • msimn.exe
  • iexplore.exe
  • explorer.exe
  • myie.exe
  • firefox.exe
  • mozilla.exe
  • avant.exe
  • maxthon.exe
Information stealing

The trojan gathers information related to the following processes:

  • The Bat!
  • Outlook Express
  • Internet Explorer
  • Explorer
  • MyIE
  • Mozilla Firefox
  • Opera
  • Avant Browser
  • Maxthon Web Browser

The trojan collects the following information:

  • HTML forms content
  • passwords

The trojan can send the information to a remote machine.

The trojan contains a list of (3) URLs. The HTTP protocol is used.

Other information

The trojan acquires data and commands from a remote computer or the Internet. The HTTP protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • capture screenshots

The trojan may create copies of itself in the folder:

  • %system%

The trojan may create the following files:

  • c:\­temp_8901245.exe

The trojan may delete the following files:

  • %system%\­ntdll.dll

The trojan keeps various information in the following Registry key:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Internet Settings\­%key%]

A string with variable content is used instead of %key% .

The trojan hooks the following Windows APIs:

  • send (ws2_32.dll)
  • connect (ws2_32.dll)
  • InternetOpenA (wininet.dll)
  • HttpOpenRequestA (wininet.dll)
  • InternetConnectA (wininet.dll)
  • InternetCloseHandle (wininet.dll)
  • InternetReadFile (wininet.dll)
  • InternetReadFileExA (wininet.dll)
  • InternetReadFileExW (wininet.dll)
  • HttpSendRequestA (wininet.dll)
  • HttpSendRequestW (wininet.dll)
  • InternetQueryDataAvailable (wininet.dll)
  • PR_Write (nspr4.dll)
  • PR_Read (nspr4.dll)
  • PR_Close (nspr4.dll)

The trojan sends requests to simulate clicks on banner advertisements, to inflate web counter statistics etc.

Please enable Javascript to ensure correct displaying of this content and refresh this page.