Threat behavior
TrojanDropper:Win32/Zegost.B is a trojan that drops and installs
Backdoor:Win32/Zegost.F and modifies the registry so that the dropped backdoor is loaded as a service DLL by svchost.exe.
Installation
This trojan may be installed by other malware. When run, it drops a copy of
Backdoor:Win32/Zegost.F as the following:
- %SystemRoot%\System32\<random>.cc3 (e.g. "vegpq.cc3")
Payload
Replaces existing service
TrojanDropper:Win32/Zegost.B enumerates the services that run inside a shared "svchost.exe" process by reading the "netsvcs" value (a REG_MULTI_SZ list of service names) under the following registry key:
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost (value "netsvcs")
The trojan walks that list and selects the first service that is both disabled (a "Start" data of 4, SERVICE_DISABLED) and not running. Once one is found, the trojan saves a copy of that service's original registry configuration to the following file:
- %SystemRoot%\System32\<random>.rdb (e.g. "F5859B27.rdb")
The selected service's configuration is then rewritten so that svchost.exe loads the dropped copy of
Backdoor:Win32/Zegost.F in place of the original service DLL, as in the following example:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\<Service name>
Sets value: "Start"
To data: "2"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\<Service name>\Parameters
Sets value: "seRViceDlL"
To data: "%SystemRoot%\System32\<random>.cc3" (e.g. "vegpq.cc3")
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\<Service name>\Parameters
Sets value: "seRVicemAIN"
To data: "McastRenewAddress"
A "Start" data of 2 is SERVICE_AUTO_START, so the previously disabled service is now configured to start at every boot. Registry value names are case-insensitive, so svchost.exe reads "seRViceDlL" and "seRVicemAIN" as the standard ServiceDll and ServiceMain values; the unusual casing changes nothing about how the service loads. The ServiceMain data is the name of the export that svchost.exe calls in the DLL, so the dropped .cc3 file must export a function named "McastRenewAddress". TrojanDropper:Win32/Zegost.B then starts the modified service immediately, without waiting for a reboot.
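To hunt for this pattern on a live host, the following PowerShell script (an added example, not part of the original analysis) audits every service in the netsvcs group and reports any whose ServiceDll is not a .dll file, does not live under System32, is missing from disk, or whose ServiceDll/ServiceMain value names are stored with non-standard casing; it also lists stray *.cc3 and *.rdb files in System32. It goes a little beyond this specific sample: the checks catch any netsvcs service-DLL hijack of this shape, not only Zegost.B. The function names Find-NetsvcsHijack and Find-ZegostDropFiles and the choice of indicators are the editor's own assumptions; run it from an elevated prompt.

```powershell
# Added example: audit the svchost "netsvcs" group for service-DLL hijacking of
# the kind described above. Not part of the original analysis; function names
# and indicator choices are the editor's own. Run from an elevated prompt.

function Find-NetsvcsHijack {
    [CmdletBinding()]
    param()

    $svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    $system32   = Join-Path $env:SystemRoot 'System32'

    # REG_MULTI_SZ "netsvcs" -> array of service names that share one svchost.exe
    $netsvcs = (Get-ItemProperty -Path $svchostKey -Name netsvcs).netsvcs

    foreach ($svc in $netsvcs) {
        $svcKey    = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        $paramsKey = "$svcKey\Parameters"
        if (-not (Test-Path $paramsKey)) { continue }   # service not present on this host

        $params = Get-Item -Path $paramsKey              # Microsoft.Win32.RegistryKey
        $names  = $params.GetValueNames()

        # The registry matches value names case-insensitively, so look them up that
        # way, then separately check whether the stored spelling is the standard one.
        $dllName  = @($names | Where-Object { $_ -ieq 'ServiceDll' })[0]
        $mainName = @($names | Where-Object { $_ -ieq 'ServiceMain' })[0]
        if (-not $dllName) { continue }                  # not a DLL-hosted service

        # GetValue expands %SystemRoot% etc. for REG_EXPAND_SZ data
        $dll   = [string]$params.GetValue($dllName)
        $main  = if ($mainName) { [string]$params.GetValue($mainName) } else { '' }
        $start = (Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue).Start

        $reasons = @()
        if ($dllName -cne 'ServiceDll')                  { $reasons += "value name spelled '$dllName'" }
        if ($mainName -and $mainName -cne 'ServiceMain') { $reasons += "value name spelled '$mainName'" }
        if (-not $dll)                                   { $reasons += 'ServiceDll is empty' }
        elseif ($dll -notmatch '\.dll$')                 { $reasons += "ServiceDll is not a .dll: $dll" }
        if ($dll -and $dll -notlike "$system32\*")       { $reasons += 'ServiceDll outside System32' }
        if ($dll -and -not (Test-Path -LiteralPath $dll)){ $reasons += 'ServiceDll missing on disk' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Service     = $svc
                Start       = $start   # 2 = SERVICE_AUTO_START, 3 = DEMAND_START, 4 = DISABLED
                ServiceDll  = $dll
                ServiceMain = $main
                Reasons     = ($reasons -join '; ')
            }
        }
    }
}

# Dropper artifacts named in the analysis: <random>.cc3 payload and <random>.rdb backup
function Find-ZegostDropFiles {
    Get-ChildItem -Path (Join-Path $env:SystemRoot 'System32\*') -Include '*.cc3', '*.rdb' -File
}

Find-NetsvcsHijack   | Format-Table -AutoSize
Find-ZegostDropFiles | Select-Object FullName, Length, LastWriteTime
```

A hit on the casing or extension checks is an indicator to review, not proof of infection on its own; a service whose ServiceDll points at a non-.dll file under System32 that was recently written, together with a matching .rdb backup, is the combination this sample leaves behind. The .rdb file also tells you which service was hijacked if the registry has since been cleaned.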
Analysis by Shawn Wang
Prevention