TrojanDropper:Win32/Zegost.B


TrojanDropper:Win32/Zegost.B is a trojan that drops and installs Backdoor:Win32/Zegost.F and changes registry data to load the dropped malware as a service.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an up-to-date antivirus product.

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

TrojanDropper:Win32/Zegost.B is a trojan that drops and installs Backdoor:Win32/Zegost.F and changes registry data to load the dropped malware as a service.
Installation
This trojan may be installed by other malware. When run, it drops a copy of Backdoor:Win32/Zegost.F as the following:
  • %SystemRoot%\System32\<random>.cc3 (e.g. "vegpq.cc3")
Payload
Replaces existing service
TrojanDropper:Win32/Zegost.B enumerates the services that run inside a shared "svchost.exe" process (the "netsvcs" group) by reading the following registry value, a REG_MULTI_SZ list of service names:
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\Netsvcs
 
The trojan walks that list looking for the first service that is both disabled (Start = 4) and not currently running. Once found, it backs up the service's registry configuration to the following data file, presumably so the original settings can be restored later:
  • %SystemRoot%\System32\<random>.rdb (e.g. "F5859B27.rdb")
 
The registry configuration of that service is then rewritten so that svchost.exe loads the dropped copy of Backdoor:Win32/Zegost.F in place of the legitimate service DLL, as in the following example:
 
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\<Service name>
Sets value: "Start"
To data: "2" (SERVICE_AUTO_START; the service was previously disabled)
 
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\<Service name>\Parameters
Sets value: "seRViceDlL"
To data: "%SystemRoot%\System32\<random>.cc3" (e.g. "vegpq.cc3")
 
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\<Service name>\Parameters 
Sets value: "seRVicemAIN"
To data: "McastRenewAddress"
 
Registry value names are not case-sensitive, so the mixed-case "seRViceDlL" and "seRVicemAIN" are read by svchost.exe as the standard ServiceDll and ServiceMain values. svchost.exe loads the file named by ServiceDll with LoadLibrary, which ignores the file extension, and then calls the export named by ServiceMain; the dropped ".cc3" file is therefore an ordinary DLL whose entry point has been named after a legitimate Windows API function (McastRenewAddress) to look less conspicuous.
 
TrojanDropper:Win32/Zegost.B then starts the hijacked service immediately, so the backdoor runs inside svchost.exe without waiting for a reboot, and it is restarted automatically at every boot thereafter.
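The following PowerShell hunt is an added example, not part of the original write-up or of any Microsoft tool. It applies the behaviour described above to a live host: it reads the netsvcs group, checks every member's ServiceDll and ServiceMain, and flags service DLLs that do not end in ".dll", live outside System32, are missing, or fail Authenticode verification, and it lists any "*.rdb" files in System32. The heuristics (extension, location, signature status, presence of an explicit ServiceMain value) are the author's assumptions about what separates a hijacked entry from a normal one; run it in an elevated session.

```powershell
# Added hunting script (assumptions noted inline); not part of the Microsoft write-up.
# Flags netsvcs-group services whose ServiceDll has been redirected in the way
# TrojanDropper:Win32/Zegost.B does. Requires an elevated PowerShell session.

$sys32      = Join-Path $env:SystemRoot 'System32'
$netsvcsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
# "netsvcs" is a REG_MULTI_SZ value holding the names of the services in the group.
$netsvcs    = (Get-ItemProperty -Path $netsvcsKey -Name 'netsvcs').netsvcs

$findings = foreach ($svc in $netsvcs) {
    $svcKey   = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    $paramKey = "$svcKey\Parameters"
    if (-not (Test-Path -Path $paramKey)) { continue }

    $params = Get-ItemProperty -Path $paramKey
    $dll    = $params.ServiceDll
    if (-not $dll) { continue }
    # ServiceDll is REG_EXPAND_SZ; expand it ourselves in case the provider did not.
    $dll   = [Environment]::ExpandEnvironmentVariables($dll)
    $start = (Get-ItemProperty -Path $svcKey -Name 'Start' -ErrorAction SilentlyContinue).Start

    $reasons = @()
    # Assumption: a legitimate hosted service DLL carries a .dll extension and lives in System32.
    if ([IO.Path]::GetExtension($dll) -ne '.dll') {
        $reasons += "non-.dll extension ($dll)"
    }
    if (-not $dll.StartsWith($sys32, [StringComparison]::OrdinalIgnoreCase)) {
        $reasons += "outside System32 ($dll)"
    }
    # An explicit ServiceMain value is legitimate but uncommon; Zegost.B sets one.
    if ($params.PSObject.Properties.Name -contains 'ServiceMain') {
        $reasons += "explicit ServiceMain=$($params.ServiceMain)"
    }
    # Signature check. Windows DLLs are usually catalog-signed; on current Windows
    # Get-AuthenticodeSignature resolves those and reports Valid, so anything else is worth a look.
    if (Test-Path -LiteralPath $dll) {
        $sig = Get-AuthenticodeSignature -FilePath $dll
        if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
    } else {
        $reasons += 'DLL missing on disk'
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Service    = $svc
            Start      = $start        # 2 = auto start, 3 = on demand, 4 = disabled
            ServiceDll = $dll
            Reasons    = ($reasons -join '; ')
        }
    }
}

$findings | Format-Table -AutoSize

# The dropper leaves its registry backup as %SystemRoot%\System32\<random>.rdb;
# that extension has no legitimate business in System32, so any hit is interesting.
Get-ChildItem -Path $sys32 -Filter '*.rdb' -File -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, CreationTime, LastWriteTime
```

A hit on "non-.dll extension" together with a Start value of 2 on a service that is normally disabled on that build is the pattern this write-up describes. The signature check is noisy on older systems and on third-party hosted services, so treat it as a prioritisation aid rather than a verdict, and compare any suspicious ServiceDll path against a known-good host of the same Windows version before acting.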
 
Analysis by Shawn Wang

Symptoms

Alert notifications or detections of this malware from installed antivirus or security software may be the only symptoms. A netsvcs-group service that was previously disabled but is now set to start automatically, with its ServiceDll pointing at a ".cc3" file in %SystemRoot%\System32, is a further indicator of this threat.

Prevention


Alert level: Severe
First detected by definition: 1.85.1695.0
Latest detected by definition: 1.185.2843.0 and higher
First detected on: Jul 08, 2010
This entry was first published on: Jan 17, 2011
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • TR/Crypt.XDR.Gen (AVG)
  • Trojan-PSW.Win32.Bjlog.qol (Kaspersky)
  • BackDoor-CEP.gen.cn (McAfee)
  • W32/Zegost.U (Norman)
  • Backdoor.Win32.Binz.a (Rising AV)
  • Mal/Zegost-C (Sophos)
  • BKDR_ZEGOST.SMZZ (Trend Micro)