Win32/Zimuse
Win32/Zimuse.E
Category: trojan, worm
Size: 1134592 B
Short description
The trojan serves as a backdoor. It can be controlled remotely.
Installation
The trojan does not create any copies of itself.
The trojan creates the following files:
- %temp%\svchost.exe (212992 B)
- %currentfolder%\wabfiles.exe (32768 B)
- %currentfolder%\kbdus.dll (5632 B)
- %currentfolder%\kbdsl.dll (6656 B)
- %currentfolder%\kbdsl1.dll (6656 B)
The files are then executed.
The following Registry entries are set:
- [HKEY_CURRENT_USER\Software\Dorgel\General]
- "ArchiveAVI" = "%currentfolder%\clip.avi"
- "Device" = 0
- "MainWndPos" = "10000,10000"
- "MotionDetection" = 0
- "Preview" = 0
- "PreviewPos" = "356,443"
- "Reconnect" = 0
- "ReconnectTime" = 1
- "ShowMsgBoxes" = 1
- "TrayIcon" = 1
- "AVIChangeInterval" = 0
- "Capture" = 1
- "FramesPerSecond" = 1
- "UseAVI" = 1
- [HKEY_CURRENT_USER\Software\Dorgel\StoreEvents\Store]
- "CreateDirs" = 0
- "Enable" = 1
- "File" = "%currentfolder%\img.jpg"
- "Interval" = 1
- "LogLevel" = 0
- "Order" = 1
- "ResetTime" = 1
- "Type" = 1
- [HKEY_CURRENT_USER\Software\Dorgel\CaptionEvents\TextCaption]
- "Absolute" = 0
- "BackColor" = 0
- "Enable" = 1
- "File" = ""
- "Font" = %binaryvalue%
- "ForeColor" = 16777215
- "Language" = 27
- "MaxLength" = 0
- "Order" = 1
- "PosHor" = 0
- "PosVer" = 0
- "Rotate" = 0
- "Shadow" = 2
- "Text" = "%username% - %F, %T"
- "Transparent" = 1
- "Type" = 2
Information stealing
Win32/Zimuse.E is a trojan that steals sensitive information.
The trojan is able to log keystrokes.
The trojan keeps various information in the following files:
- %currentfolder%\klUS.inf
- %currentfolder%\klSK.inf
- %currentfolder%\wab.inf
- %currentfolder%\wabcsv.inf
- %currentfolder%\img.jpg
- %currentfolder%\clip.avi
- %currentfolder%\record.wav
- %currentfolder%\ipad.inf
- %currentfolder%\ffp.inf
The trojan collects the following information:
- network adapter information
- country
- operating system version
- user name
- computer name
- the path to specific folders
- e-mail addresses
The trojan can send the information to a remote machine. The FTP protocol is used.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of (2) URLs. The HTTP and FTP protocols are used.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- update itself to a newer version
- send the list of files on a specific drive to a remote computer
- send requested files
- capture webcam video/voice
- capture screenshots
- send spam
- send gathered information
The trojan may set the following Registry entries:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
- "%malwarefilepath%" = "%malwarefilepath%:*:Enabled:Microsoft Windows® security update"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
- "{6B69306C-6062-4A9B-89A3-591F3F71A04B}" = "v2.10|Action=Allow|Active=TRUE|Dir=Out|App=%malwarefilepath%|Name=Microsoft Windows® Adobe Acrobat Reader security update for PDF files"
- "{6392B155-9708-4BD1-974D-F654DCC084F7}" = "v2.10|Action=Allow|Active=TRUE|Dir=In|App=%malwarefilepath%|Name=Microsoft Windows® Adobe Acrobat Reader security update for PDF files"
- "TCP Query User{C893D2C3-AB3B-4F79-86B5-40993CCC8FDE}" = "v2.0|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=%malwarefilepath%|Name=Microsoft Windows® Adobe Acrobat Reader security update for PDF files|Desc=Microsoft Windows® Adobe Acrobat Reader security update for PDF files|Edge=FALSE|"
- "UDP Query User{5E08BA57-D285-4482-9153-0101DFD33055}" = "v2.0|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=%malwarefilepath%|Name=Microsoft Windows® Adobe Acrobat Reader security update for PDF files|Desc=Microsoft Windows® Adobe Acrobat Reader security update for PDF files|Edge=FALSE|"
These Registry entries add an exception for the trojan to the Windows Firewall.
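As an added example (not part of the ESET description), the following Python checker parses FirewallRules values in the pipe-delimited "v2.x|Key=Value|..." form shown above and flags rules that match the pattern this trojan sets; the sample values and program paths are constructed, and the heuristics generalize beyond the exact decoy name Zimuse.E uses.

```python
# Added example, not from the ESET description: parse Windows Firewall rule values
# of the "v2.x|Key=Value|..." form and flag rules that look like Zimuse.E's exception.
from typing import Dict, List

# Constructed sample values. The first key is the GUID from the description; the App
# paths are placeholders, not paths observed on a real system.
SAMPLE_RULES = {
    "{6B69306C-6062-4A9B-89A3-591F3F71A04B}":
        "v2.10|Action=Allow|Active=TRUE|Dir=Out|App=C:\\Users\\u\\AppData\\Local\\Temp\\svchost.exe"
        "|Name=Microsoft Windows\u00ae Adobe Acrobat Reader security update for PDF files",
    "{CONSTRUCTED-0001}":
        "v2.10|Action=Allow|Active=TRUE|Dir=In|App=C:\\ProgramData\\upd\\upd.exe"
        "|Name=Microsoft Windows Update Helper|",
    "{CONSTRUCTED-0002}":
        "v2.10|Action=Allow|Active=TRUE|Dir=In|App=System|Name=Core Networking - Example",
}

SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")


def parse_rule(value: str) -> Dict[str, str]:
    """Split a rule string into its fields; the leading version token is stored as 'Version'."""
    fields = value.strip("|").split("|")
    parsed = {"Version": fields[0]}
    for field in fields[1:]:
        key, _, val = field.partition("=")
        parsed[key] = val
    return parsed


def is_suspicious(rule: Dict[str, str]) -> bool:
    """Heuristics derived from the description: the decoy name itself, a program in a temp
    folder, or a Microsoft-branded name for a binary that lives outside the system folders."""
    app = rule.get("App", "").lower()
    name = rule.get("Name", "").lower()
    decoy_name = "adobe acrobat reader security update" in name
    in_temp = "\\temp\\" in app or "\\tmp\\" in app
    claims_microsoft = name.startswith("microsoft windows")
    in_system_dir = app == "system" or any(d in app for d in SYSTEM_DIRS)
    return decoy_name or in_temp or (claims_microsoft and not in_system_dir)


def find_suspicious(rules: Dict[str, str]) -> List[str]:
    """Return the registry value names of rules worth a closer look."""
    return [rid for rid, val in rules.items() if is_suspicious(parse_rule(val))]


if __name__ == "__main__":
    for rid in find_suspicious(SAMPLE_RULES):
        print("suspicious firewall rule:", rid, parse_rule(SAMPLE_RULES[rid]).get("Name"))
```

On a live system the same functions can be fed the values read from the FirewallRules key listed above.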