Win32/Zonebac [Threat Name] go to Threat

Win32/Zonebac.AA [Threat Variant Name]

Category trojan
Size 23568 B
Aliases Backdoor:Win32/Zonebac.B (Microsoft)
  W32/Downldr2.LXU (F-Prot)
  Trojan.Zonebac.A (BitDefender)
Short description

Win32/Zonebac.AA is a trojan which tries to download other malware from the Internet. The file is run-time compressed using UPX .


When executed, the trojan copies itself into the following location:

  • %windir%\­lsasss.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "Lexmark_X79-55" = "%windir%\­lsasss.exe"

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Internet Settings\­Zones\­2]
    • "*" = 2

A string with variable content is used instead of %variable% .

The trojan replaces file(s) referenced by the following Registry entries with its own copy or with another malware file:

  • [*\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]

The original file is stored in the following location:

  • %foundfilefolder%\­bak\­%foundfilename%.exe
Information stealing

The following information is collected:

  • list of running processes

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan quits immediately if it detects a running process containing one of the following strings in its name:

  • apvxdwin.exe
  • avciman.exe
  • avengine.exe
  • avp.exe
  • dpasnt.exe
  • erviceexe
  • firewallntservice.exe
  • fsaw.exe
  • fsguidll.exe
  • fsm32.exe
  • fspex.exe
  • isafe.exe
  • kav.exe
  • kavpf.exe
  • pavfnsvr.exe
  • pavprsrv.exe
  • pavsrv51.exe
  • pnmsrv.exe
  • psimsvc.exe
  • pskmssvc.exe
  • spoolsv.exe
  • spysweeper.exe
  • spysweeperui.exe
  • srvload.exe
  • ssuexe
  • tpsrv.exe
  • tsantispy.exe
  • vsmon.exe
  • wdfdatas
  • webproxy.exe
  • webrootdesktopfirewall.exe
  • zlclient.exe

Win32/Zonebac.AA is a trojan which tries to download other malware from the Internet.

The trojan contains a list of (2) URLs. The HTTP protocol is used in the communication.

The trojan may create the following files:

  • %temp%\­
  • %temp%\­%variable%.dat
  • %temp%\­%variable%.dat.exe

The files are then executed.

Please enable Javascript to ensure correct displaying of this content and refresh this page.