Trojan.Zapchas.F

Aliases: Backdoor.IRC.Zapchast, Trojan.Dropper, IRC/Generic Flooder, Backdoor.IRC.Cloner.ae#1, Backdoor.WinBot
Spreading: medium
Damage: high
Size: 914 976 bytes
Discovered: 2006 Jul 07

SYMPTOMS:

  • Presence of a file named svchost.exe in the “C:\WINDOWS\system\” directory with a size of 2 000 187 bytes. (The malware does not check where Windows is installed; if Windows lives in a different directory, the path above is created anyway.)
  • Presence of sup.bat in “C:\WINDOWS\system\” with a size of 28 bytes.
  • Presence of the directories “download”, “logs” and “sounds” in the “C:\WINDOWS\system\” directory.
  • Presence of a registry entry named “GNP Generic Host Process” with the value “C:\WINDOWS\system\svchost.exe” under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
  • svchost.exe requesting an outbound connection on port 6667 (visible if you run a personal firewall).

TECHNICAL DESCRIPTION:

The malware arrives as a self-extracting RAR archive disguised as a screen saver, named Cristina.scr, with a size of 816 160 bytes. Executing this file extracts 15 files with a total size of 2 000 187 bytes into the “C:\WINDOWS\system\” directory (if Windows is not installed in the default directory, this directory is created). It then registers the extracted program “C:\WINDOWS\system\svchost.exe” under the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run registry key with the name “GNP Generic Host Process”. This program is a customized version of the mIRC client: it hides its main window and connects to a predefined IRC channel using a nick chosen at random from a list of 313 predefined names.
The modified mIRC executable (svchost.exe) is itself infected with Win32.Parite.B, which activates when the executable is launched. Parite.B then tries to infect other executables on the system, which may cause random programs to crash.

Infected computers connect to the Undernet IRC network, join a channel and execute commands issued by certain users.

These commands can be used to run any program the controller wishes and to perform other IRC-related operations (joining channels, changing nicks, etc.).
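A defender-side check of the indicators listed under SYMPTOMS and in the technical description, added here as an example and not part of the BitDefender write-up. The paths, file sizes, registry entry name and IRC port are the advisory's; the function names, the live-collection helper and the sample observations are constructed for this example. The check matches the full path C:\WINDOWS\system\svchost.exe, so the legitimate service host in system32 does not trigger it, and it reports a size mismatch separately rather than ignoring a file that sits at the expected path but has been repacked.

```python
"""Check host observations against the Trojan.Zapchas.F indicators.

Indicator values come from the advisory above; everything else
(collector, sample data, function names) is constructed for this example.
"""
import os
import sys

# Indicators taken from the advisory (sizes in bytes).
DROP_DIR = r"C:\WINDOWS\system"          # note: "system", not "system32"
EXPECTED_FILES = {
    "svchost.exe": 2000187,              # customized mIRC client, Parite.B-infected
    "sup.bat": 28,
}
EXPECTED_DIRS = ("download", "logs", "sounds")
RUN_KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "GNP Generic Host Process"
RUN_VALUE_DATA = r"C:\WINDOWS\system\svchost.exe"
IRC_PORT = 6667


def _norm(path):
    """Case-insensitive, backslash-normalised path for comparisons."""
    return path.replace("/", "\\").lower()


def match_indicators(files, dirs, run_entries, connections):
    """Return the list of advisory indicators present in a host snapshot.

    files:       {full_path: size_in_bytes}
    dirs:        set of directory paths that exist
    run_entries: {value_name: value_data} read from HKLM\\...\\Run
    connections: iterable of (process_name, remote_port)
    """
    files = {_norm(p): size for p, size in files.items()}
    dirs = {_norm(d) for d in dirs}
    hits = []

    for name, expected_size in EXPECTED_FILES.items():
        path = _norm(DROP_DIR + "\\" + name)
        if path in files:
            # Exact size is the strong signal; a different size at the same
            # path still deserves a look, so flag it rather than drop it.
            suffix = "" if files[path] == expected_size else " (size differs)"
            hits.append("file:" + name + suffix)

    if all(_norm(DROP_DIR + "\\" + d) in dirs for d in EXPECTED_DIRS):
        hits.append("dirs:download/logs/sounds")

    data = run_entries.get(RUN_VALUE_NAME)
    if data is not None and _norm(data) == _norm(RUN_VALUE_DATA):
        hits.append("run-key:" + RUN_VALUE_NAME)

    for proc, port in connections:
        if proc.lower() == "svchost.exe" and port == IRC_PORT:
            hits.append("network:svchost.exe->6667")
            break
    return hits


def collect_windows_snapshot():
    """Constructed helper: gather file, directory and Run-key observations
    from a live Windows host. Network connections are not collected here;
    supply them from your firewall log or netstat output."""
    if sys.platform != "win32":
        raise RuntimeError("live collection only works on Windows")
    import winreg
    files, dirs, run_entries = {}, set(), {}
    for name in EXPECTED_FILES:
        p = os.path.join(DROP_DIR, name)
        if os.path.isfile(p):
            files[p] = os.path.getsize(p)
    for d in EXPECTED_DIRS:
        p = os.path.join(DROP_DIR, d)
        if os.path.isdir(p):
            dirs.add(p)
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY_PATH) as key:
            i = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:
                    break           # no more values under the key
                run_entries[name] = str(data)
                i += 1
    except OSError:
        pass                        # Run key missing or not readable
    return files, dirs, run_entries


# Constructed sample observations from a hypothetical infected host.
SAMPLE_FILES = {
    r"C:\WINDOWS\system32\svchost.exe": 14336,   # legitimate service host (size made up)
    r"C:\WINDOWS\system\svchost.exe": 2000187,
    r"C:\WINDOWS\system\sup.bat": 28,
}
SAMPLE_DIRS = {r"C:\WINDOWS\system\download",
               r"C:\WINDOWS\system\logs",
               r"C:\WINDOWS\system\sounds"}
SAMPLE_RUN = {"GNP Generic Host Process": r"C:\WINDOWS\system\svchost.exe",
              "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}
SAMPLE_CONNS = [("firefox.exe", 443), ("svchost.exe", 6667)]

if __name__ == "__main__":
    for hit in match_indicators(SAMPLE_FILES, SAMPLE_DIRS, SAMPLE_RUN, SAMPLE_CONNS):
        print("indicator present:", hit)
```

Run as a script to see the check against the constructed sample; on a Windows host, feed the result of collect_windows_snapshot() plus your own connection list into match_indicators. Any single hit warrants a full scan, since the Parite.B component means other executables may be infected beyond the dropped files.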

REMOVAL INSTRUCTIONS:

Please let BitDefender disinfect / delete your files.

ANALYZED BY:

Attila-Mihaly Balazs, virus researcher

© 2010 BitDefender
