
CERT-In Advisory CIAD-2007-27
Backdoor Trojan Propagating through Email Greetings

Original issue date: May 24, 2007

Severity Rating: High

Description

It has been observed that an IRC-based Backdoor Trojan known as Zapchast is propagating widely through emails. The email contains a malicious link to the malware. Messages with the malicious link have also been posted to forums to infect innocent users. Malicious emails pretend to come from Greetings.com with the subject line “Hey, you have a new Greeting!!!”. The email persuades the innocent user to click on the link to see a greeting card that is supposedly sent by a friend.

The circulating emails have the following content:

The link in the email goes to:
http:SLASH SLASH web2 DOT pickdti DOT com
and downloads the malicious file postcard.gif.exe.

The malicious file is detected as VBS:Malware (Avast), IRC/Backdoor.Flood (AVG), Trojan.IRC-Script-33 (ClamAV), Win32.IRC.Zapchast (eSafe), Backdoor.IRC.Zapchast (F-Secure), IRC/Flood.b (McAfee), Backdoor:IRC/Zapchast.AN (Microsoft), Troj/Zapchas-CR (Sophos), IRC Trojan (Symantec), TROJ_ZAPCHAS.BU (Trend Micro).

  • On execution, postcard.gif.exe drops the following files and folders in the C:\Windows\system folder:

    ident.txt, nicks.txt, us3r.txt
    aliases.ini, control.ini, mirc.ini, remote.ini, script.ini, servers.ini, users.ini
    sup.bat, mirc.ico, sup.reg
    svchost.exe
    logs, sounds, download

  • postcard.gif.exe drops the IRC chat client mIRC under the name svchost.exe in the C:\Windows\System folder.
  • The sup.bat and sup.reg files are used by the malicious file to create a registry entry that ensures svchost.exe is executed at every system startup:

    6681 7.09140396 regedit.exe:1788 CreateKey HKLM\Software\Microsoft\Windows\CurrentVersion\Run SUCCESS Access: 0x2000000
    6682 7.09380341 regedit.exe:1788 SetValue HKLM\Software\Microsoft\Windows\CurrentVersion\Run\GNP Generic Host Process SUCCESS "C:\WINDOWS\system\SVCHOST.EXE"
  • The IRC chat client mIRC, running as svchost.exe, tries to connect to the IRC servers listed in the configuration file servers.ini.
  • svchost.exe reads the configuration files aliases.ini, control.ini, mirc.ini, remote.ini, script.ini and users.ini for IRC commands and for communication with the IRC servers listed in servers.ini.

This enables a remote attacker to turn the infected system into a bot and use it for malicious activities.
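As an added illustration that is not part of the advisory, the following Python script parses Process Monitor-style lines in the format quoted above and flags a Run-key value whose command points at an svchost.exe outside System32 (the persistence entry described above), and checks a directory listing of C:\Windows\system against the dropped-file names listed earlier. The log lines and the directory listing are constructed samples; the benign OneDrive line is included only as a control.

```python
import re

# Constructed sample in the Process Monitor-style format quoted in the advisory:
# sequence, time, process:pid, operation, path, result, detail. The first two
# lines mirror the advisory's entries; the third is a benign control line.
SAMPLE_LOG = """\
6681 7.09140396 regedit.exe:1788 CreateKey HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run SUCCESS Access: 0x2000000
6682 7.09380341 regedit.exe:1788 SetValue HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\GNP Generic Host Process SUCCESS "C:\\WINDOWS\\system\\SVCHOST.EXE"
6683 7.10000000 explorer.exe:1200 SetValue HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive SUCCESS "C:\\Program Files\\OneDrive\\OneDrive.exe"
"""

# Result strings are matched explicitly because the registry path itself may contain spaces.
LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>[\d.]+)\s+(?P<proc>[^\s:]+):(?P<pid>\d+)\s+(?P<op>\w+)\s+"
    r"(?P<path>.+?)\s+(?P<result>SUCCESS|NAME NOT FOUND|ACCESS DENIED|BUFFER OVERFLOW)\s*(?P<detail>.*)$"
)

RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
LEGIT_SVCHOST = {"c:\\windows\\system32\\svchost.exe"}  # the only expected location
# Files the advisory says postcard.gif.exe drops into C:\Windows\system.
DROPPED_FILES = {"ident.txt", "nicks.txt", "us3r.txt", "aliases.ini", "control.ini",
                 "mirc.ini", "remote.ini", "script.ini", "servers.ini", "users.ini",
                 "sup.bat", "mirc.ico", "sup.reg", "svchost.exe"}

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_suspicious_run_value(entry):
    """True for a SetValue on a Run key whose command is an svchost.exe outside System32."""
    if entry["op"] != "SetValue" or RUN_KEY not in entry["path"].lower():
        return False
    image = entry["detail"].strip().strip('"').lower()
    return image.endswith("\\svchost.exe") and image not in LEGIT_SVCHOST

def find_persistence(log_text):
    """Return (process, Run value name, image path) for every suspicious Run-key write."""
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and is_suspicious_run_value(e):
            value_name = e["path"].rsplit("\\", 1)[-1]
            hits.append((e["proc"], value_name, e["detail"].strip().strip('"')))
    return hits

def dropped_file_matches(dir_listing):
    """Names from a C:\\Windows\\system listing that match the advisory's dropped files."""
    return sorted(DROPPED_FILES & {name.lower() for name in dir_listing})

if __name__ == "__main__":
    print(find_persistence(SAMPLE_LOG))
    print(dropped_file_matches(["svchost.exe", "SUP.REG", "nicks.txt", "notepad.exe"]))
```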

In view of the high damage potential of this malware, users are advised to implement the following countermeasures:

  • Keep up-to-date patches and fixes on the operating system and application software.
  • Keep up-to-date Antivirus and Antispyware signatures.
  • Do not follow links in such emails.
  • Block TCP port 6667 on the firewall.
  • Block ports that are not needed at the perimeter.

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003