

VIRUS ALERTS

Zonebac Trojan

Original issue date: March 13, 2008

It has been observed that a trojan named Zonebac is circulating widely. It is propagated via malicious PDF files that exploit the recently disclosed vulnerabilities in Adobe Reader/Acrobat described in CIAD-2008-09 [Multiple vulnerabilities in Adobe Reader/Acrobat]. A user could be tricked into opening the malicious PDF file 1.pdf via compromised advertisements appearing on legitimate Web sites, or via compromised Web pages containing an IFRAME or JavaScript that redirects the user's browser to the malicious PDF file. It could also arrive as an attachment or link in spam emails. When the user unknowingly opens this PDF file, the trojan Zonebac is dropped onto the user's system.

Upon execution the trojan scans the infected system to collect information about the running applications and replaces certain files referenced in the registry with a copy of itself, keeping the same filename to avoid detection. After successful installation the Trojan lowers the security settings of the infected system.

Aliases: Trojan.Zonebac [Symantec]

Upon execution, the Trojan:

  • Creates the following files:
    • %Temp%\abc123.pid
    • %Temp%\abc123.dat
  • Searches for the following processes and terminates itself if it finds any of them:
    • cavrid.exe, apvxdwin.exe, avciman.exe, pavprsrv.exe, pnmsrv.exe, srvload.exe, swdoctor.exe, hsockpe.exe, vrmonnt.exe, firewallntservice.exe, mcdetect.exe, mcupdmgr.exe, mcvsescn.exe, mpfservice.exe, mscifapp.exe, oasclnt.exe, aluschedulersvc.exe, msmsgs.exe, nscsrvce.exe, symlcsvc.exe, mscorsvw.exe, msfwsvc.exe, kavpf.exe, fsm32.exe, fsguidll.exe, ad-watch.exe, isafe.exe, ca.exe, caissdt.exe, cavtray.exe, avp.exe, tpsrv.exe, avengine.exe, pavfnsvr.exe, pavsrv51.exe, psimsvc.exe, pskmssvc.exe, webproxy.exe, vir.exe, sdhelp.exe, mxtask.exe, wmiprvse.exe, vrfwsvc.exe, vrmonsvc.exe, spysweeper.exe, spysweeperui.exe, ssu.exe, isafe.exe, vsmon.exe, lclient.exe, mcagent.exe, mcshield.exe, mctskshd.exe, mcupdate.exe, mcvsshld.exe, mpfagent.exe, mpftray.exe, mskagent.exe, msksrvr.exe, ccapp.exe, cetvmgr.exe, ccproxy.exe, ccsetmgr.exe, navapsvc.exe, sndsrvc.exe, spbbcsvc.exe, winssnotify.exe, mpeng.exe, msmpsvc.exe, dpasnt.exe, kav.exe, tsantispy.exe, fspex.exe, fsaw.exe, msascui.exe
  • Adds the following registry value to ensure its execution on every system startup:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Lexmark_X79-55" = "%System%\lsasss.exe"
  • Searches for files referenced in the following registry subkeys:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Copies itself as %System%\lsasss.exe.
  • It starts a hidden process to connect to the malicious URLs.
  • Modifies the following registry values in the subkey
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    to lower the Microsoft Internet Explorer security zone settings:
    "CurrentLevel" = "10000", "MinLevel" = "10000", "RecommendedLevel" = "10000", "Flags" = "43"
    "1001" = "0", "1004" = "0", "1200" = "0", "1201" = "0", "1206" = "0"
    "1400" = "0", "1402" = "0", "1405" = "0", "1406" = "0", "1407" = "0"
    "1601" = "0", "1604" = "0", "1605" = "0", "1606" = "0", "1607" = "0", "1608" = "0", "1609" = "1"
    "1800" = "0", "1802" = "0", "1803" = "0", "1804" = "0", "1805" = "0", "1806" = "0", "1807" = "0", "1808" = "0", "1809" = "0"
    "1A00" = "0", "1A02" = "0", "1A03" = "0", "1A04" = "0", "1A05" = "0", "1A06" = "0", "1A10" = "0"
    "1C00" = "30000", "1E05" = "30000"
    "2000" = "0", "2001" = "0", "2004" = "0", "2100" = "0", "2101" = "1", "2102" = "0", "2200" = "0", "2201" = "0", "2300" = "1"

In view of the rapid propagation of the Zonebac Trojan, users are advised to implement the following countermeasures:

  • Do not click/open the links/attachments provided in untrusted email messages.
  • Remain cautious while visiting trusted / untrusted websites.
  • Search for the malicious files and processes created/initiated by Zonebac Trojan and delete the same.
  • Search for the registry entries mentioned above made by the Zonebac Trojan and delete the same.
  • Apply the update described in Adobe's advisory for the above-mentioned vulnerabilities:
    http://www.adobe.com/support/security/advisories/apsa08-01.html
  • Keep up-to-date patches and fixes on the operating system and application software.
  • Keep up-to-date Antivirus and Antispyware signatures.
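As an added, read-only check (example code written for this page, not part of the CERT-In alert) that carries out the "search for the malicious files, processes and registry entries" steps above: it looks for the dropped files, the Run entry, a running lsasss.exe and the zone 2 values listed in this alert, and reports what it finds without deleting anything. It assumes Windows PowerShell on the affected host, that the file names, value names and values are exactly as printed in the alert, and that the zone values are stored as DWORDs (they are compared in hexadecimal, which is how the alert prints them). Those assumptions, and the function name Test-ZonebacIndicators, are this example's own.

```powershell
# Added example, not part of the CERT-In alert. Read-only: reports indicators,
# deletes nothing. Run from an elevated PowerShell prompt.
function Test-ZonebacIndicators {
    $findings = @()

    # 1. Dropped files: %System%\lsasss.exe and the two %Temp% files named in the alert.
    $sys  = [Environment]::GetFolderPath('System')
    $temp = [Environment]::GetEnvironmentVariable('TEMP')
    foreach ($p in @((Join-Path $sys 'lsasss.exe'),
                     (Join-Path $temp 'abc123.pid'),
                     (Join-Path $temp 'abc123.dat'))) {
        if (Test-Path -LiteralPath $p) {
            $f = Get-Item -LiteralPath $p -Force
            $findings += "File present: $p ($($f.Length) bytes, modified $($f.LastWriteTime))"
        }
    }

    # 2. Persistence: the "Lexmark_X79-55" Run value, or any Run value pointing at lsasss.exe.
    foreach ($k in @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        $props.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object {
                if ($_.Name -eq 'Lexmark_X79-55' -or ([string]$_.Value) -match 'lsasss\.exe') {
                    $findings += "Run entry: $k\$($_.Name) = $($_.Value)"
                }
            }
    }

    # 3. Running copy. Note the three s's: the legitimate LSA process is lsass.exe.
    Get-Process -Name 'lsasss' -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += "Process running: $($_.ProcessName) (PID $($_.Id)) $($_.Path)"
    }

    # 4. IE zone 2 settings. Keys and values are exactly those the alert lists; each
    #    DWORD is formatted as hex (no leading zeros) before comparison. Single matches
    #    also occur in benign configurations, so the count is what matters.
    $zoneKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2'
    $expected = @{
        'CurrentLevel'='10000'; 'MinLevel'='10000'; 'RecommendedLevel'='10000'; 'Flags'='43'
        '1001'='0'; '1004'='0'; '1200'='0'; '1201'='0'; '1206'='0'
        '1400'='0'; '1402'='0'; '1405'='0'; '1406'='0'; '1407'='0'
        '1601'='0'; '1604'='0'; '1605'='0'; '1606'='0'; '1607'='0'; '1608'='0'; '1609'='1'
        '1800'='0'; '1802'='0'; '1803'='0'; '1804'='0'; '1805'='0'; '1806'='0'; '1807'='0'; '1808'='0'; '1809'='0'
        '1A00'='0'; '1A02'='0'; '1A03'='0'; '1A04'='0'; '1A05'='0'; '1A06'='0'; '1A10'='0'
        '1C00'='30000'; '1E05'='30000'
        '2000'='0'; '2001'='0'; '2004'='0'; '2100'='0'; '2101'='1'; '2102'='0'; '2200'='0'; '2201'='0'; '2300'='1'
    }
    $zone = Get-ItemProperty -Path $zoneKey -ErrorAction SilentlyContinue
    $matched = @()
    if ($zone) {
        foreach ($name in $expected.Keys) {
            $raw = $zone.$name
            if ($null -eq $raw) { continue }
            $hex = '{0:X}' -f [uint32]$raw
            if ($hex -eq $expected[$name]) { $matched += $name }
        }
    }
    if ($matched.Count -gt 0) {
        $findings += "Zone 2: $($matched.Count) of $($expected.Count) values match the alert ($($matched -join ', '))"
    }

    if ($findings.Count -eq 0) { Write-Output 'No Zonebac indicators found.' }
    else { $findings | ForEach-Object { Write-Output $_ } }
}

Test-ZonebacIndicators
```

A file, Run-entry or process hit is a strong signal on its own; treat the zone 2 result as corroboration, since some of those values are also set by legitimate configuration. Once confirmed, follow the alert's advice: remove the files and registry entries, restore the zone settings, and apply the Adobe update.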

References

http://www.symantec.com/security_response/writeup.jsp?docid=2006-091612-5500-99&tabid=2

http://www.symantec.com/enterprise/security_response/weblog/2008/02/pidief_a_byword_for_0day_explo.html

http://research.sunbelt-software.com/threatdisplay.aspx?name=Trojan.Zonebac&threatid=66599

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003