Backdoor:IRC/Zapchast.AN often arrives in email disguised as a greeting card. Those who follow the link to download the card will actually be downloading a copy of the Trojan. The downloaded file may be named postcard.exe. When this file is run, it takes the following actions:
- Drops several files in the %windir%\system folder. These files include an installation of mIRC (an Internet Relay Chat program) and a copy of the backdoor component, svchost.exe. Note that %windir%\system is not the actual Windows system folder, which is %windir%\system32 under Windows NT, 2000, XP, and Vista; a legitimate svchost.exe exists in the \system32 folder, so an svchost.exe found in %windir%\system is not the genuine one. The following files are dropped to %windir%\system:
fullname.txt
ident.txt
nicks.txt
aliases.ini
control.ini
mirc.ini
remote.ini
script.ini
servers.ini
users.ini
sup.bat
svchost.exe (may be infected with the Win32/Parite virus)
mirc.ico
sup.reg
popups.txt
download
logs
sounds
Note: %windir% signifies the name of the Windows folder. By default, on Windows Vista, XP, ME, 98 and 95, this is C:\Windows. On Windows NT/2000, the default folder is C:\Winnt.
- Modifies the registry to load the dropped svchost.exe file each time Windows is started:
Adds value: "GHP Generic Host Process"
With data: %windir%\system\svchost.exe
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Modifies the following registry entries:
Adds value: "VoiceEnabled"
With data: "1"
Under key: HKEY_CURRENT_USER\Software\Microsoft\Microsoft Agent
Adds value: "(default)"
With data: "1174867138"
Under key: HKEY_CURRENT_USER\Software\mIRC\DateUsed
Adds value: "DisplayName"
With data: "mirc"
Under key: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\mIRC
Adds value: "(default)"
With data: "chatfile"
Under key: HKLM\SOFTWARE\Classes\.cha
Adds value: "(default)"
With data: "chatfile"
Under key: HKLM\SOFTWARE\Classes\.chat
Adds value: "(default)"
With data: "chat file"
Under key: HKLM\SOFTWARE\Classes\ChatFile
Adds value: "(default)"
With data: ""%windir%\system\svchost.exe""
Under key: HKLM\SOFTWARE\Classes\ChatFile\DefaultIcon
Adds value: "(default)"
With data: ""%windir%\system\svchost.exe" -noconnect"
Under key: HKLM\SOFTWARE\Classes\ChatFile\Shell\open\command
Adds value: "(default)"
With data: "%1"
Under key: HKLM\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec
Adds value: "(default)"
With data: "svchost"
Under key: HKLM\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application
Adds value: "(default)"
With data: "%1"
Under key: HKLM\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec
Adds value: "(default)"
With data: "connect"
Under key: HKLM\Classes\ChatFile\Shell\open\ddeexec\Topic
Adds value: "(default)"
With data: "url:irc protocol"
Under key: HKEY_LOCAL_MACHINE\Software\Classes\irc
Adds value: "(default)"
With data: ""%windir%\system\svchost.exe""
Under key: HKLM\Software\Classes\irc\DefaultIcon
Adds value: "(default)"
With data: ""%windir%\system\svchost.exe" -noconnect"
Under key: HKLM\SOFTWARE\Classes\irc\Shell\open\command
Adds value: "(default)"
With data: "%1"
Under key: HKLM\Software\Classes\irc\Shell\open\ddeexec
Adds value: "(default)"
With data: "svchost"
Under key: HKLM\Software\Classes\irc\Shell\open\ddeexec\Application
Adds value: "(default)"
With data: "%1"
Under key: HKLM\Software\Classes\irc\Shell\open\ddeexec\ifexec
Adds value: "(default)"
With data: "connect"
Under key: HKLM\Software\Classes\irc\Shell\open\ddeexec\Topic
- Listens on TCP port 113 and UDP port 30167, and joins multiple IRC channels.
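The following triage script is an added example and is not part of this description or of any vendor tool. It checks artifacts already collected from a host (registry-export triples, a listing of the %windir%\system folder, and netstat -ano output) against the indicators listed above, so it runs offline on any platform. The central test is the one the description hinges on: the legitimate svchost.exe lives only in %windir%\system32, so any svchost.exe launched from another folder (the Run value, or the hijacked .chat/irc file handlers) is flagged. The sample artifacts at the bottom are constructed to mirror the description, not captured from an infected machine.

```python
"""Offline triage for the Backdoor:IRC/Zapchast.AN indicators described above.
Added example, not part of the original description; it works on collected
host artifacts, and all sample inputs at the bottom are constructed."""
from __future__ import annotations

import re

# Indicators copied from the description. Matching is case-insensitive
# because NTFS names and registry paths are case-insensitive.
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "GHP Generic Host Process"
DROPPED_FILES = {
    "fullname.txt", "ident.txt", "nicks.txt", "aliases.ini", "control.ini",
    "mirc.ini", "remote.ini", "script.ini", "servers.ini", "users.ini",
    "sup.bat", "svchost.exe", "mirc.ico", "sup.reg", "popups.txt",
}
LISTEN_PORTS = {("TCP", 113), ("UDP", 30167)}

_SVCHOST = re.compile(r"\\svchost\.exe$", re.IGNORECASE)
_SYSTEM32 = re.compile(r"\\system32\\svchost\.exe$", re.IGNORECASE)

def _exe_path(data: str) -> str:
    """Executable part of a command line: '"C:\\x\\a.exe" -noconnect' -> 'C:\\x\\a.exe'."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split()[0] if data else ""

def svchost_is_misplaced(path: str) -> bool:
    """True for any svchost.exe outside %windir%\\system32, the only place the
    real service host lives; %windir%\\system is not the system folder."""
    return bool(_SVCHOST.search(path)) and not _SYSTEM32.search(path)

def check_registry(entries: list[tuple[str, str, str]]) -> list[str]:
    """Flag the Run-key persistence value and any value (Run key, .chat/irc
    handler keys) whose command launches a misplaced svchost.exe.
    entries: (key, value_name, data) triples as parsed from a .reg export."""
    findings = []
    for key, name, data in entries:
        if key.lower() == RUN_KEY.lower() and name.lower() == RUN_VALUE.lower():
            findings.append(f"persistence: {key}\\{name} = {data}")
        elif svchost_is_misplaced(_exe_path(data)):
            findings.append(f"misplaced svchost.exe via {key}\\{name} = {data}")
    return findings

def check_dropped_files(listing: list[str]) -> set[str]:
    """Names from the dropped-file set present in a %windir%\\system listing."""
    return {f.strip().lower() for f in listing} & DROPPED_FILES

def check_listeners(netstat_lines: list[str]) -> set[tuple[str, int]]:
    """(proto, port) pairs in 'netstat -ano' output matching the backdoor's ports.
    TCP 113 (ident) is also opened by legitimate IRC clients: corroborating only."""
    hits = set()
    for line in netstat_lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and "LISTENING" not in parts:
            continue
        try:
            port = int(parts[1].rsplit(":", 1)[1])
        except (IndexError, ValueError):
            continue
        if (parts[0], port) in LISTEN_PORTS:
            hits.add((parts[0], port))
    return hits

def triage(entries, listing, netstat_lines) -> dict:
    """'infected' = persistence/handler hijack plus the mIRC file set;
    'suspicious' = some indicators only; 'clean' = nothing matched."""
    reg, files, ports = (check_registry(entries), check_dropped_files(listing),
                         check_listeners(netstat_lines))
    if reg and len(files) >= 3:
        verdict = "infected"
    else:
        verdict = "suspicious" if (reg or files or ports) else "clean"
    return {"verdict": verdict, "registry": reg,
            "files": sorted(files), "ports": sorted(ports)}

# Constructed sample artifacts mirroring the description above (not real captures).
SAMPLE_REGISTRY = [
    (RUN_KEY, RUN_VALUE, r"C:\Windows\system\svchost.exe"),
    (r"HKLM\SOFTWARE\Classes\irc\Shell\open\command", "(default)",
     r'"C:\Windows\system\svchost.exe" -noconnect'),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\Dhcp", "ImagePath",  # benign
     r"%SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted"),
]
SAMPLE_LISTING = ["mirc.ini", "remote.ini", "script.ini", "svchost.exe", "sup.bat"]
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:113      0.0.0.0:0      LISTENING       1840",
    "  TCP    0.0.0.0:445      0.0.0.0:0      LISTENING       4",
    "  UDP    0.0.0.0:30167    *:*                            1840",
]

if __name__ == "__main__":
    for k, v in triage(SAMPLE_REGISTRY, SAMPLE_LISTING, SAMPLE_NETSTAT).items():
        print(f"{k}: {v}")
```

The verdict deliberately requires both a registry hit and several of the mIRC files before reporting an infection: the open ports alone are weak evidence, since TCP 113 is the ident service that ordinary IRC clients also expose, and a single stray .ini file is not proof of anything. The hypothetical Dhcp service entry is included only to show that a genuine %SystemRoot%\system32\svchost.exe command line, with its -k arguments, is not flagged.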