Threat behavior
TrojanDropper:Win32/Zirit.K is a trojan that downloads and executes arbitrary files. It may be installed by other malware that has previously compromised the affected system.
Installation
Win32/Zirit.K may be installed by other malware into a uniquely named file folder, as in the following example:
%windir%\installer\{f550f51e-4866-4df9-a3c4-a4edc6bfa4b9}\zip.dll
The folder name (a GUID) differs among minor variants of this threat. The installer then modifies the registry so that this copy of Win32/Zirit.K is loaded each time the Windows shell (Explorer) starts: it registers the DLL as a COM in-process server under a CLSID, and adds that CLSID to the ShellServiceObjectDelayLoad key, whose entries Explorer loads automatically.
Adds value: zip
With data: "{f550f51e-4866-4df9-a3c4-a4edc6bfa4b9}"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

Adds value: "(default)"
With data: "%windir%\installer\{f550f51e-4866-4df9-a3c4-a4edc6bfa4b9}\zip.dll"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f550f51e-4866-4df9-a3c4-a4edc6bfa4b9}\InProcServer32
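As an added example (not Microsoft's code and not derived from the Zirit.K sample), the following PowerShell script audits the persistence mechanism described above: it enumerates every value under ShellServiceObjectDelayLoad, resolves the CLSID each value names to its InProcServer32 DLL (checking both the native and the WOW6432Node registration views), and flags DLLs that match the %windir%\installer\{GUID}\ drop pattern, are missing from disk, or do not carry a valid Authenticode signature. The drop-path regular expression and the "Suspicious" heuristic are assumptions made for illustration, not a Microsoft detection signature.

```powershell
# Added example: audit ShellServiceObjectDelayLoad (SSODL) persistence.
# Not Microsoft's code and not taken from the Zirit.K sample; it walks only the
# registry locations named in this entry. Run from an elevated PowerShell.

$ssodlPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'

# Assumed heuristic: the drop location this entry reports,
# %windir%\installer\{GUID}\<name>.dll (-match is case-insensitive by default).
$dropPattern = '\\installer\\\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\\[^\\]+\.dll$'

$ssodlKey = Get-Item -Path $ssodlPath -ErrorAction SilentlyContinue
if (-not $ssodlKey) { Write-Host 'No ShellServiceObjectDelayLoad key present.'; return }

foreach ($valueName in $ssodlKey.GetValueNames()) {
    $clsid = [string]$ssodlKey.GetValue($valueName)
    # SSODL values are expected to hold a CLSID; anything else is noise for this check.
    if ($clsid -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }

    # Resolve the CLSID to its in-process server DLL. The registration may live in
    # the native view or, on 64-bit Windows, under WOW6432Node.
    $dll = $null
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID') {
        $serverKey = "$root\$clsid\InProcServer32"
        $props = Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue
        if ($props -and $props.'(default)') {
            # Paths are usually stored with %windir%-style variables, as in this entry.
            $dll = [Environment]::ExpandEnvironmentVariables($props.'(default)')
            break
        }
    }

    $exists    = $dll -and (Test-Path -LiteralPath $dll)
    $sigStatus = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'FileMissing' }
    $dropHit   = [bool]($dll -and $dll -match $dropPattern)

    [pscustomobject]@{
        ValueName        = if ($valueName) { $valueName } else { '(default)' }
        CLSID            = $clsid
        Dll              = $dll
        Signature        = $sigStatus
        MatchesZiritDrop = $dropHit
        # Assumed triage rule: drop-path match, unresolvable/missing DLL, or no valid signature.
        Suspicious       = [bool]($dropHit -or -not $dll -or $sigStatus -ne 'Valid')
    }
}
```

Treat the output as a triage list rather than a removal list: legitimate shell service objects are registered under this key on some Windows versions, so a "Suspicious" row is an entry to investigate (hash the DLL, compare its creation time with the other malware on the host), not something to delete on sight. When an entry is confirmed malicious, note that removing only the SSODL value leaves the CLSID registration and the DLL behind; a complete cleanup removes the SSODL value, the CLSID key and the file.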
Payload
Downloads and Executes Arbitrary Files
Win32/Zirit.K may be used by malware to download and execute arbitrary files, including additional malware.
Analyzed by Hong Jia
Prevention