BKDR_ZEGOST.TPAN
Mal/Packer (Sophos) ,W32/Heuristic-210!Eldorado (damaged, not disinfectable) (Fprot) ,Trojan.SuspectCRC (Ikarus) ,HEUR:Trojan.Win32.Generic (Kaspersky) ,Backdoor:Win32/Zegost.AY (Microsoft) ,Backdoor.Trojan (Symantec) ,Trojan.Win32.Generic!BT (Sunbelt)
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Backdoor
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It connects to a website to send and receive information.
It deletes the initially executed copy of itself.
TECHNICAL DETAILS
Arrival Details
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This backdoor adds the following possibly malicious files or file components:
- %System Root%\{random foldername}\{random filename}.dll - detected as BKDR_ZEGOST.TPAN
- %System Root%\{random foldername}\MUpdate.exe
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)
Autostart Technique
This backdoor adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
CTFM0N = "%System Root%\{random foldername}\MUpdate.exe "%System Root%\{random foldername}\{random filename}.dll,ALSTS_ExecuteAction""
Backdoor Routine
This backdoor connects to the following websites to send and receive information:
- {BLOCKED}.{BLOCKED}.119.178
- {BLOCKED}.{BLOCKED}ION.INFO
- {BLOCKED}0.{BLOCKED}s.info
- v.{BLOCKED}n.com
As of this writing, the said servers are currently inaccessible.
HOSTS File Modification
This backdoor modifies the system's HOSTS files to redirect users once the following Web site(s) are accessed:
- 126.117.125.213 nAVER.coM
- 126.117.125.213 kIsA.hoNabenk.coM
- 126.117.125.213 kIsA.kcB.co.kR
- 126.117.125.213 kIsA.kfoc.co.kR
- 126.117.125.213 www.nAVER.co.KR
- 126.117.125.213 nAVER.cO.kR
- 126.117.125.213 www.nONGhyup.coM
- 126.117.125.213 BaNKiNg.nONGhyup.coM
- 126.117.125.213 iBz.nONGhyup.coM
- 126.117.125.213 www.nAVER.coM
- 126.117.125.213 nAVER.kR
- 126.117.125.213 www.nAVER.Kr
- 126.117.125.213 KisA.kBstor.coM
- 126.117.125.213 KisA.nONGhuyp.coM
- 126.117.125.213 KisA.nONGhyup.coM
- 126.117.125.213 KisA.shiNhoN.coM
- 126.117.125.213 KisA.WOORibenk.coM
- 126.117.125.213 KisA.IDK.co.kR
- 126.117.125.213 KisA.ibek.co.kR
- 126.117.125.213 KisA.EPostbenk.go.kR
- 126.117.125.213 KisA.hanAbenk.coM
- 126.117.125.213 KisA.keB.co.kR
- 126.117.125.213 KisA.kcB.co.kR
- 126.117.125.213 KisA.kfoc.co.kR
- 126.117.125.213 KisA.kfcc.co.kR
- 126.117.125.213 www.nATe.nEt
- 126.117.125.213 kIsA.kBstor.coM
- 126.117.125.213 kIsA.hanabank.com
- 126.117.125.213 kIsA.Nenghuyp.coM
- 126.117.125.213 kIsA.shiNhoN.coM
- 126.117.125.213 kIsA.wooribenk.coM
- 126.117.125.213 kIsA.idk.co.kR
- 126.117.125.213 kIsA.epostbenk.go.kR
- 126.117.125.213 kIsA.hoNabenk.coM
- 126.117.125.213 kIsA.kcB.co.kR
- 126.117.125.213 kIsA.kfoc.co.kR
- 126.117.125.213 KisA.kBstAR.coM
- 126.117.125.213 www.nATe.Kr
- 126.117.125.213 nATe.kR
- 126.117.125.213 phARmiNg.KisA.or.kR
- 126.117.125.213 www.GmARkeT.cO.kr
- 126.117.125.213 BizBaNk.shiNhaN.coM
- 126.117.125.213 oPEN.shiNhaN.coM
- 126.117.125.213 daUm.NeT
- 126.117.125.213 gMARkEt.CO.kr
- 126.117.125.213 www.nATe.cO.kr
- 126.117.125.213 nATe.Co.Kr
- 126.117.125.213 myBaNk.iBk.co.kR
- 126.117.125.213 Kiup.iBk.co.kR
- 126.117.125.213 oPEN.iBk.co.kR
- 126.117.125.213 www.daum.NeT
- 126.117.125.213 WOORiBaNk.coM
- 126.117.125.213 haNmail.NeT
- 126.117.125.213 eBaNk.keB.co.kR
- 126.117.125.213 www.gmARket.co.kr
- 126.117.125.213 oNliNe.keB.co.kR
- 126.117.125.213 oPEN.keB.co.kR
- 126.117.125.213 www.haNmail.Net
- 126.117.125.213 oPEN.hanABaNk.com
- 126.117.125.213 www.hanAcBs.coM
- 126.117.125.213 kfCc.co.kR
- 126.117.125.213 www.kfcc.co.kR
- 126.117.125.213 iBs.kfcc.co.kR
- 126.117.125.213 EPostBaNk.go.kR
- 126.117.125.213 www.EPostBaNk.go.kR
- 126.117.125.213 www.nAte.com
Information Theft
This backdoor gathers the following data:
- OS version
- System's default language
- Processor information
Other Details
This backdoor drops the following file(s)/component(s):
- %System%\drivers\etc\hosts.ics - temporary file that contains contents of data.mdb
- {malware path}\data.mdb - contains the decrypted received data. This is deleted after contents are copied to the hosts file
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)
It deletes the initially executed copy of itself
NOTES:
It accesses the following sites to download encrypted data:
- http://{BLOCKED}.{BLOCKED}.241.109:805/plus.php
The encrypted data contains the list of sites that will be added to the HOSTS file.
