Backdoor:Win32/Zegost.F is a trojan that communicates with a remote server to allow remote access and control. The trojan blocks access to numerous websites, many of which are security related.

What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products will detect and remove this threat:
For more information on antivirus software, see

Threat behavior

Backdoor:Win32/Zegost.F is a trojan that communicates with a remote server and allows remote access and control. The trojan blocks access to numerous websites, many of which are security related.
Backdoor:Win32/Zegost.F may be installed as a randomly named file by TrojanDropper:Win32/Zegost.B. Backdoor:Win32/Zegost.F runs as a system service.
Allows remote access and control
Backdoor:Win32/Zegost.F attempts to connect with a remote IP address to report its installation and send the affected computer's information, such as the following:
  • LAN IP address
  • machine name
  • Operating System (OS) version, and similar details
Backdoor:Win32/Zegost.F retrieves commands from a remote server that may instruct the trojan to perform any of the following actions:
  • Allow full access rights to files, directories and the registry
  • Execute commands through a command shell session
  • Capture video or audio
  • Start Terminal Services
  • Manage system services
  • Log keystrokes
  • Update or uninstall the backdoor service
Block access to certain websites
Backdoor:Win32/Zegost.F also tries to block access to the following websites, many of which are security related:
Analysis by Shawn Wang


System changes
The following system changes may indicate the presence of this malware:
  • An inability to reach certain security related websites such as the following:
  • Alert notifications or detections of this malware from installed antivirus or security software may be the only other symptoms.


Alert level: Severe
First detected by definition: 1.95.4180.0
Latest detected by definition: 1.203.984.0 and higher
First detected on: Jan 18, 2011
This entry was first published on: Jan 19, 2011
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Win-Trojan/Biz.2875392 (AhnLab)
  • W32/Zegost.D.gen!Eldorado (Command)
  • TR/Crypt.XPACK.Gen3 (Avira)
  • Adware.Baidu.3062 (ESET)
  • Trojan-PSW.Win32.Bjlog.koc (Kaspersky)
  • Generic.dx!uvn (McAfee)
  • Mal/Zegost-E (Sophos)
  • Adware.ADH (Symantec)
  • TROJ_REDOSD.SMC (Trend Micro)