TROJ_ZEFARCH


 ALIASES:

Hiloti, Zefarch, Virtum

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet, Dropped by other malware


MUFANOM is a family of Trojans that are dropped by other malware or downloaded by other malware onto systems. When executed, MUFANOM variants drop its component files onto the infected systems. They also attempt to access malicious URLs, which may result in downloading malicious files onto the system and executing them.

Some variants of this malware family may also have other routines, which include monitoring user activity whenever the user accesses certain sites in Internet Explorer. In addition, some variants may install a browser plugin component. This component monitors user browser activities in order to display ads on the user's browser. Some MUFANOM malware were seen to download files from the ZEFARCH malware family.

  TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Modifies system registry, Connects to URLs/IPs, Drops files, Downloads files

Installation

This Trojan drops the following files:

  • %Windows%\{random file name}.dll

(Note: %Windows% is the Windows folder, which is usually C:\Windows.)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random letters} = "rundll32.exe "%Windows%\{random file name}.dll",Startup"

Other System Modifications

This Trojan adds the following registry keys as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\{random letters}

Other Details

This Trojan connects to the following possibly malicious URL:

  • {12 random alpha-numeric characters}.{7 random letters}.com