Threat behavior
Backdoor:Win32/Zegost.F is a trojan that communicates with a remote server and allows remote access and control. The trojan blocks access to numerous websites, many of which are security related.
Installation
Backdoor:Win32/Zegost.F may be installed as a randomly named file by TrojanDropper:Win32/Zegost.B. Backdoor:Win32/Zegost.F runs as a system service.
Payload
Allows remote access and control
Backdoor:Win32/Zegost.F attempts to connect to a remote IP address to report its installation and send the affected computer's information, such as the following:
- LAN IP address
- machine name
- Operating System (OS) version
Backdoor:Win32/Zegost.F retrieves commands from a remote server that may instruct the trojan to perform any of the following actions:
- Allow full access rights to files, directories and the registry
- Execute commands through a command shell session
- Capture video or audio
- Start Terminal Services
- Manage system services
- Log keystrokes
- Update or uninstall the backdoor service
Block access to certain websites
Backdoor:Win32/Zegost.F also tries to block access to the following websites, many of which are security related:
um<Number>.eset.com
u<Number>.eset.com.cn
exp<Number>.eset.com
08update<Number>.jiangmin.com
update<Number>.jiangmin.com
downloads<Number>.kaspersky-labs.com
cs<Number>.duba.net
cu0<Number>.www.duba.net
rsup<Number>.rising.com.cn
dnl-<Number>.geo.kaspersky.com
iau.trendmicro.com.cn
ll002.avast.com
liveupdate.symantecliveupdate.com
mmi.explabs.net
gtm-hkg.avg.com
gtm-self.avg.com
gtm-nyc.avg.com
gtm-tnt.avg.com
guru.avg.com
update.nai.com
support.eset.com.cn
kaspersky.fastcdn.com
rsdownauto.rising.com.cn
reportq.rising.com.cn
msginfo.rising.com.cn
rsdownload.rising.com.cn
z.rising.com.cn
www.rising.com.cn
hd.duba.net
api.pc120.com
f-signs.duba.net
vi.pc120.com
ifr.duba.net
www.duba.net
push.www.duba.net
vc01.beike.cn
www.beike.cn
f-sq.beike.cn
bo.duba.net
antispy.db.kingsoft.com
softm-s.update.360safe.com
softm.update.360safe.com
www.360safe.com
www.360.cn
dl.qh-lb.com
dl.360safe.com
sdl.360safe.com
stat.sd.360.cn
w.360.cn
updateh.360safe.com
tr.p.360.cn
update-s.360safe.com
update.360safe.com
stat-s.360safe.com
stat.360safe.com
qd.code.qihoo.com
qd.code.360.cn
sdupm.360.cn
sdup.qh-lb.com
sdup.360.cn
qup.qh-lb.com
qurl.qh-lb.com
qurl.f.360.cn
u.qurl.f.360.cn
qup.f.360.cn
conf.f.360.cn
220.181.126.7
124.238.243.51
221.194.142.98
125.39.100.74
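The entry does not state how the trojan blocks these hosts. A common way for malware in this class to do so is to add entries to the Windows hosts file, and a responder triaging a machine will usually want to check that file against the list above. The following triage script is an added example, not part of the original encyclopedia entry or of any Microsoft tooling; it assumes the hosts-file mechanism, uses a subset of the domains listed above (the page's `<Number>` placeholder is treated as a run of digits), and runs against a constructed sample hosts file rather than a real capture. The IP-address entries on the page cannot be expressed in a hosts file and are therefore omitted.

```python
import re
from typing import Iterator, List, Tuple

# Added example (not part of the original entry). Assumes the domain blocking is
# done through the hosts file; the page does not state the mechanism, so this is
# a triage aid for responders, not a detection signature.

# Subset of the domains listed on this page. "<Number>" is the page's own
# placeholder for a numeric component of the hostname.
ZEGOST_F_BLOCKLIST: List[str] = [
    "um<Number>.eset.com",
    "u<Number>.eset.com.cn",
    "downloads<Number>.kaspersky-labs.com",
    "liveupdate.symantecliveupdate.com",
    "update.nai.com",
    "update.360safe.com",
    "www.rising.com.cn",
]


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Turn a page-style host pattern into an anchored, case-insensitive regex.

    Literal segments are escaped; each "<Number>" becomes one or more digits.
    """
    parts = [re.escape(seg) for seg in pattern.split("<Number>")]
    return re.compile("^" + r"\d+".join(parts) + "$", re.IGNORECASE)


COMPILED = [(p, pattern_to_regex(p)) for p in ZEGOST_F_BLOCKLIST]


def parse_hosts(text: str) -> Iterator[Tuple[int, str, List[str]]]:
    """Yield (line_no, address, hostnames) for each effective hosts entry."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        fields = body.split()
        if len(fields) >= 2:  # an address followed by one or more names
            yield line_no, fields[0], fields[1:]


def find_suspicious_entries(text: str) -> List[dict]:
    """Return hosts entries whose hostname matches a listed security domain.

    Any mapping of a vendor update host is flagged, whether it points at a
    loopback/null address (blocking) or at some other address (redirection).
    """
    findings = []
    for line_no, address, hostnames in parse_hosts(text):
        for host in hostnames:
            for pattern, regex in COMPILED:
                if regex.match(host):
                    findings.append({"line": line_no, "address": address,
                                     "host": host, "pattern": pattern})
    return findings


# Constructed sample hosts file; not captured from a real infection.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       UM10.eset.com
0.0.0.0         liveupdate.symantecliveupdate.com   # update server nulled
192.0.2.10      update.360safe.com
127.0.0.1       intranet.example.internal
"""

if __name__ == "__main__":
    for f in find_suspicious_entries(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['address']} "
              f"(matches {f['pattern']})")
```

On a live system, read `%SystemRoot%\System32\drivers\etc\hosts` and pass its contents to `find_suspicious_entries`; the legitimate `localhost` line and unrelated internal names are left alone, while the three vendor hosts in the sample are reported with their line numbers and target addresses.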
Analysis by Shawn Wang
Prevention