Backdoor:Win32/Zonebac.gen.D is a backdoor trojan that lowers Internet Explorer security settings and can be instructed to perform additional actions by a remote host.
Backdoor:Win32/Zonebac.gen variants are generally packed with the common packer UPX and install as a single executable file. Other variants may include an accompanying dynamic link library (DLL) to assist with communication and other tasks. Some variants are built with anti-analysis techniques such as string encryption and code obfuscation to slow down debugging and static inspection.
Installation
In a typical infection scenario, Zonebac checks if it is already installed on the affected system, and terminates if it is found. If not found, Zonebac copies itself to the Windows system folder and modifies the registry so it loads at each Windows startup, as in the following example where this variant has copied itself to <system folder>\lsasss.exe:
Adds value: Lexmark_X79-55
With data: <system folder>\lsasss.exe
Within subkeys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
This trojan creates a mutual exclusion object (mutex) with the following unique name, and exits if it already exists to avoid multiple executions: {FA531CC1-0497-11d3-A180-3333052276C3E}.
Zonebac drops the following files for its own use:
%Temp%\abc123.pid
%Temp%\<random 8 characters or numbers 0-9A-F>
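The installation artifacts above (Run-key values, the lsasss.exe copy, the %Temp% files and the mutex) can be checked on a suspect host with the following PowerShell triage script. This is an added example, not code from the original description: the indicator strings are the ones listed on this page, while the function name, the checks for both the bare and the Global\ mutex namespace, and the output format are this example's own choices.

```powershell
# Added triage example (not part of the original description). Indicator values
# are taken from the page; everything else is this script's own.
function Test-ZonebacInstallArtifacts {
    [CmdletBinding()]
    param(
        [string]$RunValueName = 'Lexmark_X79-55',                           # from the page
        [string]$DroppedExe   = 'lsasss.exe',                               # from the page
        [string]$MutexName    = '{FA531CC1-0497-11d3-A180-3333052276C3E}'   # copied verbatim from the page
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Run-key persistence in both hives. The value name imitates a printer
    #    driver and the image name imitates the real lsass.exe (one 's').
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }    # skip provider metadata properties
            if ($p.Name -eq $RunValueName -or ($p.Value -is [string] -and $p.Value -match 'lsasss\.exe')) {
                $findings.Add("Run value '$($p.Name)' = '$($p.Value)' in $key")
            }
        }
    }

    # 2. The dropped executable in the system folder.
    $exePath = Join-Path $env:SystemRoot "System32\$DroppedExe"
    if (Test-Path $exePath) { $findings.Add("File present: $exePath") }

    # 3. Dropped files in %Temp%. This is the temp folder of the account the
    #    script runs as; if the trojan ran as a different user, check that
    #    user's temp folder as well.
    $pidFile = Join-Path $env:TEMP 'abc123.pid'
    if (Test-Path $pidFile) { $findings.Add("File present: $pidFile") }
    Get-ChildItem -Path $env:TEMP -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^[0-9A-F]{8}$' } |
        ForEach-Object { $findings.Add("Temp file with 8 hex-character name: $($_.FullName)") }

    # 4. Mutex held by a running instance. The page does not say which namespace
    #    the trojan uses, so both the session-local and the Global\ name are tried.
    foreach ($name in @($MutexName, "Global\$MutexName")) {
        $m = $null
        try {
            if ([System.Threading.Mutex]::TryOpenExisting($name, [ref]$m)) {
                $findings.Add("Mutex present: $name (an instance is running)")
                $m.Dispose()
            }
        } catch [System.UnauthorizedAccessException] {
            # Exists but this account may not open it: still evidence of an instance.
            $findings.Add("Mutex present but not accessible: $name")
        }
    }

    # 5. A running process using the dropped image name.
    Get-Process -Name ($DroppedExe -replace '\.exe$', '') -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("Process running: $($_.Name) (PID $($_.Id)) $($_.Path)") }

    return $findings
}

$hits = Test-ZonebacInstallArtifacts
if ($hits.Count -eq 0) { 'No Zonebac installation artifacts found.' } else { $hits }
```

Run it in the session of the user whose profile is suspected, since the HKCU Run key, %Temp% and the session-local mutex namespace all belong to that user. A match on the Run value or the lsasss.exe file is a strong indicator; the 8-character temp file check on its own is only a lead, because other software creates similarly named files.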
The trojan checks for the presence of the following security-related processes:
ad-watch.exe
almon.exe
alsvc.exe
aluschedulersvc.exe
ashdisp.exe
ashmaisv.exe
ashserv.exe
ashwebsv.exe
avcenter.exe
avciman.exe
avengine.exe
avesvc.exe
avgnt.exe
avguard.exe
avp.exe
bdagent.exe
bdmcon.exe
ca.exe
caissdt.exe
cavrid.exe
cavtray.exe
ccapp.exe
ccetvmgr.exe
cclaw.exe
ccsetmgr.exe
clamtray.exe
clamwin.exe
counterspy.exe
dpasnt.exe
firewallntservice.exe
fsaw.exe
fsguidll.exe
fsm32.exe
fspex.exe
guardxkickoff.exe
hsockpe.exe
isafe.exe
kav.exe
kpf4gui.exe
kpf4ss.exe
mcagent.exe
mcdetect.exe
mcshield.exe
mctskshd.exe
mcupdate.exe
mcvsescn.exe
mcvsshld.exe
mpeng.exe
mpfagent.exe
mpfservice.exe
mpftray.exe
mscorsvw.exe
msfwsvc.exe
mskagent.exe
msksrvr.exe
msmpsvc.exe
msmsgs.exe
mxtask.exe
navapsvc.exe
nip.exe
nipsvc.exe
njeeves.exe
nod32krn.exe
nod32kui.exe
npfmsg2.exe
nscsrvce.exe
nvcoas.exe
nvcsched.exe
oasclnt.exe
pavfnsvr.exe
pavprsrv.exe
pnmsrv.exe
psimsvc.exe
pskmssvc.exe
PXAgent.exe
pxconsole.exe
savservice.exe
scfmanager.exe
scfservice.exe
scftray.exe
sndsrvc.exe
spbbcsvc.exe
spysweeper.exe
spysweeperui.exe
srvload.exe
ssu.exe
sunprotectionserver.exe
sunserver.exe
swdoctor.exe
tpsrv.exe
tsantispy.exe
vba32ldr.exe
vir.exe
vrmonnt.exe
vrmonsvc.exe
vsmon.exe
vsserv.exe
webproxy.exe
webrootdesktopfirewall.exe
winssnotify.exe
wmiprvse.exe
xcommsvr.exe
zanda.exe
zlclient.exe
zlh.exe
Payload
Modifies System Security Settings
The trojan modifies the registry to add these external Web sites to the Internet Explorer trusted site list:
whataboutadog.com
doginhispen.com
88.80.7.66
Zonebac.D modifies Internet Explorer's security settings by altering numerous values in "Zone 2", the Trusted sites zone, which Internet Explorer describes as "This zone contains web sites that you trust not to damage your computer or your files." The value names below are Internet Explorer URL action identifiers (for example, 1001 and 1004 govern downloading signed and unsigned ActiveX controls, 1200 and 1201 running ActiveX controls and scripting controls not marked safe, 1400 Active scripting, and 1803 file downloads); each holds 0 for enable, 1 for prompt, or 3 for disable. The trojan alters the following values in Zone 2 in this subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
1001
1004
1200
1201
1206
1400
1402
1405
1406
1407
1601
1604
1605
1606
1607
1608
1609
1800
1802
1803
1804
1805
1806
1807
1808
1809
1A00
1A02
1A03
1A04
1A05
1A06
1A10
1C00
1E05
2000
2001
2004
2100
2101
2102
2200
2201
2300
It also modifies the zone-level settings below, which lower the Trusted sites zone to Internet Explorer's Low security level (0x10000; the other defined levels are 0x10500 Medium-low, 0x11000 Medium and 0x12000 High). Under the documented bit layout of the zone Flags value, 0x43 differs from the zone's usual default of 0x47 in that the 0x4 bit ("Require server verification (https:) for all sites in this zone") is cleared, which makes the plain-http hosts and the bare IP address added above consistent with the zone's own rules.
Modifies values:
CurrentLevel = 0x10000
Flags = 0x43
MinLevel = 0x10000
RecommendedLevel = 0x1000
Within subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
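The trusted-site additions and the Zone 2 changes described above can be audited with the PowerShell script below. This is an added example and not code from the original description. The hostnames, IP address, zone values and URL action names come from this page; the ZoneMap\Domains and ZoneMap\Ranges locations are Internet Explorer's documented per-site zone assignment keys (the page itself only names the hosts), and the function names and report format are this example's own.

```powershell
# Added audit example (not part of the original description). Reads the
# current user's Internet Explorer zone settings; run it as the affected user.
$ZonesBase    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneMapBase  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$ZonebacHosts = @('whataboutadog.com', 'doginhispen.com', '88.80.7.66')   # from the page

# URL actions the page says are altered. 0 = enable, 1 = prompt, 3 = disable.
$AlteredActions = @('1001','1004','1200','1201','1206','1400','1402','1405','1406','1407',
    '1601','1604','1605','1606','1607','1608','1609','1800','1802','1803','1804','1805',
    '1806','1807','1808','1809','1A00','1A02','1A03','1A04','1A05','1A06','1A10','1C00',
    '1E05','2000','2001','2004','2100','2101','2102','2200','2201','2300')

function Get-TrustedZoneAssignments {
    # One object per host or IP range that ZoneMap assigns to zone 2.
    $results = @()

    # Domains: ZoneMap\Domains\<domain>[\<sub>] holding a scheme-named DWORD whose data is the zone.
    $domRoot = Join-Path $ZoneMapBase 'Domains'
    if (Test-Path $domRoot) {
        Get-ChildItem $domRoot -Recurse | ForEach-Object {
            $key      = $_
            $rel      = $key.Name.Substring($key.Name.IndexOf('Domains\') + 8)  # "doginhispen.com" or "example.com\www"
            $parts    = $rel -split '\\'
            $hostName = if ($parts.Count -gt 1) { "$($parts[1]).$($parts[0])" } else { $parts[0] }
            foreach ($v in (Get-ItemProperty -Path $key.PSPath).PSObject.Properties) {
                if ($v.Name -like 'PS*') { continue }
                if ($v.Value -eq 2) {
                    $results += [pscustomobject]@{ Host = $hostName; Scheme = $v.Name; Source = 'Domains' }
                }
            }
        }
    }

    # IP addresses: ZoneMap\Ranges\RangeN with a ':Range' string and a scheme-named DWORD.
    $rngRoot = Join-Path $ZoneMapBase 'Ranges'
    if (Test-Path $rngRoot) {
        Get-ChildItem $rngRoot | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            foreach ($v in $p.PSObject.Properties) {
                if ($v.Name -like 'PS*' -or $v.Name -eq ':Range') { continue }
                if ($v.Value -eq 2) {
                    $results += [pscustomobject]@{ Host = $p.':Range'; Scheme = $v.Name; Source = $_.PSChildName }
                }
            }
        }
    }
    return $results
}

function Test-ZonebacZoneChanges {
    $report = New-Object System.Collections.Generic.List[string]

    # 1. Any of the page's hosts present in the Trusted sites zone.
    foreach ($a in Get-TrustedZoneAssignments) {
        if ($ZonebacHosts -contains $a.Host) {
            $report.Add("Trusted-site entry for Zonebac host: $($a.Host) scheme=$($a.Scheme) ($($a.Source))")
        }
    }

    # 2. Zone-level values. 0x10000 = Low, 0x10500 = Medium-low, 0x11000 = Medium, 0x12000 = High.
    $zone2 = Join-Path $ZonesBase '2'
    if (Test-Path $zone2) {
        $z = Get-ItemProperty -Path $zone2
        if ($z.CurrentLevel -eq 0x10000) { $report.Add('Zone 2 CurrentLevel is 0x10000 (Low)') }
        if ($z.Flags -eq 0x43) {
            # Usual default is 0x47; 0x43 has the 0x4 "require https" bit cleared.
            $report.Add('Zone 2 Flags is 0x43 (https requirement bit cleared; usual default 0x47)')
        }

        # 3. URL actions from the page currently set to 0 (enable). The Low level
        #    enables many of these by itself, so compare against a known-good host.
        $enabled = @()
        foreach ($name in $AlteredActions) {
            $val = $z.$name
            if ($null -ne $val -and $val -eq 0) { $enabled += $name }
        }
        if ($enabled.Count -gt 0) {
            $report.Add('Zone 2 URL actions set to 0 (enable): ' + ($enabled -join ', '))
        }
    }
    return $report
}

$r = Test-ZonebacZoneChanges
if ($r.Count -eq 0) { 'No Zonebac-style Zone 2 changes found.' } else { $r }
```

The host match is the reliable part of the report; the level and URL action findings should be read together with a baseline from a clean machine running the same Internet Explorer version, because the Trusted sites zone is permissive by design and its defaults differ between versions.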
Backdoor Functionality
After Zonebac has lowered the security settings on the compromised machine, it may connect to the following remote sites:
a.whataboutarabit.com
whataboutadog.com
doginhispen.com
88.80.7.66
When connected, it may then attempt to perform the following actions:
Upload general computer configuration information such as operating system, security products installed, service pack or patch level data and other information
Update malware
Download additional files
Additional Information
To evade host firewalls, the backdoor contacts the sites listed above through Internet Explorer rather than from its own process, so the outbound connection appears to come from a browser that is typically already permitted. To prevent the user from seeing the Internet Explorer windows, the backdoor launches Internet Explorer on a separate desktop that it creates, named "NEW_DESKTOP".
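Two runtime signs follow from the behaviour described above: a desktop named NEW_DESKTOP in the user's window station, and iexplore.exe instances whose parent is not something a user would launch a browser from. The PowerShell script below checks for both. It is an added example, not code from the original description: only the desktop name and the lsasss.exe file name come from this page; the P/Invoke wrapper around EnumDesktops, the list of "expected" parent processes and the function names are this example's own assumptions.

```powershell
# Added example (not part of the original description). Run it in the
# interactive session of the affected user; EnumDesktops only sees desktops
# in the calling process's window station, and only those the caller may enumerate.
Add-Type -TypeDefinition @'
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;

public static class DesktopEnum
{
    [UnmanagedFunctionPointer(CallingConvention.Winapi, CharSet = CharSet.Unicode)]
    public delegate bool EnumDesktopProc(string lpszDesktop, IntPtr lParam);

    [DllImport("user32.dll", EntryPoint = "EnumDesktopsW", SetLastError = true)]
    static extern bool EnumDesktops(IntPtr hwinsta, EnumDesktopProc lpEnumFunc, IntPtr lParam);

    [DllImport("user32.dll", SetLastError = true)]
    static extern IntPtr GetProcessWindowStation();

    // Names of all desktops in this process's window station
    // (normally WinSta0 in an interactive session: Default, Winlogon, ...).
    public static List<string> ListDesktops()
    {
        var names = new List<string>();
        EnumDesktops(GetProcessWindowStation(), (name, lp) => { names.Add(name); return true; }, IntPtr.Zero);
        return names;
    }
}
'@

function Find-HiddenDesktop {
    param([string]$Name = 'NEW_DESKTOP')   # desktop name from the page
    $desktops = [DesktopEnum]::ListDesktops()
    [pscustomobject]@{
        Desktops = $desktops
        Found    = [bool]($desktops -contains $Name)
    }
}

function Find-SuspiciousIexplore {
    # Index processes by PID so each parent is resolved without a second query.
    $all  = Get-CimInstance Win32_Process
    $byId = @{}
    foreach ($p in $all) { $byId[$p.ProcessId] = $p }

    # Parents a user-launched browser normally has (assumption for this example);
    # a parent such as lsasss.exe from the system folder is what this page describes.
    $expected = @('explorer.exe', 'iexplore.exe')

    foreach ($ie in ($all | Where-Object { $_.Name -ieq 'iexplore.exe' })) {
        $parent     = $byId[$ie.ParentProcessId]
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }
        [pscustomobject]@{
            IePid       = $ie.ProcessId
            ParentPid   = $ie.ParentProcessId
            Parent      = $parentName
            Suspicious  = -not ($expected -contains $parentName)
            CommandLine = $ie.CommandLine
        }
    }
}

$d = Find-HiddenDesktop
"Desktops in this window station: $($d.Desktops -join ', ')"
if ($d.Found) { 'NEW_DESKTOP is present: a hidden desktop matching this page exists.' }
Find-SuspiciousIexplore | Where-Object Suspicious | Format-Table -AutoSize
```

A parent that has already exited shows as <exited>, which is common when a launcher starts the browser and terminates, so treat it as a prompt to look at the process creation history rather than as a clean result. If the backdoor runs in a different logon session than the script, its desktop will not appear in this enumeration.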