BKDR_ZEGOST.SMED

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

It deletes itself after execution.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following copies of itself into the affected system:

• %System%\Wi808b.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• zrp.minipokesa.com:8008

It injects itself into the following processes as part of its memory residency routine:

• svchost.exe

Autostart Technique

This backdoor registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\W808bjf32
ImagePath = "%System%\Wi808b.exe"

Other System Modifications

This backdoor adds the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\W808bjf32

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\W808bjf32\Security

It adds the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\W808bjf32
Type = "10"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\W808bjf32
Start = "2"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\W808bjf32
ErrorControl = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\W808bjf32
DisplayName = "Wi808bs Heay System"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\W808bjf32
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\W808bjf32
SYSTEM\CurrentControlSet\Services\W808bjf32 = "Wi808bs Hhlm System for X32"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\W808bjf32\Security
Security = "{Random Hex Values}"

Backdoor Routine

This backdoor opens the following port(s) where it listens for remote commands:

• TCP Port 8008

It executes the following commands from a remote malicious user:

• Perform DDOS attacks
• Release mutex
• Terminate itself
• Delete itself
• Delete its added service registry
• Remote shell execution
• Download and execute files
• Shutdown machine

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• {BLOCKED}p.{BLOCKED}kesa.com

It posts the following information to its command and control (C&C) server:

• Processor information
• OS version information
• Current usage of both physical and virtual memory
• Install language information

Other Details

This backdoor deletes itself after execution.