ALIASES:

Bjlog, Graftor

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003


  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet

ZEGOST is a family of backdoors that arrives as a file downloaded from the Internet. A computer is typically infected when the user unknowingly downloads the malware while visiting compromised sites.

ZEGOST backdoors are capable of the following routines:

  • Download other files

  • Execute files

  • Get drive information (type, free space)

  • Terminate processes/threads

They connect to command-and-control (C&C) servers to get other commands for execution or to transmit stolen information.

This backdoor deletes registry entries, causing some applications and programs to not function properly.

  TECHNICAL DETAILS

Memory Resident: Yes
Payload: Connects to URLs/IPs

Installation

This backdoor drops the following files:

  • %System%\mmd.exe
  • %Program Files%\%SESSIONNAME%\{random characters}.cc3
  • %System%\{random characters}.rdb
  • %Application Data%\Systems\ACDSee\Igebo.ddf%SESSIONNAME%\fupmj.cc3

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003. %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)

It drops the following copies of itself into the affected system:

  • %System Root%\{random}

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It creates the following folders:

  • %Program Files%\%SESSIONNAME%
  • %Application Data%\Systems
  • %Application Data%\Systems\ACDSee
  • %Application Data%\Systems\ACDSee\Igebo.ddf%SESSIONNAME%

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)

Autostart Technique

This backdoor registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Comhidserv70\Parameters
seRVicemAIN = "NPGetResourceParent"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Comhidserv70\Parameters
seRVicedlL = "%Program Files%\%SESSIONNAME%\{random characters}.cc3"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HidServ\Parameters
seRVicemAIN = "NPGetResourceParent"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Comhidserv70
ImagePath = "%System%\svchost.exe -k netsvcs"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Comhidserv70\Parameters
serviceDlL = "%Application Data%\Systems\ACDSee\Igebo.ddf%SESSIONNAME%\fupmj.cc3"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HIDSERV\0000
Service = "HidServ"

Other System Modifications

This backdoor adds the following registry keys as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Comhidserv70

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HIDSERV

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HidServ

It modifies the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HidServ
ErrorControl = "0"

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HidServ\Parameters
ServiceDll = "%Program Files%\%SESSIONNAME%\{random characters}.cc3"

(Note: The default value data of the said registry entry is %System%\hidserv.dll.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HidServ
Start = "2"

(Note: The default value data of the said registry entry is 4.)

It deletes the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HidServ
DependOnService = "RpcSs"
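As an added example (not part of this entry), the following Python parses the text that `reg query <key> /s` prints and flags the HidServ service-DLL changes listed under Autostart Technique and Other System Modifications. The registry output is constructed for illustration, and the ServiceDll path under %Program Files% is made up.

```python
import re
# Constructed samples in the layout `reg query <key> /s` prints; the ServiceDll path is made up.
SAMPLE_INFECTED = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HidServ
    Start    REG_DWORD    0x2
    ErrorControl    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HidServ\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\Program Files\Console\xqzt.cc3
    seRVicemAIN    REG_SZ    NPGetResourceParent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Comhidserv70
"""
SAMPLE_CLEAN = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HidServ
    Start    REG_DWORD    0x4
    ErrorControl    REG_DWORD    0x1
    DependOnService    REG_MULTI_SZ    RpcSs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HidServ\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\hidserv.dll
"""
HIDSERV = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HidServ"

def parse_reg_query(text):
    """Map each key path to {lower-cased value name: data} from `reg query /s` output."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and current is not None:   # value row: name, type, data
            parts = re.split(r" {4,}", line.strip(), maxsplit=2)
            if len(parts) >= 2:
                current[parts[0].lower()] = parts[2] if len(parts) == 3 else ""
        elif line.strip():                                  # key path, starts in column 0
            current = keys.setdefault(line.strip(), {})
    return keys

def zegost_indicators(text):
    """Return the HidServ hijack indicators from this entry that are present in text."""
    keys = parse_reg_query(text)
    svc, params = keys.get(HIDSERV, {}), keys.get(HIDSERV + r"\Parameters", {})
    dll = params.get("servicedll", "")
    checks = [
        (dll and not dll.lower().endswith(r"\system32\hidserv.dll"), "ServiceDll replaced: " + dll),
        (svc.get("start", "").lower() == "0x2", "Start set to 2 (automatic); default is 4"),
        (svc.get("errorcontrol", "").lower() == "0x0", "ErrorControl set to 0; default is 1"),
        (bool(svc) and "dependonservice" not in svc, "DependOnService (RpcSs) deleted"),
        (params.get("servicemain") == "NPGetResourceParent", "ServiceMain = NPGetResourceParent"),
        (any("comhidserv70" in k.lower() for k in keys), "Comhidserv70 key present"),
    ]
    return [msg for hit, msg in checks if hit]
```

On a live host, feed it the output of `reg query HKLM\SYSTEM\CurrentControlSet\Services\HidServ /s` together with a query of HKLM\SOFTWARE\Microsoft; an empty list means none of the listed changes were found.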

Other Details

This backdoor connects to the following possibly malicious URLs:

  • news.{BLOCKED}o.com
  • music.{BLOCKED}rj.com
  • dm.{BLOCKED}its.com
  • wel.{BLOCKED}college.net