Win32/Zlader [Threat Name]
Win32/Zlader.D [Threat Variant Name]

| Field | Value |
| --- | --- |
| Category | trojan |
| Size | 182784 B |
| Aliases | Trojan-Ransom.Win32.Foreign.dhmf (Kaspersky) |
Short description
Win32/Zlader.D is a trojan which tries to download other malware from the Internet.
Installation
When executed, the trojan copies itself to one or more of the following locations:
- %appdata%\%variable1%\%variable1%.%variable2%
- %personal%\%variable1%\%variable1%.%variable2%
- %localappdata%\%variable1%\%variable1%.%variable2%
- %templates%\%variable1%\%variable1%.%variable2%
%variable1% stands for a string with variable content.
%variable2% is one of the following extensions:
- .exe
- .com
- .pif
- .scr
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
- "Run" = "%installfolder%\%variable1%\%variable1%.%variable2%"
The following Registry entries are set:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\]
- "%port1%:TCP" = "%port1%:TCP:*:Enabled:Remote Assistance Remote"
- "%port2%:TCP" = "%port2%:TCP:*:Enabled:Remote Assistance Local"
These entries create exceptions (open ports) in the Windows Firewall.
%port1% and %port2% stand for port numbers with variable content.
The trojan launches the following processes:
- explorer.exe
- svchost.exe
The trojan creates and runs a new thread with its own code within these running processes.
The trojan executes the following commands:
- netsh.exe firewall add allowedprogram program = "%windir%\explorer.exe" name = "Microsoft Windows Explorer" mode = ENABLE scope = ALL
- netsh.exe firewall add allowedprogram program = "%system%\svchost.exe" name = "Generic Host Process" mode = ENABLE scope = ALL
These commands add Windows Firewall exceptions for the two processes the trojan injects into.
After the installation is complete, the trojan deletes the original executable file.
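The installation steps above leave a small set of host artifacts (a value named "Run" under the HKCU Windows NT\CurrentVersion\Windows key, GloballyOpenPorts entries labelled as Remote Assistance, firewall allowed-program exceptions for explorer.exe and svchost.exe, and a self-named dropped copy under one of four folders). The following PowerShell script is an added example, not code from the ESET description, that audits a host for those artifacts. The registry paths and value names come from the description; the AuthorizedApplications\List key used for the netsh-created exceptions is an assumption about where the XP-era Windows Firewall stores allowed programs, and the variable parts (%variable1%, %port1%, %port2%) are matched by pattern because their actual values are unknown.

```powershell
# Added example (not from the ESET page): audit a Windows host for the
# persistence and firewall artifacts attributed to Win32/Zlader.D above.
# Run in an elevated session. Hits are indicators to investigate, not proof
# of infection: a legitimate product could also use these locations.

$findings = @()

# 1. Legacy load point: value "Run" under HKCU\...\Windows NT\CurrentVersion\Windows.
#    On a clean system this value is normally absent or empty.
$winKey   = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
$runValue = (Get-ItemProperty -Path $winKey -ErrorAction SilentlyContinue).Run
if ($runValue) {
    $findings += [pscustomobject]@{ Check = 'HKCU Windows\Run load point'; Detail = $runValue }
}

# 2. GloballyOpenPorts entries of the form "<port>:TCP:*:Enabled:Remote Assistance Remote|Local".
#    %port1%/%port2% are unknown, so match the name/value pattern instead of exact ports.
$fwKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List'
$fwProps = Get-ItemProperty -Path $fwKey -ErrorAction SilentlyContinue
if ($fwProps) {
    foreach ($p in $fwProps.PSObject.Properties) {
        if ($p.Name -match '^\d+:TCP$' -and $p.Value -match 'Remote Assistance (Remote|Local)$') {
            $findings += [pscustomobject]@{ Check = 'GloballyOpenPorts entry'; Detail = "$($p.Name) = $($p.Value)" }
        }
    }
}

# 3. Allowed-program exceptions for explorer.exe / svchost.exe (result of the netsh commands).
#    ASSUMPTION: the XP-era firewall stores these under AuthorizedApplications\List
#    as "<path>:*:Enabled:<name>"; the description only lists the netsh commands.
$appKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$appProps = Get-ItemProperty -Path $appKey -ErrorAction SilentlyContinue
if ($appProps) {
    foreach ($p in $appProps.PSObject.Properties) {
        if ($p.Name -match '\\(explorer|svchost)\.exe$') {
            $findings += [pscustomobject]@{ Check = 'AuthorizedApplications entry'; Detail = "$($p.Name) = $($p.Value)" }
        }
    }
}

# 4. Dropped copy: <root>\<name>\<name>.<exe|com|pif|scr>, where <root> is one of the
#    description's %appdata%, %personal%, %localappdata%, %templates% folders.
$roots = @(
    $env:APPDATA,
    [Environment]::GetFolderPath('MyDocuments'),
    $env:LOCALAPPDATA,
    [Environment]::GetFolderPath('Templates')
)
$dropExts = '.exe', '.com', '.pif', '.scr'
foreach ($root in $roots) {
    if (-not $root -or -not (Test-Path -Path $root)) { continue }
    foreach ($dir in Get-ChildItem -Path $root -Directory -ErrorAction SilentlyContinue) {
        foreach ($file in Get-ChildItem -Path $dir.FullName -File -ErrorAction SilentlyContinue) {
            # The file name (without extension) must equal its parent folder name.
            if ($file.BaseName -eq $dir.Name -and $file.Extension -in $dropExts) {
                $findings += [pscustomobject]@{ Check = 'Self-named dropped file'; Detail = $file.FullName }
            }
        }
    }
}

if ($findings.Count -eq 0) {
    'No Zlader.D-style artifacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Check 4 is the noisiest of the four because some legitimate installers also create a folder and a same-named executable inside it; treat it as corroborating evidence alongside the registry and firewall hits rather than as a detection on its own.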
Information stealing
Win32/Zlader.D is a trojan that steals sensitive information.
The following information is collected:
- computer name
- volume serial number
- operating system version
- computer IP address
The trojan attempts to send gathered information to a remote machine.
Other information
Win32/Zlader.D is a trojan which tries to download other malware from the Internet.
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of 2 URLs and communicates with them over HTTP.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- create Registry entries
- set up a proxy server
The trojan opens a random TCP port.
The trojan keeps various information in the following Registry key:
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Protected Storage System Settings\LocalsSettings]