ThreatExpert Report: Trojan.mIRC-Based.AM, Backdoor.IRC.Zapchast.zwrc, Backdoor.IRC.Aladinz..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 3 January 2009, 16:09:21
Processing time: 6 min 27 sec
Submitted sample:

File MD5: 0x737E10BE307601F22A491FD76798CD21
File SHA-1: 0x9523BCCFC96FD77228CB6B28DC06466CA2DBB76E
Filesize: 1,281,843 bytes
Alias:

Trojan.mIRC-Based.AM [PCTools]
Backdoor.IRC.Aladinz [Symantec]
Backdoor.IRC.Zapchast.zwrc [Kaspersky Lab]
Mal/Zapchas-A [Sophos]

Summary of the findings:

What's been found	Severity Level
Communication with a remote IRC server.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

Possible Security Risk

Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
Backdoor.IRCBot	Backdoor.IRCBot is a family of IRC backdoors allowing unauthorized access to an infected PC. It has the capability to spread over a network exploiting various Windows vulnerabilities.
Trojan.RunKeys	Trojan.RunKeys installs autorun registry entries for other malware. It is normally bundled with other malware and ensures that they are executed each time Windows starts.

Attention! The following threat categories were identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	[file and pathname of the sample #1]	1,281,843 bytes	MD5: 0x737E10BE307601F22A491FD76798CD21 SHA-1: 0x9523BCCFC96FD77228CB6B28DC06466CA2DBB76E	Trojan.mIRC-Based.AM [PCTools] Backdoor.IRC.Aladinz [Symantec] Backdoor.IRC.Zapchast.zwrc, not-a-virus:Client-IRC.Win32.mIRC.603 [Kaspersky Lab] Mal/Zapchas-A [Sophos]
2	%Windir%\Temp\spoolsv\a.reg	1,260 bytes	MD5: 0x3A6124B67B70CFC076115D6C03A46555 SHA-1: 0xFF32EA635FBC7E246EDB1EF30FD2146702137200	Trojan.RunKeys [PCTools] Backdoor.IRC.Zapchast.zwrc [Kaspersky Lab] Reg/IRCSpoolsv [McAfee] REG_ZAPCHAST.ED [Trend Micro] Backdoor.Zapchast [Ikarus]
3	%Windir%\Temp\spoolsv\aliases.ini	11 bytes	MD5: 0x2218DF9CDFFC814A3DC25C81DD8619DD SHA-1: 0x0290F796218937F61331ADC8803788E7CD4C2299	(not available)
4	%Windir%\Temp\spoolsv\com.mrc	9,730 bytes	MD5: 0x42BD1BB7CA8F93725D2A7CFD8787B5C4 SHA-1: 0xB35673960C1E8348C8DC21B9640803C9380CAF18	Backdoor.IRC.Zapchast.zwrc [Kaspersky Lab]
5	%Windir%\Temp\spoolsv\control.ini	174 bytes	MD5: 0xE74FCF9B0E35952818B103251B5A6FD3 SHA-1: 0xB86B6D37819AEC743D514439EAF4E5A2DCFBFE11	(not available)
6	%Windir%\Temp\spoolsv\fullname.txt %Windir%\Temp\spoolsv\ident.txt	10,306 bytes	MD5: 0x465B9F9B355DA136E1514456673D63FB SHA-1: 0xB8574D4DB1DF3C8CDA546C21B52C1D2E0459C9D4	Backdoor.Zapchast [Ikarus]
7	%Windir%\Temp\spoolsv\mirc.ico	5,694 bytes	MD5: 0xE09AA9787AF5CC53FD7525DD6693CF10 SHA-1: 0x57445D0779A66C61741822C0A7988573EFEE13D7	(not available)
8	%Windir%\Temp\spoolsv\mirc.ini	3,126 bytes	MD5: 0x61B826A632351EA7EA1C198DED6B7584 SHA-1: 0x9680DF46C51044A7D163C1220AC6F8D7CC9662E4	Backdoor.IRC.Zapchast.zwrc [Kaspersky Lab] IRC/Flood.gen.b [McAfee] Mal/Zapchas-C [Sophos] Backdoor.IRC.Zapchast [Ikarus]
9	%Windir%\Temp\spoolsv\remote.ini	4,362 bytes	MD5: 0x2BD0AD648052735985661D01E986182B SHA-1: 0xEB83BB6025D00B044F55870367272399FBD02212	(not available)
10	%Windir%\Temp\spoolsv\run.bat	194 bytes	MD5: 0x08FD9592BFA14C19955FC760BE2BB98A SHA-1: 0x2CDC2FA19727DF675EEE0F8951B0333DBC6F4B81	Trojan.mIRC-Based.AM [PCTools] Backdoor.IRC.Flood [Symantec] Backdoor.IRC.Zapchast.zwrc [Kaspersky Lab] Generic component [McAfee] Backdoor.Zapchast [Ikarus]
11	%Windir%\Temp\spoolsv\servers.ini	926 bytes	MD5: 0xCE0C75EF540D04BBFD8CD8AD621E23DD SHA-1: 0x7D93572795481367770477083E6CCF5FAE5E0737	(not available)
12	%Windir%\Temp\spoolsv\spoolsv.exe	1,790,464 bytes	MD5: 0xB766003F431CAD186BD115F5761592D1 SHA-1: 0x33CDFE6F7FA6B321F9A51CC051C32BA924164B10	Backdoor.IRCBot [PCTools] not-a-virus:Client-IRC.Win32.mIRC.603 [Kaspersky Lab] IRC/Client [McAfee] IRC-Worm.Win32.Tedeto.a [Ikarus]
13	%Windir%\Temp\spoolsv\users.ini	48 bytes	MD5: 0xF99DC2284F9786FBE14D152B79F077C6 SHA-1: 0x2155F104661F44A4960F2647C49B3B7C440BFDE2	(not available)
14	%Windir%\Temp\spoolsv\xmas.jpg	264,957 bytes	MD5: 0x6C43EC85F11F7F75D936B5DC24C22C68 SHA-1: 0x8E0696A3817ADE6DFB8449234051122D777E6878	(not available)

