Backdoor:Win32/Zegost.AD


Backdoor:Win32/Zegost.AD is malware that drops a backdoor trojan on your computer. The dropped backdoor is detected as Backdoor:Win32/Zegost.X.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

Threat behavior

Backdoor:Win32/Zegost.AD is malware that drops a backdoor trojan on your computer. The dropped backdoor is detected as Backdoor:Win32/Zegost.X.

Installation

Backdoor:Win32/Zegost.AD copies itself to your computer as the following file:

%TEMP%\kbdmgr.exe

It also creates the following shortcut, which points to its copy:

<startup folder>\kbdmgr.lnk

Note: <startup folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the Startup folder for Windows XP and 2003 is '%USERPROFILE%\Start Menu\Programs\Startup'. For Windows Vista and 7, the default location is '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'.

It also creates the following mutex:

"WuSh B- Is Running!"

Payload

Deletes security-related files

Backdoor:Win32/Zegost.AD attempts to delete Kaspersky antivirus files.

Drops another malware

Backdoor:Win32/Zegost.AD creates the following DLL, which it then injects into the running "explorer.exe" process:

%TEMP%\kbdmgr.dll

This file is detected as Backdoor:Win32/Zegost.X.

Analysis by Patrik Vicol


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following files:
    %TEMP%\kbdmgr.exe
    <startup folder>\kbdmgr.lnk
  • Your Kaspersky antivirus program may fail to function normally.
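The indicators listed under Installation, Payload and Symptoms can be checked on a host in one pass. The PowerShell function below is an added example and is not code from the Microsoft encyclopedia entry or from the malware itself. The file names, the shortcut name, the mutex string and the explorer.exe injection target are taken from this entry; the function name, the output shape and the way each indicator is probed are this example's own choices.

```powershell
# Added example (not from the Microsoft entry): probe a Windows host for the
# indicators this entry lists for Backdoor:Win32/Zegost.AD. Indicator values come
# from the entry; Get-ZegostADIndicators and its output format are assumptions.
function Get-ZegostADIndicators {
    [CmdletBinding()]
    param()

    $mutexName = 'WuSh B- Is Running!'
    $findings  = New-Object System.Collections.Generic.List[object]

    # 1. Dropped files in %TEMP%: kbdmgr.exe (the dropper's copy of itself) and
    #    kbdmgr.dll (the backdoor detected as Backdoor:Win32/Zegost.X). Hash anything
    #    found so it can be compared against the vendor detections at the end of the entry.
    foreach ($name in 'kbdmgr.exe', 'kbdmgr.dll') {
        $path = Join-Path $env:TEMP $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $findings.Add([pscustomobject]@{
                Indicator = 'DroppedFile'; Detail = $path; Extra = "sha256=$hash"
            })
        }
    }

    # 2. Persistence: kbdmgr.lnk in the current user's Startup folder. The folder is
    #    resolved through the shell API, so both the XP/2003 and the Vista/7 paths from
    #    the note above are covered. The entry says the shortcut points to the %TEMP%
    #    copy, so the resolved target is reported too.
    $lnk = Join-Path ([Environment]::GetFolderPath('Startup')) 'kbdmgr.lnk'
    if (Test-Path -LiteralPath $lnk -PathType Leaf) {
        $target = (New-Object -ComObject WScript.Shell).CreateShortcut($lnk).TargetPath
        $findings.Add([pscustomobject]@{
            Indicator = 'StartupShortcut'; Detail = $lnk; Extra = "target=$target"
        })
    }

    # 3. Runtime marker: the mutex. TryOpenExisting returns $true only if a process
    #    already holds a mutex of that name; an access-denied error means it exists but
    #    belongs to another principal, which is still a hit. The malware runs in the
    #    user's session, so the session-local name is checked first, then Global\.
    foreach ($candidate in $mutexName, "Global\$mutexName") {
        $mutex = $null
        try {
            if ([System.Threading.Mutex]::TryOpenExisting($candidate, [ref]$mutex)) {
                $mutex.Dispose()
                $findings.Add([pscustomobject]@{
                    Indicator = 'Mutex'; Detail = $candidate; Extra = 'present'
                })
            }
        } catch [System.UnauthorizedAccessException] {
            $findings.Add([pscustomobject]@{
                Indicator = 'Mutex'; Detail = $candidate; Extra = 'present (access denied)'
            })
        }
    }

    # 4. Injection target: kbdmgr.dll loaded in explorer.exe. Module enumeration from a
    #    32-bit PowerShell host against a 64-bit explorer.exe fails, so on 64-bit
    #    Windows run this from 64-bit PowerShell.
    foreach ($proc in Get-Process -Name explorer -ErrorAction SilentlyContinue) {
        try {
            $mod = $proc.Modules | Where-Object { $_.ModuleName -ieq 'kbdmgr.dll' }
            if ($mod) {
                $findings.Add([pscustomobject]@{
                    Indicator = 'InjectedModule'
                    Detail    = "explorer.exe PID $($proc.Id)"
                    Extra     = $mod.FileName
                })
            }
        } catch {
            Write-Warning "Could not enumerate modules of explorer.exe PID $($proc.Id): $_"
        }
    }

    return $findings
}

# Usage: an empty table means none of the listed indicators is present for the
# current user and session.
Get-ZegostADIndicators | Format-Table -AutoSize
```

Run it from an elevated prompt in the session of the user you suspect was infected: the Startup folder and the session-local mutex are per user, so other profiles on the machine are not covered by a single run. A hit on any one indicator is enough to warrant the full scan described under "What to do now"; the absence of all four only says the indicators in this entry were not found, since the deletion of Kaspersky files is not probed here.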

Prevention


Alert level: Severe
First detected by definition: 1.127.35.0
Latest detected by definition: 1.179.1432.0 and higher
First detected on: May 16, 2012
This entry was first published on: May 31, 2012
This entry was updated on: Jul 03, 2012

This threat is also detected as:
  • TROJ_SPNR.30EE12 (Trend Micro)
  • Trojan-Spy.Win32.KeyLogger.rli (Kaspersky)