It queries the following registry key to get the processor information:
- HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
It attempts to terminate the following processes:
- ASDSvc.exe
- AYRTSrv.aye
SOLUTION
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Scan your computer with your Trend Micro product and note files detected as BKDR_ZEGOST.TPAN
Step 3
Restart in Safe Mode
Step 4
Delete this registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- CTFM0N = "%System Root%\{random foldername}\MUpdate.exe "%System Root%\{random foldername}\{random filename}.dll,ALSTS_ExecuteAction""
- CTFM0N = "%System Root%\{random foldername}\MUpdate.exe "%System Root%\{random foldername}\{random filename}.dll,ALSTS_ExecuteAction""
Step 5
Search and delete these files
- %System Root%\{random foldername}\{random filename}.dll
- %System Root%\{random foldername}\MUpdate.exe
Step 6
Remove these strings added by the malware/grayware/spyware in the HOSTS file
- 126.117.125.213 nAVER.coM
- 126.117.125.213 kIsA.hoNabenk.coM
- 126.117.125.213 kIsA.kcB.co.kR
- 126.117.125.213 kIsA.kfoc.co.kR
- 126.117.125.213 www.nAVER.co.KR
- 126.117.125.213 nAVER.cO.kR
- 126.117.125.213 www.nONGhyup.coM
- 126.117.125.213 BaNKiNg.nONGhyup.coM
- 126.117.125.213 iBz.nONGhyup.coM
- 126.117.125.213 www.nAVER.coM
- 126.117.125.213 nAVER.kR
- 126.117.125.213 www.nAVER.Kr
- 126.117.125.213 KisA.kBstor.coM
- 126.117.125.213 KisA.nONGhuyp.coM
- 126.117.125.213 KisA.nONGhyup.coM
- 126.117.125.213 KisA.shiNhoN.coM
- 126.117.125.213 KisA.WOORibenk.coM
- 126.117.125.213 KisA.IDK.co.kR
- 126.117.125.213 KisA.ibek.co.kR
- 126.117.125.213 KisA.EPostbenk.go.kR
- 126.117.125.213 KisA.hanAbenk.coM
- 126.117.125.213 KisA.keB.co.kR
- 126.117.125.213 KisA.kcB.co.kR
- 126.117.125.213 KisA.kfoc.co.kR
- 126.117.125.213 KisA.kfcc.co.kR
- 126.117.125.213 www.nATe.nEt
- 126.117.125.213 kIsA.kBstor.coM
- 126.117.125.213 kIsA.hanabank.com
- 126.117.125.213 kIsA.Nenghuyp.coM
- 126.117.125.213 kIsA.shiNhoN.coM
- 126.117.125.213 kIsA.wooribenk.coM
- 126.117.125.213 kIsA.idk.co.kR
- 126.117.125.213 kIsA.epostbenk.go.kR
- 126.117.125.213 kIsA.hoNabenk.coM
- 126.117.125.213 kIsA.kcB.co.kR
- 126.117.125.213 kIsA.kfoc.co.kR
- 126.117.125.213 KisA.kBstAR.coM
- 126.117.125.213 www.nATe.Kr
- 126.117.125.213 nATe.kR
- 126.117.125.213 phARmiNg.KisA.or.kR
- 126.117.125.213 www.GmARkeT.cO.kr
- 126.117.125.213 BizBaNk.shiNhaN.coM
- 126.117.125.213 oPEN.shiNhaN.coM
- 126.117.125.213 daUm.NeT
- 126.117.125.213 gMARkEt.CO.kr
- 126.117.125.213 www.nATe.cO.kr
- 126.117.125.213 nATe.Co.Kr
- 126.117.125.213 myBaNk.iBk.co.kR
- 126.117.125.213 Kiup.iBk.co.kR
- 126.117.125.213 oPEN.iBk.co.kR
- 126.117.125.213 www.daum.NeT
- 126.117.125.213 WOORiBaNk.coM
- 126.117.125.213 haNmail.NeT
- 126.117.125.213 eBaNk.keB.co.kR
- 126.117.125.213 www.gmARket.co.kr
- 126.117.125.213 oNliNe.keB.co.kR
- 126.117.125.213 oPEN.keB.co.kR
- 126.117.125.213 www.haNmail.Net
- 126.117.125.213 oPEN.hanABaNk.com
- 126.117.125.213 www.hanAcBs.coM
- 126.117.125.213 kfCc.co.kR
- 126.117.125.213 www.kfcc.co.kR
- 126.117.125.213 iBs.kfcc.co.kR
- 126.117.125.213 EPostBaNk.go.kR
- 126.117.125.213 www.EPostBaNk.go.kR
- 126.117.125.213 www.nAte.com
Step 7
Restart in normal mode and scan your computer with your Trend Micro product for files detected as BKDR_ZEGOST.TPAN. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Did this description help? Tell us how we did.