Trojan:Win32/Zues.A


Trojan:Win32/Zues.A is a trojan that connects to a certain website to possibly download and install other files. It may also gather information about the computer.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft Safety Scanner (http://go.microsoft.com/fwlink/?LinkId=212742). For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.

Threat behavior

Installation
Upon execution, Trojan:Win32/Zues.A creates the following files in the "%windir%\help" folder:
  • zeus.exe - also detected as Trojan:Win32/Zues.A
  • adprop1.hlp - file containing malware settings
  • adprop2.hlp - file containing malware settings
 
It modifies the system registry so that "zeus.exe" runs every time Windows starts:
 
Adds value: "zeus"
With data: "%windir%\help\zeus.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
 
It deletes the following file, if it exists:
%windir%\help\adprop0.hlp
 
When "zeus.exe" is run, it drops the following file in the "%windir%\help" folder:
adprop3.hlp
 
It also copies itself to an existing folder under the Windows directory, using a random file name, for example:
%windir%\Connection Wizard\foh.exe
 
It then modifies the system registry so that its dropped copy runs every time Windows starts:
 
Adds value: "spad"
With data: "%windir%\connection wizard\foh.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
 
It also creates the following registry keys:
  • HKCU\Software\tagrevenue
  • HKCU\Software\zeus
Payload
Connects to a Website
Trojan:Win32/Zues.A checks for an Internet connection by contacting "www.microsoft.com".
 
If an Internet connection is detected, it then connects to the following URL:
zeus.<removed>.com/log-bin/lunch_install.php?aff_id=%CXT1%&lunch_id=%CXT2%&maddr=%MAC%&action=install
 
where "CXT1" is the content of the file "adprop1.hlp", "CXT2" is the content of the file "adprop2.hlp", and "MAC" is the MAC address of the system's network card.
 
Downloads Files
Trojan:Win32/Zues.A attempts to connect to and download files from "zeus.<removed>.com", using the same CXT1, CXT2 and MAC parameters.
 
It may also contact or download files from:
  • run.<removed>revenue.net
  • drag.<removed>revenue.net
 
Gathers System Information
Trojan:Win32/Zues.A can perform the following actions on the system:
  • Read the contents of the system file "autoexec.bat"
  • Read the system's phone book details
  • Enumerate program windows
  • Enumerate installed programs
  • Attempt to check if the following programs are active on the system, presumably to avoid detection:
    Olly Debugger
    Wireshark
    Ethereal Network Analyzer
 
Analysis by Patrik Vicol

Symptoms

System Changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files in "%windir%\help":
    zeus.exe
    adprop1.hlp
    adprop2.hlp
    adprop3.hlp
  • The presence of the following registry modifications:
    Added value: "zeus"
    With data: "%windir%\help\zeus.exe"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
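The following PowerShell script is an added example, not part of the Microsoft entry; it checks a host for the file and registry indicators listed under "Installation" and "Symptoms". It assumes it is run in the profile of the user suspected of being infected, since the Run values and marker keys live under HKCU, and it matches the "spad" value by name only because the dropped copy uses a random file name.

```powershell
# Added example, not part of the Microsoft entry: checks a host for the
# Trojan:Win32/Zues.A indicators listed under "Installation" and "Symptoms".
# Run from the profile of the user under which the infection is suspected,
# because the Run values and marker keys live under HKCU.
# The dropped copy ("spad") has a random file name, so only the value name is matched.

$findings = @()

# 1. Dropped files in %windir%\help
$helpDir = Join-Path $env:windir 'help'
foreach ($name in 'zeus.exe', 'adprop1.hlp', 'adprop2.hlp', 'adprop3.hlp') {
    $path = Join-Path $helpDir $name
    if (Test-Path -LiteralPath $path) {
        $findings += [pscustomobject]@{ Type = 'File'; Indicator = $path }
    }
}

# 2. Run-key persistence: value names "zeus" and "spad"
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path -LiteralPath $runKey) {
    $run = Get-ItemProperty -LiteralPath $runKey
    foreach ($valueName in 'zeus', 'spad') {
        $prop = $run.PSObject.Properties[$valueName]
        if ($prop) {
            $findings += [pscustomobject]@{ Type = 'RunValue'; Indicator = "$valueName = $($prop.Value)" }
        }
    }
}

# 3. Marker keys the trojan creates under HKCU\Software
foreach ($key in 'HKCU:\Software\tagrevenue', 'HKCU:\Software\zeus') {
    if (Test-Path -LiteralPath $key) {
        $findings += [pscustomobject]@{ Type = 'RegistryKey'; Indicator = $key }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Trojan:Win32/Zues.A indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit on any indicator is a reason to run the full-system scan recommended above rather than to clean files by hand, since the entry notes the trojan also plants a randomly named copy elsewhere under the Windows directory.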

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.45.287.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Feb 14, 2009
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Backdoor.Win32.Agent.faf (Kaspersky)
  • Trojan.Crypt.XPACK.Gen (Sunbelt Software)
  • TROJ_ZUES.A (Trend Micro)