ZAPCHAST
Platform: Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
ZAPCHAST variants often arrive as an attachment to spammed messages. Once the malware has been executed, it creates a backdoor which gives an attacker access to the infected computer. It can also download and execute arbitrary files, and update itself. Variants may also check for AV-related files in the infected computer.
Some ZAPCHAST variants use an IRC client to perform backdoor routines.
This backdoor executes commands from a remote malicious user, effectively compromising the affected system.
It deletes itself after execution.
TECHNICAL DETAILS
Installation
This backdoor drops the following copies of itself into the affected system:
- %System%\sve.exe
- %System%\ccape.exe
- %System%\ccwap.exe
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32 on all Windows operating system versions.)
It creates the following mutex to ensure that only one of its copies runs at any one time:
- PpPPpPPpPPpPPpPPpP
Other System Modifications
This backdoor adds the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{random}
It adds the following registry entries as part of its installation routine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{random}
StubPath = "%System%\sve.exe 1 2"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adobe_RLX = "%System%\sve.exe 1 2"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
avatar = "%System%\ccape.exe 1 2"
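The following PowerShell script is an added example, not part of this entry, that checks a host for the installation artifacts listed above (dropped copies, the mutex, the Run/RunOnce values and an Active Setup StubPath that launches one of the dropped files with the "1 2" arguments). It assumes a 64-bit Windows host and only inspects the native HKLM hive.

```powershell
# Added detection example; artifact names are taken from the ZAPCHAST entry above.
# Run from an elevated PowerShell prompt.
$System   = [Environment]::SystemDirectory
$Dropped  = 'sve.exe', 'ccape.exe', 'ccwap.exe'
$Mutex    = 'PpPPpPPpPPpPPpPPpP'
$findings = @()

# 1. Dropped copies in %System%, hashed so the result can be cross-checked later
foreach ($name in $Dropped) {
    $p = Join-Path $System $name
    if (Test-Path -LiteralPath $p) {
        $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $findings += "Dropped file present: $p (SHA256 $h)"
    }
}

# 2. Mutex: if it can be opened, a copy is most likely running right now
try {
    $m = [System.Threading.Mutex]::OpenExisting($Mutex); $m.Dispose()
    $findings += "Mutex '$Mutex' exists: a ZAPCHAST process is probably running"
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # mutex not present
} catch [System.UnauthorizedAccessException] {
    $findings += "Mutex '$Mutex' exists but could not be opened (access denied)"
}

# 3. Run / RunOnce values named in the entry
$runValues = @{
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'     = 'Adobe_RLX'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' = 'avatar'
}
foreach ($key in $runValues.Keys) {
    $name = $runValues[$key]
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($item) { $findings += "$key\$name = $($item.($name))" }
}

# 4. Active Setup: the component name is random, so match on the StubPath instead
$asRoot = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
Get-ChildItem -Path $asRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $stub = (Get-ItemProperty -Path $_.PSPath -Name StubPath -ErrorAction SilentlyContinue).StubPath
    if ($stub -and $stub -match '\\(sve|ccape|ccwap)\.exe\s+1\s+2\s*$') {
        $findings += "Active Setup component $($_.PSChildName): StubPath = $stub"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No ZAPCHAST installation artifacts found.' }
```

On 64-bit hosts a 32-bit installer may write the same keys under HKLM:\SOFTWARE\Wow6432Node\..., so repeat steps 3 and 4 against that path as well.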
Backdoor Routine
This backdoor executes the following commands from a remote malicious user:
- Download file
- Download and execute file
- Update itself
- Perform remote shell command
Other Details
This backdoor connects to the following possibly malicious URLs:
- {BLOCKED}g.{BLOCKED}L.com
- {BLOCKED}t.{BLOCKED}b.com
- {BLOCKED}1.{BLOCKED}m.info
- {BLOCKED}jia.{BLOCKED}ip.net
- www.{BLOCKED}ver.{BLOCKED}o.com
- ftp.{BLOCKED}ver.{BLOCKED}o.com
It deletes itself after execution.
NOTES:
It searches for the following AV-related files:
- ESET
- Avira
- Trend Micro
- AVAST
- McAfee
- Panda Security
- AVG
- Kaspersky
- Symantec
- Norton