What is TrustedSource? | Create Account | Login 
Secure Computing Corporation
 
Home  Threats and Trends  Malware Information
TrustedSource™ Query
Enter IP address, domain name or URL to check reputation/traffic patterns:
Search
 

Malware Information

Malware nameTrojan.Zapchast.AI
TypeTrojan
Affected platformWin32
Media-Typeapplication/executable
MD5 checksumC0F6543EA0C3B43F4CA0FF4A47225BB8
Static fileyes
Filesize45,056 Bytes
Alias names
(also known as)
McAfeeBackDoor-CVM
Side effects
  • Drops files
  • Drops malicious files
PropagationNo own spreading routine

Description:

Files

It creates the following directories:
• C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\
• C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\download



The following files are created:

– Non malicious files:
• C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\aliases.ini;
C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\control.ini;
C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\Desktop.ini;
C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\fullname.txt;
C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\identd.txt;
C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\instsrv.exe;
C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\mirc.ico;
C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\mirc.ini;
C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\popups.txt;
C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\remote.ini;
C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\servers.ini;
C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\svchost.exe;
C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\users.ini

– C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\a.reg Further investigation pointed out that this file is malware, too. Detected as: IRC/Cloner.BI

– C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\csrss.exe Detected as: Trojan.mIRC-593262.A

– C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\script.ini Detected as: IRC/Zapchast.AI

– C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\sup.exe Furthermore it gets executed after it was fully created. Detected as: Trojan.Runner.B

File details

Programming language:
 The malware program was written in MS Visual C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
• UPX
Secure Computing Corporate Homepage | Contact | Privacy Policy | Disclaimer

Copyright © 2007-2008 Secure Computing Corporation. All Rights Reserved.

THE DATA IS FURNISHED, "AS IS" WITHOUT ANY WARRANTY OF ANY KIND, AND SECURE COMPUTING® HEREBY DISCLAIM ALL WARRANTIES, EXPRESS, IMPLIED OR STATUTORY INCLUDING, WITHOUT LIMITATION, ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, AND ANY WARRANTIES AS TO NON-INFRINGEMENT, AND IN NO EVENT SHALL SECURE COMPUTING® BE LIABLE FOR COSTS OF PROCURING SUBSTITUTE GOODS. IN NO EVENT WILL SECURE COMPUTING® BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, INCIDENTAL, EXEMPLARY, OR OTHER DAMAGES WHETHER OR NOT SECURE COMPUTING® HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.