BKDR_ZACCESS.GB

 Analysis by: rolandde

 ALIASES:

Backdoor.Win32.ZAccess.aqo (Kaspersky); Trojan:Win32/Sirefef.P (Microsoft)

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003


  • Threat Type: Backdoor

  • Destructiveness: No

  • In the wild: Yes

  OVERVIEW

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size:

48,016 bytes

File Type:

EXE

Initial Samples Received Date:

12 Dec 2011

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following non-malicious file:

  • %Windows%\1493438348

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

Autostart Technique

This backdoor registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\8c0f0459
Type = "1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\8c0f0459
Start = "3"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\8c0f0459
ImagePath = "\systemroot\1493438348:1945172902.exe"

Other System Modifications

This backdoor adds the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\8c0f0459

Other Details

This backdoor connects to the following possibly malicious URL:

  • http://sstatic1.histats.com/0.gif?1631605&101

NOTES:

It installs itself as an Alternate Data Stream (ADS) in its dropped file, %Windows%\1493438348. The ADS has the following name:

  • %System%\1493438348:1945172902.exe
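A defender-side check for the autostart technique described above, as an added example that is not part of Trend Micro's write-up: it recognises a service ImagePath of the host-file:stream form and scans a registry export for services that start from an Alternate Data Stream. The export text is constructed here (the 8c0f0459 values from this page beside a benign Spooler entry) and uses plain strings; a real .reg export may encode ImagePath as hex(2), which this parser does not decode.

```python
import re

# NT-style prefixes that may precede a drive letter in an ImagePath value.
NT_PREFIXES = ("\\??\\", "\\\\?\\")

# Constructed sample export (not real registry data): the service values from
# this page next to a benign service, in simplified .reg syntax.
CONSTRUCTED_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\8c0f0459]
"Type"=dword:00000001
"Start"=dword:00000003
"ImagePath"="\\systemroot\\1493438348:1945172902.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Type"=dword:00000110
"Start"=dword:00000002
"ImagePath"="C:\\Windows\\System32\\spoolsv.exe"
"""


def parse_ads_image_path(image_path):
    """Return (host_file, stream_name) if the path names an ADS, else None.

    A colon inside the last path component marks a stream; a drive letter
    ("C:") or NT prefix is not mistaken for one. A trailing ":$DATA" is dropped.
    """
    path = image_path.strip().strip('"')
    for prefix in NT_PREFIXES:
        if path.startswith(prefix):
            path = path[len(prefix):]
    directory, sep, last = path.replace("/", "\\").rpartition("\\")
    if not sep and re.match(r"^[A-Za-z]:", last):  # drive-relative "C:name" form
        last = last[2:]
    if ":" not in last:
        return None
    host, stream = last.split(":", 1)
    if stream.upper().endswith(":$DATA"):
        stream = stream[:-6]
    if not host or not stream:
        return None
    return directory + sep + host, stream


def find_ads_services(reg_export):
    """Return [(service_name, host_file, stream)] for ImagePath values that are an ADS."""
    hits, key = [], None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.lower().startswith('"imagepath"='):
            value = line.split("=", 1)[1].strip()
            if value.startswith('"'):  # .reg string: unquote and unescape backslashes
                value = value.strip('"').replace("\\\\", "\\")
            ads = parse_ads_image_path(value)
            if ads:
                hits.append((key.rsplit("\\", 1)[-1], *ads))
    return hits
```

Any hit is worth triage: a service that starts from a stream hidden behind a non-malicious-looking host file, as with %Windows%\1493438348 here, is invisible to a plain directory listing.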