PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)


  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

ZAPCHAST variants often arrive as an attachment to spammed messages. Once the malware has been executed, it creates a backdoor which gives an attacker access to the infected computer. It can also download and execute arbitrary files, and update itself. Variants may also check for AV-related files in the infected computer.

Some ZAPCHAST variants use an IRC client to perform backdoor routines.

This backdoor executes commands from a remote malicious user, effectively compromising the affected system.

It deletes itself after execution.

  TECHNICAL DETAILS

Memory Resident: Yes

Installation

This backdoor drops the following copies of itself into the affected system:

  • %System%\sve.exe
  • %System%\ccape.exe
  • %System%\ccwap.exe

(Note: %System% is the Windows system folder, usually C:\Windows\System32 on all Windows operating system versions.)

It creates the following mutex to ensure that only one of its copies runs at any one time:

  • PpPPpPPpPPpPPpPPpP

Other System Modifications

This backdoor adds the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{random}

It adds the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{random}
StubPath = "%System%\sve.exe 1 2"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adobe_RLX = "%System%\sve.exe 1 2"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
avatar = "%System%\ccape.exe 1 2"
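
The dropped files, mutex and persistence entries above can be checked on a host with a read-only PowerShell script. The script below is an added example, not part of this encyclopedia entry or any vendor tool; it assumes the value names and file names exactly as listed on this page and reports only, without deleting or changing anything.

```powershell
# Added example: read-only check for the ZAPCHAST artifacts listed on this page.
$sysDir = [Environment]::GetFolderPath('System')   # resolves %System%
$findings = @()

# 1. Dropped copies in %System%
foreach ($name in 'sve.exe', 'ccape.exe', 'ccwap.exe') {
    $path = Join-Path $sysDir $name
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $findings += "Dropped copy present: $path"
    }
}

# 2. Run / RunOnce values named on the page
$runValues = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';     Name = 'Adobe_RLX' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'; Name = 'avatar' }
)
foreach ($v in $runValues) {
    $item = Get-ItemProperty -Path $v.Key -Name $v.Name -ErrorAction SilentlyContinue
    if ($item) {
        $findings += ('{0}\{1} = {2}' -f $v.Key, $v.Name, $item.($v.Name))
    }
}

# 3. Active Setup: the subkey name is {random}, so match on the StubPath data instead
$asRoot = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
Get-ChildItem -Path $asRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $stub = (Get-ItemProperty -Path $_.PSPath -Name 'StubPath' -ErrorAction SilentlyContinue).StubPath
    if ($stub -and $stub -match '\\(sve|ccape|ccwap)\.exe') {
        $findings += "Active Setup StubPath in $($_.PSChildName): $stub"
    }
}

# 4. Mutex: OpenExisting succeeds only if a process currently holds the name
try {
    $m = [System.Threading.Mutex]::OpenExisting('PpPPpPPpPPpPPpPPpP')
    $m.Dispose()
    $findings += 'Mutex PpPPpPPpPPpPPpPPpP exists (a copy may be running)'
} catch {
    # WaitHandleCannotBeOpenedException: mutex not present; other errors are ignored too
}

if ($findings.Count -eq 0) { 'No ZAPCHAST persistence artifacts found.' } else { $findings }
```

Run it from an elevated prompt so HKLM and %System% are readable; a hit on any item is a reason to image the host rather than to clean it in place.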

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

  • Download file
  • Download and execute file
  • Update itself
  • Perform remote shell command

Other Details

This backdoor connects to the following possibly malicious URLs:

  • {BLOCKED}g.{BLOCKED}L.com
  • {BLOCKED}t.{BLOCKED}b.com
  • {BLOCKED}1.{BLOCKED}m.info
  • {BLOCKED}jia.{BLOCKED}ip.net
  • www.{BLOCKED}ver.{BLOCKED}o.com
  • ftp.{BLOCKED}ver.{BLOCKED}o.com

It deletes itself after execution.

NOTES:

It searches for the following AV-related files:

  • ESET
  • Avira
  • Trend Micro
  • AVAST
  • McAfee
  • Panda Security
  • AVG
  • Kaspersky
  • Symantec
  • Norton