Win32/Zlader [Threat Name]
Win32/Zlader.L [Threat Variant Name]
Category | trojan, worm
Size | 65536 B
Aliases | Trojan.Win32.Yakes.mveb (Kaspersky), Trojan:Win32/Zlader.A (Microsoft)
Short description
Win32/Zlader.L is a worm which tries to download other malware from the Internet. It can be controlled remotely. It is able to spread via shared folders and removable media.
Installation
The worm launches the following processes:
- %windir%\explorer.exe
- %defaultbrowser%
The worm creates and runs a new thread with its own code within these running processes.
The following Registry entry is set:
- [HKEY_CURRENT_USER\Software\Microsoft]
- "(Default)" = %binary% (11933 B)
The worm quits immediately if any of the following applications is detected:
- Sandboxie
Spreading
The worm may create copies of itself on removable drives.
The worm copies itself to the following location:
- %drive%\$RECYCLE.BIN\{%variable1%}\%variable2%.%extension%
The worm searches for files and folders in the root folders of removable drives.
When the worm finds a file matching the search criteria, it creates a new file.
The file is a shortcut to a malicious file.
The file name of the newly created file is derived from the original file/folder name.
The extension of the file is ".lnk".
The worm tries to copy itself into shared folders of machines on a local network.
The worm copies itself to the following location:
- %folder%\$RECYCLE.BIN\{%variable1%}\%variable2%.%extension%
The worm also searches for executables in shared folders of remote machines.
When the worm finds a file matching the search criteria, it creates a new file.
The file is a shortcut to a malicious file.
The file name of the newly created file is derived from the original file/folder name.
The extension of the file is ".lnk".
The %extension% is one of the following strings:
- .pif
- .scr
- .exe
- .cmd
A string with variable content is used instead of %variable1-2%.
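The spreading pattern above (a hidden payload under $RECYCLE.BIN on the drive, plus a ".lnk" decoy named after every original file or folder in the root) is easy to recognise from the filesystem alone. The following is an added example, not code from the original page or from any vendor: a heuristic scanner for a removable-drive root that flags shortcuts whose name mirrors an existing entry and whose raw bytes reference a $RECYCLE.BIN\{...}\name.<ext> target with one of the listed extensions, and that lists brace-named $RECYCLE.BIN subfolders holding such files. It does not fully parse the ShellLink format; it only checks the 0x4C header and searches the file bytes for the target string in ASCII or UTF-16LE. The sample drive layout, the hypothetical folder name "{a1b2c3}" and the payload name "update.scr" are constructed for the demonstration.

```python
"""Heuristic scan of a removable-drive root for Zlader-style LNK decoys.

Added example; assumes the layout described on the page:
<root>/$RECYCLE.BIN/{...}/<name>.<ext> holds the worm body and a shortcut
named after each original file/folder in the root points at it.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

LNK_MAGIC = b"\x4c\x00\x00\x00"                  # ShellLink HeaderSize field (0x4C)
PAYLOAD_EXTS = {".pif", ".scr", ".exe", ".cmd"}  # extensions listed on the page

# Target path fragment as the worm writes it; matched case-insensitively.
TARGET_PAT = re.compile(
    r"\$RECYCLE\.BIN\\\{[^}\\]+\}\\[^\\]+?\.(?:pif|scr|exe|cmd)", re.I
)


def lnk_target_hint(path: Path) -> Optional[str]:
    """Return the suspicious target fragment found inside a .lnk, if any."""
    data = path.read_bytes()
    if not data.startswith(LNK_MAGIC):
        return None  # not a ShellLink file at all
    # LNK string data may be stored as ANSI or as UTF-16LE; try both views.
    for text in (data.decode("latin-1"), data.decode("utf-16-le", errors="ignore")):
        m = TARGET_PAT.search(text)
        if m:
            return m.group(0)
    return None


def scan_drive_root(root: Path) -> Dict[str, List]:
    """Scan one drive root and return decoy shortcuts and hidden payloads."""
    root = Path(root)
    findings: Dict[str, List] = {"decoy_lnks": [], "orphan_lnks": [], "hidden_payloads": []}
    entries = [p for p in root.iterdir() if p.name.upper() != "$RECYCLE.BIN"]
    non_lnk = [p for p in entries if p.suffix.lower() != ".lnk"]
    # A decoy's name is derived from the original entry: "Photos" -> "Photos.lnk",
    # "report.docx" -> "report.lnk" or "report.docx.lnk"; accept both forms.
    originals = {p.name for p in non_lnk} | {p.stem for p in non_lnk}
    for p in entries:
        if p.suffix.lower() != ".lnk":
            continue
        hint = lnk_target_hint(p)
        if hint is None:
            continue  # ordinary shortcut, not pointing into $RECYCLE.BIN\{...}
        bucket = "decoy_lnks" if p.stem in originals else "orphan_lnks"
        findings[bucket].append((p.name, hint))
    # Real $RECYCLE.BIN subfolders are SID-named (S-1-5-...); brace-named ones
    # holding executables are the pattern described on the page.
    recycle = root / "$RECYCLE.BIN"
    if recycle.is_dir():
        for sub in recycle.iterdir():
            if sub.is_dir() and sub.name.startswith("{") and sub.name.endswith("}"):
                for f in sub.iterdir():
                    if f.is_file() and f.suffix.lower() in PAYLOAD_EXTS:
                        findings["hidden_payloads"].append(str(f.relative_to(root)))
    return findings


def build_sample_root(base: Path) -> Path:
    """Construct a fake drive root that reproduces the page's layout (constructed data)."""
    root = Path(base) / "E"
    (root / "Photos").mkdir(parents=True)
    (root / "report.docx").write_bytes(b"not really a document")
    payload_dir = root / "$RECYCLE.BIN" / "{a1b2c3}"   # hypothetical %variable1%
    payload_dir.mkdir(parents=True)
    (payload_dir / "update.scr").write_bytes(b"MZ")    # hypothetical %variable2%.scr
    target = r"E:\$RECYCLE.BIN\{a1b2c3}\update.scr"
    # Minimal stand-in for a ShellLink: 0x4C-byte header, then a UTF-16LE path.
    decoy = LNK_MAGIC + b"\x00" * (0x4C - 4) + target.encode("utf-16-le")
    (root / "Photos.lnk").write_bytes(decoy)
    (root / "report.lnk").write_bytes(decoy)
    benign = LNK_MAGIC + b"\x00" * (0x4C - 4) + r"C:\Tools\x.exe".encode("utf-16-le")
    (root / "benign.lnk").write_bytes(benign)          # should not be flagged
    return root


def demo() -> Dict[str, List]:
    """Build the constructed sample root in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as d:
        return scan_drive_root(build_sample_root(Path(d)))


if __name__ == "__main__":
    for key, items in demo().items():
        print(key, items)
```

On a live system the same function can be pointed at the root of a mounted removable drive; a hit in "decoy_lnks" together with a brace-named $RECYCLE.BIN folder in "hidden_payloads" is the combination worth escalating, whereas a lone shortcut into $RECYCLE.BIN without a mirrored original ("orphan_lnks") is weaker evidence on its own.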
Information stealing
The worm collects the following information:
- login passwords for certain applications/services
- login user names for certain applications/services
- volume serial number
- operating system version
- information about the operating system and system settings
The following programs are affected:
- Microsoft Outlook
- Internet Explorer
- Mozilla Firefox
The worm attempts to send gathered information to a remote machine.
Other information
The worm acquires data and commands from a remote computer or the Internet.
The worm contains a list of two URLs. The HTTP protocol is used in the communication.
The worm checks for Internet connectivity by trying to connect to the following servers:
- http://get.adobe.com/
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
The following Registry entry is deleted:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\IsShortcut]
The worm may create copies of the following files (source, destination):
- %windir%\System32\newdev.dll, %appdata%\newdev.dll
- %windir%\SysWoW64\newdev.dll, %appdata%\newdev.dll
- %windir%\System32\bthudtask.exe, %windir%\System32\setup
- %windir%\System32\newdev.dll, %windir%\System32\setup
The worm may execute the following commands:
- cmd.exe /c makecab "%windir%\System32\bthudtask.exe" "%appdata%\cabfile.cab"
- cmd.exe /c wusa "%appdata%\cabfile.cab" /extract: "%windir%\System32\setup"
- cmd.exe /c makecab "%windir%\System32\newdev.dll" "%appdata%\cabfile.cab"
The worm attempts to modify the following file:
- %appdata%\newdev.dll