Backdoor:Win32/Zegost.F


Backdoor:Win32/Zegost.F is a trojan that communicates with a remote server to allow remote access and control. The trojan blocks access to numerous websites, many of which are security related.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products will detect and remove this threat:
 
 
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Backdoor:Win32/Zegost.F is a trojan that communicates with a remote server and allows remote access and control. The trojan blocks access to numerous websites, many of which are security related.
Installation
Backdoor:Win32/Zegost.F may be installed as a randomly named file by TrojanDropper:Win32/Zegost.B. Backdoor:Win32/Zegost.F runs as a system service.
Payload
Allows remote access and control
Backdoor:Win32/Zegost.F attempts to connect with a remote IP address to report its installation and send the affected computer's information, such as the following:
  • LAN IP address
  • machine name
  • Operating System (OS) version, and so on
 
Backdoor:Win32/Zegost.F retrieves commands from a remote server that may instruct the trojan to perform any of the following actions:
  • Allow full access rights to files, directories and the registry
  • Execute commands through a command shell session
  • Capture video or audio
  • Start Terminal Services
  • Manage system services
  • Log keystrokes
  • Update or uninstall the backdoor service
 
Block access to certain websites
Backdoor:Win32/Zegost.F also tries to block access to the following websites, many of which are security related:
 
 
Analysis by Shawn Wang

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • An inability to reach certain security related websites such as the following:
    iau.trendmicro.com.cn
    liveupdate.symantecliveupdate.com
    guru.avg.com
    update.nai.com
    support.eset.com.cn
    kaspersky.fastcdn.com
    rsdownauto.rising.com.cn
    www.rising.com.cn
    antispy.db.kingsoft.com
    www.360safe.com
    update.360safe.com
    stat.360safe.com
  • Alert notifications or detections of this malware from installed antivirus or security software may be the only other symptoms.
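A triage check for the first symptom above, added here as an example and not part of the Microsoft write-up. The write-up does not say how Zegost.F blocks the sites; the check assumes the common hosts-file technique (a static entry pinning a vendor host to a loopback or unspecified address) and uses a constructed sample hosts file, with the watched list taken from the domains named under Symptoms.

```python
# Added example, not from the Microsoft write-up. Assumes the blocking is done
# through the hosts file; the write-up itself does not state the mechanism.
import ipaddress
import os
import re

# Domains listed under Symptoms in the write-up.
WATCHED_DOMAINS = {
    "iau.trendmicro.com.cn", "liveupdate.symantecliveupdate.com",
    "guru.avg.com", "update.nai.com", "support.eset.com.cn",
    "kaspersky.fastcdn.com", "rsdownauto.rising.com.cn", "www.rising.com.cn",
    "antispy.db.kingsoft.com", "www.360safe.com", "update.360safe.com",
    "stat.360safe.com",
}

# Constructed sample hosts file (not a real capture).
SAMPLE_HOSTS = """# constructed sample
127.0.0.1 localhost
127.0.0.1 update.360safe.com stat.360safe.com
0.0.0.0 guru.avg.com
192.168.0.5 fileserver.corp.example  # unrelated host, not watched
"""

def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = re.split(r"\s+", line)
        for name in names:
            yield ip, name.lower().rstrip(".")

def suspicious_entries(text, watched=WATCHED_DOMAINS):
    """Return (hostname, ip, sinkholed) for watched domains pinned in the hosts file.
    sinkholed is True when the address is loopback or unspecified (0.0.0.0)."""
    hits = []
    for ip, name in parse_hosts(text):
        if name not in watched:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address, skip
        hits.append((name, ip, addr.is_loopback or addr.is_unspecified))
    return hits

def check_hosts_file(path=None):
    """Read the live hosts file (Windows or POSIX default path) and run the check."""
    if path is None:
        path = (r"C:\Windows\System32\drivers\etc\hosts" if os.name == "nt"
                else "/etc/hosts")
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())
```

Any hit is worth a closer look; a vendor update host pinned to 127.0.0.1 or 0.0.0.0 matches the "inability to reach security related websites" symptom and has no legitimate reason to be there.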

Prevention


Alert level: Severe
First detected by definition: 1.95.4180.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Jan 18, 2011
This entry was first published on: Jan 19, 2011
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Win-Trojan/Biz.2875392 (AhnLab)
  • W32/Zegost.D.gen!Eldorado (Command)
  • TR/Crypt.XPACK.Gen3 (Avira)
  • Adware.Baidu.3062 (ESET)
  • Trojan-PSW.Win32.Bjlog.koc (Kaspersky)
  • Generic.dx!uvn (McAfee)
  • Mal/Zegost-E (Sophos)
  • Adware.ADH (Symantec)
  • TROJ_REDOSD.SMC (Trend Micro)