BKDR_ZEGOST
Bjlog, Graftor
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
A family of backdoors, ZEGOST is known to arrive as a downloaded file. When a computer is infected with ZEGOST malware, the malware may have been downloaded unknowingly when visiting compromised sites.
ZEGOST backdoors are capable of the following routines:
- Download other files
- Execute files
- Get drive information (type, free space)
- Terminate processes/threads
They connect to command-and-control (C&C) servers to get other commands for execution or to transmit stolen information.
This backdoor deletes registry entries, causing some applications and programs to not function properly.
TECHNICAL DETAILS
Installation
This backdoor drops the following files:
- %System%\mmd.exe
- %Program Files%\%SESSIONNAME%\{random characters}.cc3
- %System%\{random characters}.rdb
- %Application Data%\Systems\ACDSee\Igebo.ddf%SESSIONNAME%\fupmj.cc3
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.. %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)
It drops the following copies of itself into the affected system:
- %System Root%\{random}
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)
It creates the following folders:
- %Program Files%\%SESSIONNAME%
- %Application Data%\Systems
- %Application Data%\Systems\ACDSee
- %Application Data%\Systems\ACDSee\Igebo.ddf%SESSIONNAME%
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)
Autostart Technique
This backdoor registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Comhidserv70\Parameters
seRVicemAIN = "NPGetResourceParent"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Comhidserv70\Parameters
seRVicedlL = "%Program Files%\%SESSIONNAME%\{random characters}.cc3"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\HidServ\Parameters
seRVicemAIN = "NPGetResourceParent"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Comhidserv70
ImagePath = "%System%\svchost.exe -k netsvcs"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Comhidserv70\Parameters
serviceDlL = "%Application Data%\Systems\ACDSee\Igebo.ddf%SESSIONNAME%\fupmj.cc3"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_HIDSERV\
0000
Service = "HidServ"
Other System Modifications
This backdoor adds the following registry keys as part of its installation routine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Comhidserv70
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_HIDSERV
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\HidServ
It modifies the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\HidServ
ErrorControl = "0"
(Note: The default value data of the said registry entry is 1.)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\HidServ\Parameters
ServiceDll = "%Program Files%\%SESSIONNAME%\{random characters}.cc3"
(Note: The default value data of the said registry entry is %System%\hidserv.dll.)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\HidServ
Start = "2"
(Note: The default value data of the said registry entry is 4.)
It deletes the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\HidServ
DependOnService = "RpcSs"
Other Details
This backdoor connects to the following possibly malicious URL:
- news.{BLOCKED}o.com
- music.{BLOCKED}rj.com
- dm.{BLOCKED}its.com
- wel.{BLOCKED}college.net