TrojanDownloader:Win32/Zolpiq.D


TrojanDownloader:Win32/Zolpiq.D is a trojan that communicates with a remote server and attempts to download other files.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

TrojanDownloader:Win32/Zolpiq.D is a trojan that communicates with a remote server and attempts to download other files.
Installation
When run, TrojanDownloader:Win32/Zolpiq.D copies an existing Windows system file "mspmsnsv.dll" as "rappmts.hlp". The original file is replaced when the trojan creates the following files:
 
  • <system folder>\tpgenlic.dll
  • <system folder>\mspmsnsv.dll
 
The dropped component "mspmsnsv.dll" replaces the previously existing system file and runs as a service via registry changes such as the following:
 
In subkey: HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_WMDMPMSN
Sets value: "NextInstance"
To data: 01, 00, 00, 00
 
In subkey: HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_WMDMPMSN\0000
Sets value: "Class"
To data: "LegacyDriver"
Sets value: "ClassGUID"
To data: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
Sets value: "ConfigFlags"
To data: 00, 00, 00, 00
Sets value: "DeviceDesc"
To data: "Portable Media Serial Number Service"
Sets value: "Legacy"
To data: 01, 00, 00, 00
Sets value: "Service"
To data: "WmdmPmSN"
 
In subkey: HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_WMDMPMSN\0000\Control
Sets value: "*NewlyCreated*"
To data: 00, 00, 00, 00
Sets value: "ActiveService"
To data: "WmdmPmSN"
 
In subkey: HKLM\SYSTEM\ControlSet001\Services\WmdmPmSN\Enum
Sets value: "0"
To data: "Root\LEGACY_WMDMPMSN\0000"
Sets value: "Count"
To data: 01, 00, 00, 00
Sets value: "NextInstance"
To data: 01, 00, 00, 00
 
In subkey: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WMDMPMSN
Sets value: "NextInstance"
To data: 01, 00, 00, 00
 
In subkey: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WMDMPMSN\0000
Sets value: "Class"
To data: "LegacyDriver"
Sets value: "ClassGUID"
To data: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
Sets value: "ConfigFlags"
To data: 00, 00, 00, 00
Sets value: "DeviceDesc"
To data: "Portable Media Serial Number Service"
Sets value: "Legacy"
To data: 01, 00, 00, 00
Sets value: "Service"
To data: "WmdmPmSN"
 
In subkey: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WMDMPMSN\0000\Control
Sets value: "*NewlyCreated*"
To data: 00, 00, 00, 00
Sets value: "ActiveService"
To data: "WmdmPmSN"
 
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\WmdmPmSN\Enum
Sets value: "0"
To data: "Root\LEGACY_WMDMPMSN\0000"
Sets value: "Count"
To data: 01, 00, 00, 00
Sets value: "NextInstance"
To data: 01, 00, 00, 00
 
The trojan runs the component "mspmsnsv.dll" by starting the service "WmdmPmSN" which references the trojan file. This component loads the other trojan component "tpgenlic.dll".

The trojan creates a backup copy of itself as the following:
  • C:\RECYCLER\thumb.dat
 
Payload
Modifies a file
TrojanDownloader:Win32/Zolpiq.D modifies the following file to load the component "tpgenlic.dll":
  • <system folder>\rtutils.dll - detected as Virus:Win32/Zolpiq.B
 
Communicates with a remote server
TrojanDownloader:Win32/Zolpiq.D attempts to connect with a server named "369p.mail-signin.com" using TCP port 443 and may download additional files.
 
Analysis by Tim Liu

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files:
    <system folder>\tpgenlic.dll
    <system folder>\mspmsnsv.dll
    C:\RECYCLER\thumb.dat
  • Alert notifications from installed antivirus software may be the only symptoms.
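The following PowerShell triage script is an added example, not part of this encyclopedia entry or of any Microsoft tool. It checks a host for the indicators listed under Installation, Payload and Symptoms above: the dropped files, the renamed original ("rappmts.hlp"), the Authenticode status of the two system files the entry says are replaced or patched, what the "WmdmPmSN" service actually loads, and whether the C2 host name appears in the DNS resolver cache. It assumes that "<system folder>" means %SystemRoot%\System32, and it treats the LEGACY_WMDMPMSN registry keys as non-distinguishing, since Windows creates those entries whenever the legitimate Portable Media Serial Number service starts; the replaced DLL, not the keys, is the useful signal.

```powershell
# Added triage script (not from the Microsoft encyclopedia entry).
# Checks a Windows host for the indicators this entry lists for
# TrojanDownloader:Win32/Zolpiq.D. Run from an elevated PowerShell prompt.
# Assumption: "<system folder>" in the entry is %SystemRoot%\System32.

$sys      = Join-Path $env:SystemRoot 'System32'
$findings = @()
$info     = @()

# 1. Files the entry says the trojan drops or leaves behind.
#    rappmts.hlp is the renamed copy of the original mspmsnsv.dll; on a
#    clean system none of these three paths should exist.
$dropped = @(
    (Join-Path $sys 'tpgenlic.dll'),
    (Join-Path $sys 'rappmts.hlp'),
    'C:\RECYCLER\thumb.dat'
)
foreach ($p in $dropped) {
    if (Test-Path -LiteralPath $p) { $findings += "Dropped file present: $p" }
}

# 2. System files the entry says are replaced (mspmsnsv.dll) or patched
#    (rtutils.dll). Both ship Microsoft-signed, so an invalid or missing
#    Authenticode signature is the distinguishing sign; their presence is normal.
foreach ($name in @('mspmsnsv.dll', 'rtutils.dll')) {
    $p = Join-Path $sys $name
    if (-not (Test-Path -LiteralPath $p)) { continue }
    $sig = Get-AuthenticodeSignature -FilePath $p
    if ($sig.Status -ne 'Valid') {
        $findings += "Unsigned or modified system file: $p (signature status: $($sig.Status))"
    }
}

# 3. The WmdmPmSN service. The LEGACY_WMDMPMSN keys listed in the entry are
#    created by Windows for this legitimate service, so rather than testing
#    for the keys, record what the service loads for manual review.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WmdmPmSN'
if (Test-Path -Path $svcKey) {
    $svc   = Get-ItemProperty -Path $svcKey
    $dll   = (Get-ItemProperty -Path "$svcKey\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    $state = (Get-Service -Name 'WmdmPmSN' -ErrorAction SilentlyContinue).Status
    $info += "WmdmPmSN: state=$state ImagePath='$($svc.ImagePath)' ServiceDll='$dll'"
}

# 4. The C2 host named in the entry. The resolver cache only holds recent
#    lookups, so an empty result does not clear the host; check proxy/DNS
#    logs as well.
$c2 = '369p.mail-signin.com'
if ((ipconfig /displaydns) -match [regex]::Escape($c2)) {
    $findings += "DNS cache contains C2 host: $c2"
}

# Report.
if ($findings.Count -eq 0) {
    Write-Output 'No Zolpiq.D file, signature or DNS indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
$info | ForEach-Object { Write-Output "[i] $_" }
```

A clean host should print only the "[i]" line for the service (if the service is installed) with a ServiceDll under System32 and a valid signature on mspmsnsv.dll. Any "[!]" line warrants a full scan with an up-to-date security product as the entry recommends, and the file in question should be preserved for analysis rather than deleted by hand.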

Prevention


Alert level: Severe
First detected by definition: 1.103.1373.0
Latest detected by definition: 1.103.1373.0 and higher
First detected on: May 10, 2011
This entry was first published on: May 10, 2011
This entry was updated on: May 11, 2011

This threat is also detected as:
  • TR/Agent.IF.3 (Avira)
  • TROJ_AGENT.MMM (Trend Micro)
  • Trojan:Win32/Agent.IF (other)