
W32.Zorenium


First posted on 17 June 2014.
Source: Symantec

Aliases :

There are no other names known for W32.Zorenium.

Explanation :

When the worm is executed, it creates the following file:
%Windir%\unt32.exe

Next, the worm creates the following registry entries so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe %Windir%\unt32.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Windows Service Manager" = "%Windir%\unt32.exe"

The Winlogon "Shell" value normally contains only explorer.exe; appending a second executable makes Winlogon launch the dropped file alongside Explorer at every interactive logon, so the worm has two separate autostart points.

The worm then connects to the following remote locations:
[http://]208.64.38.55:80/procres[REMOVED]
[http://]208.64.38.55:80/Logi[REMOVED]
[http://]208.64.38.55:80/Regist[REMOVED]

The worm may then perform the following actions:
Install a keylogger to steal login credentials from online payment and gaming services
Download and execute files
End antivirus and administration processes
Use the compromised computer to perform distributed denial-of-service attacks
Undertake port scans

The worm then emails itself with the following characteristics:

Subject:
RE:

Message body:
"here is your requested facebook chat beta invite"

Attachment:
Computer.exe

Attachment size:
1MB
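The following is an added example and is not code from Symantec's write-up: a small Python script that parses a Windows registry export (the text that `reg export` produces) and flags the two autostart values listed above. The key paths and the file name unt32.exe come from the description; the sample export it runs on is constructed, and it assumes %Windir% expands to C:\Windows.

```python
# Added example, not part of the Symantec write-up. Scans a .reg export for the
# two W32.Zorenium autostart values: a hijacked Winlogon "Shell" and a Run value
# that launches unt32.exe. Sample data below is constructed and assumes that
# %Windir% expands to C:\Windows.
import re
from typing import Dict, List, Tuple

# Key paths and file name taken from the write-up.
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
DROPPED_FILE = "unt32.exe"   # %Windir%\unt32.exe

# Constructed sample in `reg export` format (assumption: %Windir% = C:\Windows).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\Windows\\unt32.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Windows Service Manager"="C:\\Windows\\unt32.exe"
"""

# Constructed clean export used as a negative control.
CLEAN_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"""

_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')   # "name"="string data" lines only


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}} for the REG_SZ values in a .reg export."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            # .reg files escape backslashes and quotes inside string data.
            data = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
            keys[current][m.group(1)] = data
    return keys


def scan_reg_export(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (key, value_name, data, reason) for each suspicious autostart value."""
    findings: List[Tuple[str, str, str, str]] = []
    keys = parse_reg_export(text)
    # Winlogon\Shell normally holds exactly "explorer.exe"; any extra command
    # appended to it is a shell hijack, whatever the appended file is called.
    shell = keys.get(WINLOGON_KEY, {}).get("Shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append((WINLOGON_KEY, "Shell", shell, "Winlogon Shell is not plain explorer.exe"))
    # Run values are legitimately varied, so match on the dropped file name.
    for name, data in keys.get(RUN_KEY, {}).items():
        if DROPPED_FILE in data.lower():
            findings.append((RUN_KEY, name, data, "Run value launches " + DROPPED_FILE))
    return findings


if __name__ == "__main__":
    for key, name, data, reason in scan_reg_export(SAMPLE_REG_EXPORT):
        print(f"{reason}: {key}\\{name} = {data}")
```

Run as-is it reports both values from the constructed sample and nothing from the clean one. To check a real host, export the two keys with `reg export` and pass the file contents to scan_reg_export; note that `reg export` writes UTF-16 with a byte-order mark, so open the file with encoding "utf-16" before passing the text in. The Shell check deliberately flags any deviation from explorer.exe rather than only unt32.exe, since the same hijack technique is used with other file names.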

Last update 17 June 2014
