TrojanDropper:Win32/Zolpiq.A


TrojanDropper:Win32/Zolpiq.A is a trojan that installs other malware detected as TrojanProxy:Win32/Zolpiq.A.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.
 
This malware may make lasting changes by replacing and renaming Windows system files. These changes are NOT reverted by detecting and removing this threat. To return an infected computer to its pre-infected state, files renamed and moved by this malware must be recovered from backup. The malware stores a backup of the non-malicious file "mspmsnsv.dll" as the following:
  • %ProgramFiles%\Common Files\bak.dll
 
Copy this file to the Windows system folder as "mspmsnsv.dll". Commonly the folder is located at the following path:
  • C:\Windows\System32\

Threat behavior

TrojanDropper:Win32/Zolpiq.A is a trojan that installs other malware detected as TrojanProxy:Win32/Zolpiq.A.

Installation

When run, this trojan drops the following files:

  • %TEMP%\e.tmp - non-malicious copy of the Windows system file "sfc.dll"
  • %ProgramFiles%\Common Files\bak.dll - copy of the Windows system file "mspmsnsv.dll"
  • <system folder>\dllcache\mspmsnsv.dll - TrojanProxy:Win32/Zolpiq.A, which can result in the escalation of privileges
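As an added example (not Microsoft's tooling and not part of this entry), the following Python triage helper checks a system tree for the file layout described under "Installation" and performs the restore described under "What to do now". It assumes the paths sit under a single root such as C:\ and, in its demo, uses constructed placeholder files rather than real binaries.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path
# Files named in the "Installation" and "What to do now" sections, relative to a root.
BACKUP_REL = Path("Program Files", "Common Files", "bak.dll")           # preserved original
TARGET_REL = Path("Windows", "System32", "mspmsnsv.dll")                # live system file
DLLCACHE_REL = Path("Windows", "System32", "dllcache", "mspmsnsv.dll")  # dropped copy

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def assess(root):
    """Report artifacts consistent with the file swap described on the page."""
    backup, target, cache = (Path(root) / p for p in (BACKUP_REL, TARGET_REL, DLLCACHE_REL))
    findings = []
    if not backup.exists():
        return findings                      # no preserved original to compare against
    findings.append("bak.dll present in Common Files")
    if target.exists() and sha256(target) != sha256(backup):
        findings.append("System32 mspmsnsv.dll differs from preserved original")
    if cache.exists() and sha256(cache) != sha256(backup):
        findings.append("dllcache mspmsnsv.dll differs from preserved original")
    return findings

def restore_original(root, dry_run=True):
    """Copy bak.dll back over System32 mspmsnsv.dll, the step the page prescribes.
    Run only after the threat itself has been removed, and confirm bak.dll is the
    genuine system file (e.g. check its digital signature) before trusting it."""
    backup, target = (Path(root) / p for p in (BACKUP_REL, TARGET_REL))
    if not backup.exists() or (target.exists() and sha256(target) == sha256(backup)):
        return False                         # nothing to restore
    if not dry_run:
        shutil.copy2(backup, target)
    return True

def run_demo():
    """Constructed post-infection layout (placeholder bytes): assess, restore, re-assess."""
    root = Path(tempfile.mkdtemp())
    for rel, data in ((BACKUP_REL, b"original"), (TARGET_REL, b"replaced"),
                      (DLLCACHE_REL, b"replaced")):
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    before = assess(root)
    restored = restore_original(root, dry_run=False)
    after = assess(root)
    shutil.rmtree(root)
    return before, restored, after
```

After the restore, the remaining dllcache mismatch is the dropped TrojanProxy copy, which the scan step in "What to do now" is expected to remove.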

Connects with remote servers

The malware attempts to connect to the following IRC servers on TCP port 443 to upload stolen data:

  • heyouh.ignorelist.com
  • cvabu.dyndns-pics.com
  • whiteshark.dyndns-server.com
  • redhouse123.dyndns.info
  • liciayee.dyndns-free.com

Analysis by Jaime Wong


Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.

Prevention


Alert level: Severe
First detected by definition: 1.103.1373.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: May 10, 2011
This entry was first published on: May 31, 2011
This entry was updated on: Jun 08, 2011

This threat is also detected as:
  • TrojanDropper:Win32/Swofi.A (other)
  • TR/Drop.Small.hdo (Avira)
  • Trojan-Dropper.Win32.Small.hdo (Kaspersky)