Click Here to Install Silverlight*
United StatesChange|All Microsoft Sites
Microsoft
Security 

Malicious Software Encyclopedia: Backdoor:IRC/Zapchast.AN

Published: April 4, 2007

Backdoor:IRC/Zapchast.AN opens a backdoor on TCP port 113 and UDP port 30167, connects to an IRC channel, and downloads and installs other files. Backdoor:IRC/Zapchast.AN also includes keylogger capabilities. Some variants of Backdoor:IRC/Zapchast.AN are infected with the Win32/Parite virus. Win32/Parite infects portable executable files on local drives and accessible network shares.

**

Glossary Terms

Click the term to get the definition from our Security Glossary.

Trojan horse

virus

worm

**
On This Page
Threat OverviewThreat Overview
Aliases (Also Known As)Aliases (Also Known As)
Technical AnalysisTechnical Analysis
How to Prevent InfectionHow to Prevent Infection
How to Tell If Your Computer Is InfectedHow to Tell If Your Computer Is Infected

Threat Overview

Class/typeTrojan - Backdoor
DiscoveredOctober 7, 2008
CirculatingYes
Affected operating systems
Affected software Not specified
Infection ratingLow
Recovery difficultyModerate
Damage ratingMedium
Transmission ratingMedium

Aliases (Also Known As)

Different antivirus vendors may be using different names to refer to this malicious software. Here are some of the names currently in use by antivirus software vendors participating in the Microsoft Virus Information Alliance (VIA):

  • Norman: IRCFlood.FS
  • Sophos: Troj/Zapchas-CJ
  • Trend Micro: TROJ_DROPPER.ABU

    • Learn more about the Microsoft Virus Information Alliance.

    Technical Analysis

    Backdoor:IRC/Zapchast.AN often arrives in email disguised as a greeting card. Those who follow the link to download the card will actually be downloading a copy of the Trojan. The downloaded file may be named postcard.exe. When this file is run, it takes the following actions:
    • Drops several files in %windir%\system folder. These files include an installation of mirc (an Internet Relay Chat program), and a copy of the backdoor component, svchost.exe. Note that %windir%\system folder is not the location of the actual Windows system folder, which is located at %windir%\system32 under Windows NT, 2000, XP, and Vista. A legitimate svchost.exe exists in the \system32 folder. The following files are dropped to %windir%\system:
    fullname.txt
    ident.txt
    nicks.txt
    aliases.ini
    control.ini
    mirc.ini
    remote.ini
    script.ini
    servers.ini
    users.ini
    sup.bat
    svchost.exe (may be infected with the Win32/Parite virus)
    mirc.ico
    sup.reg
    popups.txt
    Note: %windir% signifies the name of the Windows folder. By default, on Windows Vista, XP, ME, 98 and 95, this is C:\Windows. On Windows NT/2000, the default folder is C:\Winnt.
    • Creates the following folders in %windir%\system:
    download
    logs
    sounds
    • Modifies the registry to load the dropped svchost.exe file each time Windows is started:
    Adds value: GHP Generic Host Process
    With data: %windir%\system\svchost.exe
    To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • Modifies the following registry entries:
    Set "VoiceEnabled" = "1" under key HKEY_CURRENT_USER\Software\Microsoft\Microsoft Agent
    Set "(default)" = "1174867138", under key HKEY_CURRENT_USER\Software\mIRC\DateUsed
    Set "DisplayName" = "mirc", under key HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\mIRC
    Set "(default)" = "chatfile", under key HKLM\SOFTWARE\Classes\.cha
    Set "(default)" = "chatfile", under key HKLM\SOFTWARE\Classes\.chat
    Set "(default)" = "chat file", under key HKLM\SOFTWARE\Classes\ChatFile
    Set "(default)" = ""%windir%\system\svchost.exe"", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon
    Set "(default)" = ""%windir%\system\svchost.exe" -noconnect", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command
    Set "(default)" = "%1", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec
    Set "(default)" = "svchost", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application
    Set "(default)" = "%1", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec
    Set "(default)" = "connect", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic
    Set "(default)" = "url:irc protocol", under key HKEY_LOCAL_MACHINE\Software\Classes\irc
    Set "(default)" = ""%windir%\system\svchost.exe"", under key HKEY_LOCAL_MACHINE\Software\Classes\irc\DefaultIcon
    Set "(default)" = ""%windir%\system\svchost.exe" -noconnect", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\command
    Set "(default)" = "%1", under key HKEY_LOCAL_MACHINE\Software\Classes\irc\Shell\open\ddeexec
    Set "(default)" = "svchost", under key HKEY_LOCAL_MACHINE\Software\Classes\irc\Shell\open\ddeexec\Application
    Set "(default)" = "%1", under key HKEY_LOCAL_MACHINE\Software\Classes\irc\Shell\open\ddeexec\ifexec
    Set "(default)" = "connect", under key HKEY_LOCAL_MACHINE\Software\Classes\irc\Shell\open\ddeexec\Topic
    • Opens and listens on TCP port 113 and UDP port 30167 and joins multiple IRC channels.

    How to Prevent Infection

    Take the following steps to help prevent infection on your system:
    • Enable a firewall on your computer.
    • Get the latest computer updates.
    • Use up-to-date antivirus software.
    • Use caution with attachments and file transfers.

    Enable a firewall on your computer

    Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall.
    To turn on the Internet Connection Firewall in Windows XP
    1. Click Start, and click Control Panel.
    2. Click Network and Internet Connections. If you do not see Network and Internet Connections, click Switch to Category View.
    3. Click Change Windows Firewall Settings.
    4. Select On.
    5. Click OK.

    Get the latest computer updates

    Updates help protect your computer from viruses, worms, and other threats as they are discovered. You can use the Automatic Updates feature in Windows XP to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
    To turn on Automatic Updates in Windows XP
    1. Click Start, and click Control Panel
    2. Click System.
    3. Click Automatic Updates.
    4. Select a setting. Microsoft recommends selecting Automatic. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.

    Use up-to-date antivirus software

    Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software that is updated with the latest signature files. Antivirus software is available from several sources. For more information, see http://www.microsoft.com/athome/security/downloads/default.mspx

    Use caution with attachments and file transfers

    Exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly from known sources.  Use extreme caution when accepting file transfers from known or unknown sources.

    How to Tell If Your Computer Is Infected

    © 2009 Microsoft Corporation. All rights reserved. Contact Us |Terms of Use |Trademarks |Privacy Statement