TrojanDownloader:Win32/Zolpiq.D is a trojan that communicates with a remote server and attempts to download other files.
Installation
When run, TrojanDownloader:Win32/Zolpiq.D copies an existing Windows system file "mspmsnsv.dll" as "rappmts.hlp". The original file is replaced when the trojan creates the following files:
- <system folder>\tpgenlic.dll
- <system folder>\mspmsnsv.dll
The dropped component "mspmsnsv.dll" replaces the previously existing system file and runs as a service via registry changes such as the following:
In subkey: HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_WMDMPMSN
Sets value: "NextInstance"
To data: 01, 00, 00, 00
In subkey: HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_WMDMPMSN\0000
Sets value: "Class"
To data: "LegacyDriver"
Sets value: "ClassGUID"
To data: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
Sets value: "ConfigFlags"
To data: 00, 00, 00, 00
Sets value: "DeviceDesc"
To data: "Portable Media Serial Number Service"
Sets value: "Legacy"
To data: 01, 00, 00, 00
Sets value: "Service"
To data: "WmdmPmSN"
In subkey: HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_WMDMPMSN\0000\Control
Sets value: "*NewlyCreated*"
To data: 00, 00, 00, 00
Sets value: "ActiveService"
To data: "WmdmPmSN"
In subkey: HKLM\SYSTEM\ControlSet001\Services\WmdmPmSN\Enum
Sets value: "0"
To data: "Root\LEGACY_WMDMPMSN\0000"
Sets value: "Count"
To data: 01, 00, 00, 00
Sets value: "NextInstance"
To data: 01, 00, 00, 00
In subkey: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WMDMPMSN
Sets value: "NextInstance"
To data: 01, 00, 00, 00
In subkey: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WMDMPMSN\0000
Sets value: "Class"
To data: "LegacyDriver"
Sets value: "ClassGUID"
To data: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
Sets value: "ConfigFlags"
To data: 00, 00, 00, 00
Sets value: "DeviceDesc"
To data: "Portable Media Serial Number Service"
Sets value: "Legacy"
To data: 01, 00, 00, 00
Sets value: "Service"
To data: "WmdmPmSN"
In subkey: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WMDMPMSN\0000\Control
Sets value: "*NewlyCreated*"
To data: 00, 00, 00, 00
Sets value: "ActiveService"
To data: "WmdmPmSN"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\WmdmPmSN\Enum
Sets value: "0"
To data: "Root\LEGACY_WMDMPMSN\0000"
Sets value: "Count"
To data: 01, 00, 00, 00
Sets value: "NextInstance"
To data: 01, 00, 00, 00
The trojan runs the component "mspmsnsv.dll" by starting the service "WmdmPmSN", which now references the trojan file. This component loads the other trojan component "tpgenlic.dll".
The trojan creates a backup copy of itself as the following:
Payload
Modifies a file
TrojanDownloader:Win32/Zolpiq.D modifies the following file to load the component "tpgenlic.dll":
Communicates with a remote server
TrojanDownloader:Win32/Zolpiq.D attempts to connect to a server named "369p.mail-signin.com" on TCP port 443 and may download additional files.
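The installation indicators and the remote-server indicator above, turned into detection logic as an added example (this is not code from the Microsoft entry, nor the trojan's own code): it evaluates normalized, Sysmon-style event records against the dropped files, the replaced system file, the WmdmPmSN service and registry keys, and the 369p.mail-signin.com:443 connection. The event schema (type, host, path, key, name, dest_host, port), the use of C:\Windows\System32 as the concrete "<system folder>", and the sample hostnames and records are all constructed assumptions of this example. Because WmdmPmSN ("Portable Media Serial Number Service") is a legitimate Windows service whose mspmsnsv.dll the trojan overwrites, the service and its registry enumeration keys are treated only as weak signals; the dropped files and the remote host are the strong ones.

```python
"""Detection logic for the TrojanDownloader:Win32/Zolpiq.D indicators.

Added example, not part of the original write-up. Events are constructed,
Sysmon-style dictionaries; the schema and sample hosts are assumptions.
"""
import re
from collections import defaultdict

# "<system folder>" in the write-up is assumed to be C:\Windows\System32 here.
SYSTEM_FOLDER_RE = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)
DROPPED_FILES = {"tpgenlic.dll", "rappmts.hlp"}   # files the trojan creates
HIJACKED_FILE = "mspmsnsv.dll"                     # legitimate DLL it replaces
SERVICE_NAME = "wmdmpmsn"                          # legitimate service it abuses
# Registry keys listed in the write-up, under any ControlSetNNN or CurrentControlSet.
REGISTRY_KEY_RE = re.compile(
    r"^HKLM\\SYSTEM\\(?:ControlSet\d{3}|CurrentControlSet)\\"
    r"(?:Enum\\Root\\LEGACY_WMDMPMSN|Services\\WmdmPmSN\\Enum)(?:\\|$)",
    re.IGNORECASE)
C2_HOST = "369p.mail-signin.com"
C2_PORT = 443


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the indicator names one event matches (empty list if none)."""
    hits = []
    kind = event.get("type")
    if kind == "file_create":
        path = event.get("path", "")
        if SYSTEM_FOLDER_RE.match(path):
            name = _basename(path)
            if name in DROPPED_FILES:
                hits.append(f"dropped_file:{name}")
            elif name == HIJACKED_FILE:
                hits.append("system_file_replaced:mspmsnsv.dll")
    elif kind == "registry_set":
        if REGISTRY_KEY_RE.match(event.get("key", "")):
            hits.append("legacy_service_enum:LEGACY_WMDMPMSN")
    elif kind == "service_start":
        if event.get("name", "").lower() == SERVICE_NAME:
            hits.append("service_start:WmdmPmSN")
    elif kind == "network_connect":
        if (event.get("dest_host", "").lower() == C2_HOST
                and int(event.get("port", 0)) == C2_PORT):
            hits.append(f"c2_connect:{C2_HOST}:{C2_PORT}")
    return hits


def triage(events):
    """Aggregate hits per host and assign a verdict.

    WmdmPmSN is a real Windows service, so its enumeration keys and a service
    start are only weak signals; dropped files and the remote host are strong.
    A rewritten mspmsnsv.dll followed by a service start is flagged for review.
    """
    per_host = defaultdict(set)
    for ev in events:
        for hit in classify(ev):
            per_host[ev.get("host", "?")].add(hit)
    report = {}
    for host, hits in per_host.items():
        strong = any(h.startswith(("dropped_file:", "c2_connect:")) for h in hits)
        replaced_and_started = ("system_file_replaced:mspmsnsv.dll" in hits
                                and "service_start:WmdmPmSN" in hits)
        verdict = "match" if strong else "suspicious" if replaced_and_started else "clean"
        report[host] = {"verdict": verdict, "indicators": sorted(hits)}
    return report


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    # ws-01: the full sequence the write-up describes.
    {"host": "ws-01", "type": "file_create", "path": r"C:\Windows\System32\rappmts.hlp"},
    {"host": "ws-01", "type": "file_create", "path": r"C:\Windows\System32\tpgenlic.dll"},
    {"host": "ws-01", "type": "file_create", "path": r"C:\Windows\System32\mspmsnsv.dll"},
    {"host": "ws-01", "type": "registry_set",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WMDMPMSN\0000",
     "value": "Service", "data": "WmdmPmSN"},
    {"host": "ws-01", "type": "service_start", "name": "WmdmPmSN"},
    {"host": "ws-01", "type": "network_connect", "dest_host": "369p.mail-signin.com", "port": 443},
    # ws-02: ordinary activity of the legitimate service, no trojan indicators.
    {"host": "ws-02", "type": "registry_set",
     "key": r"HKLM\SYSTEM\ControlSet001\Services\WmdmPmSN\Enum",
     "value": "Count", "data": "01, 00, 00, 00"},
    {"host": "ws-02", "type": "service_start", "name": "WmdmPmSN"},
    {"host": "ws-02", "type": "network_connect", "dest_host": "update.example.invalid", "port": 443},
    # ws-03: mspmsnsv.dll rewritten and then loaded by the service, nothing else.
    {"host": "ws-03", "type": "file_create", "path": r"c:\windows\system32\MSPMSNSV.DLL"},
    {"host": "ws-03", "type": "service_start", "name": "wmdmpmsn"},
]

if __name__ == "__main__":
    for host, result in triage(SAMPLE_EVENTS).items():
        print(host, result["verdict"], ", ".join(result["indicators"]))
```

Running the block prints one line per host: ws-01 as "match", ws-02 as "clean" (the service's own registry keys and start are expected on a healthy machine), and ws-03 as "suspicious", which is the case worth a manual look at the hash or signature of mspmsnsv.dll.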
Analysis by Tim Liu