Trojan:Win32/Zues.A is a trojan that connects to a certain website to possibly download and install other files. It may also gather information about the computer.
Installation
Upon execution, Trojan:Win32/Zues.A creates the following files in the "%windir%\help" folder:
- zeus.exe - also detected as Trojan:Win32/Zues.A
- adprop1.hlp - file containing malware settings
- adprop2.hlp - file containing malware settings
It modifies the system registry so that "zeus.exe" runs every time Windows starts:
Adds value: "zeus"
With data: "%windir%\help\zeus.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
It deletes the following file, if it exists:
%windir%\help\adprop0.hlp
When "zeus.exe" is run, it drops the following file in the "%windir%\help" folder:
adprop3.hlp
It also copies itself into an existing folder on the system, using a random file name, for example:
%windir%\Connection Wizard\foh.exe
It then modifies the system registry so that its dropped copy runs every time Windows starts:
Adds value: "spad"
With data: "%windir%\connection wizard\foh.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
It also creates the following registry keys:
- HKCU\Software\tagrevenue
- HKCU\Software\zeus
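As an added example (not part of the original write-up), the following PowerShell check looks for the installation artifacts listed above on a Windows host. The paths, value names and registry keys are the ones named in the write-up; the "spad" entry is matched by value name only, because its file name is random.

```powershell
# Added example: hunt for the Trojan:Win32/Zues.A persistence artifacts
# described in the write-up. Run as the (possibly) affected user, since the
# trojan writes its Run values and marker keys under HKCU.
$windir   = $env:windir
$findings = @()

# 1. Files dropped into %windir%\help (names taken from the write-up)
foreach ($name in 'zeus.exe', 'adprop1.hlp', 'adprop2.hlp', 'adprop3.hlp') {
    $path = Join-Path (Join-Path $windir 'help') $name
    if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
}

# 2. Run-key values "zeus" and "spad" under HKCU. The "spad" data points at a
#    randomly named copy, so we report whatever path the value holds.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path -LiteralPath $runKey) {
    $run = Get-ItemProperty -LiteralPath $runKey
    foreach ($valueName in 'zeus', 'spad') {
        $prop = $run.PSObject.Properties[$valueName]
        if ($prop) { $findings += "Run value '$valueName' -> $($prop.Value)" }
    }
}

# 3. Marker keys the trojan creates
foreach ($key in 'HKCU:\Software\tagrevenue', 'HKCU:\Software\zeus') {
    if (Test-Path -LiteralPath $key) { $findings += "Registry key present: $key" }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Trojan:Win32/Zues.A persistence artifacts found for this user.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Because the entries live under HKCU, the check only covers the user it runs as; on a shared machine, repeat it for each user profile (or load the other users' hives).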
Payload
Connects to a Website
Trojan:Win32/Zues.A checks for an Internet connection by contacting "www.microsoft.com".
If an Internet connection is detected, it then connects to the following URL:
zeus.<removed>.com/log-bin/lunch_install.php?aff_id=%CXT1%&lunch_id=%CXT2%&maddr=%MAC%&action=install
where "CXT1" is the content of the file "adprop1.hlp", "CXT2" is the content of the file "adprop2.hlp" and "MAC" is the MAC address of the system's network card.
Downloads Files
Trojan:Win32/Zues.A attempts to connect to and download files from "zeus.<removed>.com", using the same parameters CXT1, CXT2, and MAC.
It may also contact or download files from:
- run.<removed>revenue.net
- drag.<removed>revenue.net
Gathers System Information
Trojan:Win32/Zues.A is capable of performing certain actions on the system, such as the following:
- Read the contents of the system file "autoexec.bat"
- Read the system's phone book details
- Enumerate program windows
- Enumerate installed programs
- Attempt to check if the following programs are active on the system, presumably to avoid detection:
  - Olly Debugger
  - Wireshark
  - Ethereal Network Analyzer
Analysis by Patrik Vicol