Note:

%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

The following directories were created:

%Windir%\Temp\spoolsv
%Windir%\Temp\spoolsv\download
%Windir%\Temp\spoolsv\logs
%Windir%\Temp\spoolsv\sounds

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	405,504 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cha
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.chat
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\svchost
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\svchost\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost\Parameters
HKEY_CURRENT_USER\Software\Microsoft\Microsoft Agent
HKEY_CURRENT_USER\Software\mIRC
HKEY_CURRENT_USER\Software\mIRC\Channels
HKEY_CURRENT_USER\Software\mIRC\License
HKEY_CURRENT_USER\Software\mIRC\LockOptions
HKEY_CURRENT_USER\Software\mIRC\%UserName%
HKEY_CURRENT_USER\Software\WinRAR SFX

Notes:

%UserName% is a variable that refers to the current user name.

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cha]

(Default) = "ChatFile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.chat]

(Default) = "ChatFile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic]

(Default) = "Connect"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec]

(Default) = "%1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application]

(Default) = "svchost"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec]

(Default) = "%1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command]

(Default) = ""%Windir%\temp\spoolsv\spoolsv.exe" -noconnect"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon]

(Default) = ""%Windir%\temp\spoolsv\spoolsv.exe""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile]

(Default) = "Chat File"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic]

(Default) = "Connect"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec]

(Default) = "%1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application]

(Default) = "svchost"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec]

(Default) = "%1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\command]

(Default) = ""%Windir%\temp\spoolsv\spoolsv.exe" -noconnect"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\DefaultIcon]

(Default) = ""%Windir%\temp\spoolsv\spoolsv.exe""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc]

(Default) = "URL:IRC Protocol"
EditFlags = 02 00 00 00
URL Protocol = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

spoolsv = ""%Windir%\temp\spoolsv\spoolsv.exe""

so that spoolsv.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC]

DisplayName = "mIRC"
UninstallString = ""%Windir%\temp\spoolsv\spoolsv.exe" -uninstall"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\svchost\Parameters]

Application = ""%Windir%\temp\spoolsv\spoolsv.exe""
AppDirectory = ""%Windir%\temp\spoolsv\spoolsv.exe""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost\Parameters]

Application = ""%Windir%\temp\spoolsv\spoolsv.exe""
AppDirectory = ""%Windir%\temp\spoolsv\spoolsv.exe""

[HKEY_CURRENT_USER\Software\Microsoft\Microsoft Agent]

VoiceEnabled = 0x00000001
UseVoiceTips = 0x00000001
KeyHoldHotKey = 0x00000091
UseBeepSRPrompt = 0x00000001
SRTimerDelay = 0x000007D0
SRModeID = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
EnableSpeaking = 0x00000001
UseBalloon = 0x00000001
UseCharacterFont = 0x00000001
UseSoundEffects = 0x00000001
SpeakingSpeed = 0x00000005
PropertySheetX = 0x000F423F
PropertySheetY = 0x000F423F
PropertySheetWidth = 0x00000000
PropertySheetHeight = 0x00000000
PropertySheetPage = 0x00000000
CommandsWindowLeft = 0xFFFFFFFF
CommandsWindowTop = 0xFFFFFFFF
CommandsWindowWidth = 0x000000C8
CommandsWindowHeight = 0x000000C8
CommandsWindowLocationSet = 0x00000000

[HKEY_CURRENT_USER\Software\mIRC\%UserName%]

(Default) = "WhiteHat"

[HKEY_CURRENT_USER\Software\mIRC\LockOptions]

(Default) = "0,4096"

[HKEY_CURRENT_USER\Software\mIRC\License]

(Default) = "5662-546732"

[HKEY_CURRENT_USER\Software\WinRAR SFX]

C%%Windows%temp%spoolsv% = "%Windir%\temp\spoolsv\"

Other details

Analysis of the file resources indicate the following possible country of origin:

Russian Federation

The following Host Names were requested from a host database:

201.116.125.146
Lelystad.NL.EU.UnderNet.Org

There was application-defined hook procedure installed into the hook chain (e.g. to monitor keystrokes). The installed hook is handled by the following module:

%Windir%\temp\spoolsv\spoolsv.exe

Outbound traffic (potentially malicious)

Attention! There was a new connection established with a remote IRC Server. The generated outbound IRC traffic is provided below:

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.