
Backdoor:Win32/Zacom.A


First posted on 06 June 2013.
Source: Microsoft

Aliases :

Backdoor:Win32/Zacom.A is also known as BackDoor-FCC.dr!2A26873E1AAC (McAfee), Win32/TrojanDropper.Agent.QBQ (ESET), Gen:Variant.Graftor.96252 (BitDefender).

Explanation :



Installation

Backdoor:Win32/Zacom.A may arrive as what looks like a Microsoft PowerPoint file (with the extension .ppt). It is in fact an executable; opening it runs the trojan, which installs itself on your computer. The file name is in Japanese, but in our samples the characters are corrupted, so we were unable to determine what it says.

When run, the trojan drops the following files into the %TEMP% folder and runs them:

  • checkup.exe
  • <Japanese characters> .ppt
The dropped PowerPoint file serves as a decoy: it displays the message "Welcome to Osaka, the professors of Yale University - RCNP". The message is written in English.

The trojan creates a copy of itself as %PUBLIC%\wmiprivse.exe.

It modifies the following registry entry to ensure that its copy runs at each Windows start:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: wmiprivse.exe
With data: %PUBLIC%\wmiprivse.exe



Payload

Connects to remote server

When run, the trojan listens for connections on TCP port 1139 and waits for commands. It also reads the system's proxy configuration and uses that proxy to connect to the following servers:

  • http://mofamideast.appspot.com/<removed>.py
  • http://www.kixservice.com/<removed>/&PackNo=
  • http://www.kixservice.com/<removed>/SGames.asp?HostID=
  • http://www.kixservice.com/<removed>/SSports.asp?HostID=
  • http://www.kixservice.com/<removed>/STravel.asp?HostID=
  • http://www.kixservice.com/<removed>/SWeather.asp?HostID=
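As an added example that is not part of the Microsoft write-up, the PowerShell function below scans proxy-log lines for requests matching the check-in URLs listed above. The log layout (timestamp, client, method, URL) and the sample lines are constructed for this example; the regular expressions take the hostnames and .asp/.py names from the list and replace the path segment Microsoft removed with a wildcard.

```powershell
# Added example (not code from the Microsoft analysis): flag proxy-log lines
# whose URL matches the Zacom.A check-in patterns. Adapt the field split to
# your proxy's log format; the layout assumed here is constructed.

# Constructed sample lines: "timestamp client method url".
$SampleLog = @'
2013-06-06T10:01:12Z 10.0.0.15 GET http://www.example.com/index.html
2013-06-06T10:01:40Z 10.0.0.15 GET http://www.kixservice.com/abc/SGames.asp?HostID=00-11-22-33-44-55
2013-06-06T10:02:03Z 10.0.0.22 GET http://mofamideast.appspot.com/xyz.py
2013-06-06T10:02:15Z 10.0.0.22 POST http://www.kixservice.com/abc/upload?PackNo=7
2013-06-06T10:03:00Z 10.0.0.31 GET http://www.kixservice.com.evil.test/SWeather.asp?HostID=1
'@

# Patterns derived from the C2 URLs above. The removed path segment is a
# wildcard; the host is anchored so a look-alike such as
# www.kixservice.com.evil.test is not matched on the hostname prefix alone.
$ZacomUrlPatterns = @(
    '^https?://mofamideast\.appspot\.com/[^/?\s]+\.py',
    '^https?://www\.kixservice\.com/.*[?&]PackNo=',
    '^https?://www\.kixservice\.com/.*/S(Games|Sports|Travel|Weather)\.asp\?HostID='
)

function Find-ZacomBeacons {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [string[]]$Patterns = $ZacomUrlPatterns
    )
    foreach ($line in $Lines) {
        # Assumed layout: the URL is the fourth whitespace-separated field.
        $fields = $line -split '\s+', 4
        if ($fields.Count -lt 4) { continue }
        $url = $fields[3]
        foreach ($p in $Patterns) {
            if ($url -match $p) {
                [pscustomobject]@{
                    Time    = $fields[0]
                    Client  = $fields[1]
                    Url     = $url
                    Pattern = $p
                }
                break   # one hit per line is enough
            }
        }
    }
}

$hits = Find-ZacomBeacons -Lines ($SampleLog -split "`r?`n")
$hits | Format-Table -AutoSize
```

On the constructed sample, the second, third and fourth lines are flagged and the look-alike host on the last line is not. Because the `<removed>` path segment is unknown, the patterns key on the hostnames and on the distinctive `HostID=` and `PackNo=` query parameters; the `HostID` value is worth correlating with the client's MAC address, since that is among the data the trojan reports.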


When connected, the trojan sends information about your computer that it gathered when it was first run. This information includes the following:

  • MAC address of your computer
  • The current date and time
  • The version of your operating system
  • Your computer's locale or location


Allows backdoor access and control

The trojan can receive commands from a remote attacker via the servers and port listed in the Connects to remote server payload. These commands can include:

  • To download and run other files, including malware
  • To retrieve files from your computer and send them to the remote server
  • To perform DDoS attacks against a specified target (we have not observed this behavior on any target, except for the home page of www.microsoft.com)


Modifies Internet security settings

The trojan modifies the following registry entry so that its traffic bypasses the proxy, which supports the Connects to remote server payload:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Sets value: ProxyBypass
With data: "1"

Additional information

Backdoor:Win32/Zacom.A creates the following named events to prevent more than one instance of the trojan from running on your computer:

  • GAPZCM_MAINEXE
  • GoogleZCM
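As an added example that is not part of the original analysis, the PowerShell function below checks a host for the artefacts documented on this page: the dropped files and the Run value (Installation), the TCP 1139 listener (Connects to remote server), the ZoneMap ProxyBypass value (Modifies Internet security settings) and the two named events (Additional information). The function name and the shape of its output are this example's own choices.

```powershell
# Added example, not code from the Microsoft analysis. Checks the local host
# for the Zacom.A artefacts listed on this page. Run from an elevated
# PowerShell prompt; the function name and report layout are assumptions.

function Test-ZacomArtifacts {
    $findings = @()

    # Dropped files: the copy in %PUBLIC% and the helper dropped to %TEMP%
    # (%TEMP% resolves for the current user only).
    foreach ($path in (Join-Path $env:PUBLIC 'wmiprivse.exe'), (Join-Path $env:TEMP 'checkup.exe')) {
        $findings += [pscustomobject]@{
            Check  = "File $path"
            Found  = (Test-Path -LiteralPath $path -PathType Leaf)
            Detail = $path
        }
    }

    # Persistence: Run value 'wmiprivse.exe' pointing at the %PUBLIC% copy.
    $runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $runValue = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).'wmiprivse.exe'
    $findings += [pscustomobject]@{
        Check  = 'HKLM Run value wmiprivse.exe'
        Found  = [bool]$runValue
        Detail = [string]$runValue
    }

    # Proxy bypass flag. ProxyBypass=1 is also common on clean hosts, so it
    # corroborates the other findings rather than standing on its own.
    $zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
    $bypass  = (Get-ItemProperty -Path $zoneMap -Name ProxyBypass -ErrorAction SilentlyContinue).ProxyBypass
    $findings += [pscustomobject]@{
        Check  = 'HKCU ZoneMap ProxyBypass = 1'
        Found  = ($bypass -eq 1)
        Detail = "ProxyBypass=$bypass"
    }

    # Backdoor listener on TCP 1139 (Get-NetTCPConnection needs Windows 8 / Server 2012 or later).
    $listener = @(Get-NetTCPConnection -LocalPort 1139 -State Listen -ErrorAction SilentlyContinue)
    $detail = ''
    if ($listener.Count -gt 0) {
        $owner  = Get-Process -Id $listener[0].OwningProcess -ErrorAction SilentlyContinue
        $detail = "PID $($listener[0].OwningProcess) $($owner.ProcessName)"
    }
    $findings += [pscustomobject]@{
        Check  = 'TCP 1139 listener'
        Found  = ($listener.Count -gt 0)
        Detail = $detail
    }

    # Single-instance guard events. OpenExisting throws if the name is absent;
    # an access-denied error still shows the name is taken.
    foreach ($name in 'GAPZCM_MAINEXE', 'GoogleZCM') {
        $found = $false
        foreach ($candidate in $name, "Global\$name") {
            try {
                $ev = [System.Threading.EventWaitHandle]::OpenExisting($candidate)
                $ev.Dispose()
                $found = $true
                break
            } catch [System.Threading.WaitHandleCannotBeOpenedException] {
                # not present under this name; try the next namespace
            } catch [System.UnauthorizedAccessException] {
                $found = $true
                break
            }
        }
        $findings += [pscustomobject]@{ Check = "Event $name"; Found = $found; Detail = $name }
    }

    return $findings
}

$report = Test-ZacomArtifacts
$report | Format-Table -AutoSize
if ($report | Where-Object { $_.Found }) {
    Write-Warning 'Zacom.A indicators present: isolate the host and preserve the listed files before cleaning.'
}
```

Treat the file, Run value, listener and event checks as the strong signals; the ProxyBypass value alone is not evidence of infection. On systems older than Windows 8 replace the Get-NetTCPConnection call with `netstat -ano | findstr :1139`, and remember that the %TEMP% check only covers the account the script runs under.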




Analysis by Justin Kim

Last update 06 June 2013
