How to Prevent and Remove the Backdoor.IRC.Zapchast.zwrc


1. What is the Backdoor.IRC.Zapchast.zwrc

Backdoor.IRC.Zapchast.zwrc is a backdoor trojan that gives an attacker remote access to, and control of, the infected computer. It is a PE executable. The sample may be packed with UPX; unpacked, the code is about 710 KB. It is usually spread through websites or via instant messengers (IM) such as Yahoo, MSN, Skype and ICQ.


When the Backdoor.IRC.Zapchast.zwrc file is started it behaves as a self-extracting archive (hence the HKEY_CURRENT_USER\Software\WinRAR SFX key recorded in section 2.b): it unpacks a renamed copy of the mIRC client, called firefox.exe so that it passes for a legitimate program, together with the bot's scripts and configuration into %Windir%\Temp\history, and then registers that copy to start with Windows through a Run value and a service named Firefox (section 2.b).


Aliases: Backdoor.Trojan [PCTools], Mal/Zapchas-A [Sophos], Backdoor.IRC.ZGS [Ikarus], Dropper/Malware.788797 [AhnLab]


2. Technical Details


a. Files created

  • The following files were created in the system:

      #   Filename                                   File Size
      1   [file and pathname of the sample #1]       788,797 bytes
      2   %Windir%\Temp\history\aliases.ini          11 bytes
      3   %Windir%\Temp\history\away.txt             132 bytes
      4   %Windir%\Temp\history\baby.mrc             10,426 bytes
      5   %Windir%\Temp\history\control.ini          130 bytes
      6   %Windir%\Temp\history\feel.reg             1,260 bytes
      7   %Windir%\Temp\history\firefox.exe          1,790,464 bytes
      8   %Windir%\Temp\history\fullname.txt         2,204 bytes
      9   %Windir%\Temp\history\gain.bat             157 bytes
     10   %Windir%\Temp\history\ident.txt            232,894 bytes
     11   %Windir%\Temp\history\jumbo.ico            5,694 bytes
     12   %Windir%\Temp\history\lord.mrc             1,418 bytes
     13   %Windir%\Temp\history\mirc.ini             3,176 bytes
     14   %Windir%\Temp\history\remote.ini           4,182 bytes
     15   %Windir%\Temp\history\servers.ini          878 bytes
     16   %Windir%\Temp\history\users.ini            289 bytes

  • Note:
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
    • firefox.exe is the mIRC client renamed; the .mrc files, remote.ini and aliases.ini carry the bot's scripts, and mirc.ini, servers.ini and users.ini its configuration.
  • The following directories were created:
    • %Windir%\Temp\history
    • %Windir%\Temp\history\download
    • %Windir%\Temp\history\logs
    • %Windir%\Temp\history\sounds

b. Registry Modifications

    • The following Registry Keys were created:
      • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cha
      • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.chat
      • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile
      • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon
      • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell
      • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open
      • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command
      • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec
      • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application
      • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec
      • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic
      • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc
      • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\DefaultIcon
      • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell
      • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open
      • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\command
      • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec
      • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application
      • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec
      • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Firefox
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Firefox\Parameters
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Firefox
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Firefox\Parameters
      • HKEY_CURRENT_USER\Software\Microsoft\Microsoft Agent
      • HKEY_CURRENT_USER\Software\mIRC
      • HKEY_CURRENT_USER\Software\mIRC\Channels
      • HKEY_CURRENT_USER\Software\mIRC\License
      • HKEY_CURRENT_USER\Software\mIRC\LockOptions
      • HKEY_CURRENT_USER\Software\mIRC\%UserName%
      • HKEY_CURRENT_USER\Software\WinRAR SFX
    • Notes:
      • %UserName% is a variable that refers to the current user name.
      • CurrentControlSet is a link to one of the numbered control sets (here ControlSet001), so the two Services\Firefox entries are one key reached by two paths.
      • The Parameters values under Services\Firefox (Application, AppDirectory) follow the layout used by srvany.exe-style service wrappers, which start the program named in Application as a service. Together with the Run value below this gives the bot two independent autostart paths.
    • The newly created Registry Values are:
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cha]
        • (Default) = "ChatFile"
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.chat]
        • (Default) = "ChatFile"
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic]
        • (Default) = "Connect"
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec]
        • (Default) = "%1"
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application]
        • (Default) = "firefox"
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec]
        • (Default) = "%1"
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command]
        • (Default) = ""%Windir%\temp\history\firefox.exe" -noconnect"
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon]
        • (Default) = ""%Windir%\temp\history\firefox.exe""
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile]
        • (Default) = "Chat File"
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic]
        • (Default) = "Connect"
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec]
        • (Default) = "%1"
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application]
        • (Default) = "firefox"
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec]
        • (Default) = "%1"
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\command]
        • (Default) = ""%Windir%\temp\history\firefox.exe" -noconnect"
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\DefaultIcon]
        • (Default) = ""%Windir%\temp\history\firefox.exe""
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc]
        • (Default) = "URL:IRC Protocol"
        • EditFlags = 02 00 00 00
        • URL Protocol = ""
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        • firefox = ""%Windir%\temp\history\firefox.exe""
          (so that firefox.exe runs every time Windows starts)
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC]
        • DisplayName = "mIRC"
        • UninstallString = ""%Windir%\temp\history\firefox.exe" -uninstall"
      • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Firefox\Parameters]
        • Application = ""%Windir%\temp\history\firefox.exe""
        • AppDirectory = ""%Windir%\temp\history\firefox.exe""
      • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Firefox\Parameters]
        • Application = ""%Windir%\temp\history\firefox.exe""
        • AppDirectory = ""%Windir%\temp\history\firefox.exe""
      • [HKEY_CURRENT_USER\Software\Microsoft\Microsoft Agent]
        • VoiceEnabled = 0x00000001
        • UseVoiceTips = 0x00000001
        • KeyHoldHotKey = 0x00000091
        • UseBeepSRPrompt = 0x00000001
        • SRTimerDelay = 0x000007D0
        • SRModeID = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        • EnableSpeaking = 0x00000001
        • UseBalloon = 0x00000001
        • UseCharacterFont = 0x00000001
        • UseSoundEffects = 0x00000001
        • SpeakingSpeed = 0x00000005
        • PropertySheetX = 0x000F423F
        • PropertySheetY = 0x000F423F
        • PropertySheetWidth = 0x00000000
        • PropertySheetHeight = 0x00000000
        • PropertySheetPage = 0x00000000
        • CommandsWindowLeft = 0xFFFFFFFF
        • CommandsWindowTop = 0xFFFFFFFF
        • CommandsWindowWidth = 0x000000C8
        • CommandsWindowHeight = 0x000000C8
        • CommandsWindowLocationSet = 0x00000000
      • [HKEY_CURRENT_USER\Software\mIRC\%UserName%]
        • (Default) = "PeNdEjO!"
      • [HKEY_CURRENT_USER\Software\mIRC\LockOptions]
        • (Default) = "0,4096"
      • [HKEY_CURRENT_USER\Software\mIRC\License]
        • (Default) = "4660-383310"
      • [HKEY_CURRENT_USER\Software\WinRAR SFX]
        • C%%Windows%temp%history = "%Windir%\temp\history"

c. Other details

  • Attempts were registered to establish connections with the following remote hosts:

      Remote Host       Port
      190.154.226.90    6667/tcp
      208.83.20.130     6667/tcp

  • TCP 6667 is the standard IRC port, consistent with the renamed mIRC client joining its command-and-control channel. C2 addresses change between samples, so treat these two as indicators of this sample rather than as a durable blocklist.


3. How-to's

a. How to prevent Backdoor.IRC.Zapchast.zwrc?

Keep the Sax2 policy (signature) database up to date. Once Ax3soft Sax2 detects the IRC command-and-control traffic of these trojans, it terminates the sessions, protecting your network and business. Independently of any product, the hosts and port in section 2.c are usable network indicators, and an executable launched from %Windir%\Temp is itself worth an alert.

b. How to remove Backdoor.IRC.Zapchast.zwrc manually?

Step 1: Stop the bot before touching files or the registry

Use Task Manager (or Process Explorer) to end the firefox.exe process whose image path is %Windir%\Temp\history\firefox.exe. Check the path: a legitimately installed Firefox browser runs from its own program directory and must be left alone. Then stop and delete the "Firefox" service (from an elevated command prompt: sc stop Firefox, then sc delete Firefox). If the client is left running, the files below stay locked and the bot's scripts can rewrite the Run value while you work.

Step 2: Use Registry Editor to remove the Backdoor.IRC.Zapchast.zwrc registry keys and values

Back up the registry, then delete the keys and values listed in section 2.b. The entries that actually relaunch the bot are:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    firefox = ""%Windir%\temp\history\firefox.exe""

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Firefox (the same key is also visible as ControlSet001\Services\Firefox)

Two cautions:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc, \ChatFile, \.cha and \.chat are the URL-protocol and file associations that any mIRC installation registers. Delete them only if their Shell\open\command value points at %Windir%\temp\history\firefox.exe; otherwise you will break a legitimately installed IRC client.
    • The values under HKEY_CURRENT_USER\Software\Microsoft\Microsoft Agent are Microsoft Agent's speech and character settings, apparently written as a side effect of the mIRC client loading Microsoft Agent. They provide no persistence and may be left in place.

Step 3: Delete the dropped files

Delete the original sample ([file and pathname of the sample #1]) and the whole %Windir%\Temp\history directory, including its download, logs and sounds subdirectories; it holds every file listed in section 2.a (firefox.exe, the .mrc scripts, the .ini configuration and the .txt files). Empty the Recycle Bin, reboot, and confirm that neither the Run value, the service nor the directory has reappeared.
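The following PowerShell script is an added example for this writeup; it is not code from the original page or from Ax3soft. It performs the sweep and the three removal steps above against the indicators in section 2 (the drop directory, the running client matched by image path, the firefox Run value, the Firefox service, the irc:/ChatFile handlers, and live TCP connections to port 6667 or to the two listed hosts). The -Remove switch, the variable names and the order of clean-up are this example's own choices, not taken from the page. Run it from an elevated prompt; without -Remove it only reports.

```powershell
# Added example for this writeup (not the page's or Ax3soft's code): report, and with
# -Remove clean up, the Backdoor.IRC.Zapchast.zwrc artifacts listed in section 2.
# Run from an elevated PowerShell prompt. The -Remove switch and the ordering below
# are this example's own choices, not taken from the page.
param([switch]$Remove)

$dropDir = Join-Path $env:windir 'Temp\history'      # section 2.a drop directory
$botExe  = Join-Path $dropDir 'firefox.exe'          # renamed mIRC client
$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$svcName = 'Firefox'                                 # section 2.b service
$c2Hosts = @('190.154.226.90', '208.83.20.130')      # section 2.c
$c2Port  = 6667                                      # standard IRC port
$marker  = '*\temp\history\firefox.exe*'             # pattern proving a value is the bot's

$findings = @()

# 1. Dropped client on disk
if (Test-Path $botExe) {
    $findings += "file: $botExe ($((Get-Item $botExe).Length) bytes)"
}

# 2. Running copy, matched by image path so a real Firefox browser is ignored
$procs = @(Get-Process -Name firefox -ErrorAction SilentlyContinue |
           Where-Object { $_.Path -and $_.Path -ieq $botExe })
foreach ($p in $procs) { $findings += "process: PID $($p.Id) $($p.Path)" }

# 3. Run-key persistence
$runVal = (Get-ItemProperty -Path $runKey -Name firefox -ErrorAction SilentlyContinue).firefox
if ($runVal -and $runVal -like $marker) { $findings += "run key: firefox = $runVal" }

# 4. Service-based persistence
$svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
if ($svc) { $findings += "service: $svcName ($($svc.Status))" }

# 5. Live IRC connections (works on PowerShell 2.0; gives no PID mapping)
$tcp = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveTcpConnections()
foreach ($c in $tcp) {
    $rip = $c.RemoteEndPoint.Address.ToString()
    if ($c.RemoteEndPoint.Port -eq $c2Port -or $c2Hosts -contains $rip) {
        $findings += "network: $($c.LocalEndPoint) -> $($c.RemoteEndPoint) [$($c.State)]"
    }
}

if ($findings.Count -eq 0) { Write-Host 'No Zapchast artifacts found.'; return }
$findings | ForEach-Object { Write-Host "[!] $_" }
if (-not $Remove) { Write-Host 'Re-run with -Remove to clean up.'; return }

# --- Removal: stop execution first, then persistence, then files ---
if ($svc) {
    Stop-Service -Name $svcName -Force -ErrorAction SilentlyContinue
    & sc.exe delete $svcName | Out-Null
}
foreach ($p in $procs) { Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue }
Remove-ItemProperty -Path $runKey -Name firefox -ErrorAction SilentlyContinue

# irc:/ChatFile handlers: remove only when they point at the dropped client,
# so a legitimately installed IRC client keeps its associations.
foreach ($k in 'HKLM:\SOFTWARE\Classes\irc', 'HKLM:\SOFTWARE\Classes\ChatFile') {
    $cmd = (Get-ItemProperty -Path "$k\Shell\open\command" -ErrorAction SilentlyContinue).'(default)'
    if ($cmd -and $cmd -like $marker) { Remove-Item -Path $k -Recurse -Force -ErrorAction SilentlyContinue }
}
foreach ($k in 'HKLM:\SOFTWARE\Classes\.cha', 'HKLM:\SOFTWARE\Classes\.chat') {
    if ((Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).'(default)' -eq 'ChatFile') {
        Remove-Item -Path $k -Force -ErrorAction SilentlyContinue
    }
}
$unin    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC'
$uninStr = (Get-ItemProperty -Path $unin -ErrorAction SilentlyContinue).UninstallString
if ($uninStr -and $uninStr -like $marker) { Remove-Item -Path $unin -Recurse -Force -ErrorAction SilentlyContinue }

# Per-user traces (HKCU of the account running this script; repeat for other profiles)
Remove-Item -Path 'HKCU:\Software\mIRC' -Recurse -Force -ErrorAction SilentlyContinue
Remove-ItemProperty -Path 'HKCU:\Software\WinRAR SFX' -Name 'C%%Windows%temp%history' -ErrorAction SilentlyContinue

# Dropped files: the whole directory, including download\, logs\ and sounds\
Remove-Item -Path $dropDir -Recurse -Force -ErrorAction SilentlyContinue
Write-Host 'Removal done. Reboot and run the script again to confirm nothing came back.'
```

Three things to keep in mind when using it. HKCU: is the hive of the account running the elevated shell, so the per-user mIRC and WinRAR SFX traces of other profiles have to be cleaned from each of those accounts (or by loading their NTUSER.DAT). The connection check lists every established session on TCP/6667 or to the two hosts but cannot tie them to a PID; if it fires while no firefox.exe is found, look for a differently named client. The Microsoft Agent values are deliberately left alone, since they carry no persistence.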

c. How to remove these trojans instantly?

Manual removal is error-prone and is not recommended unless you are experienced with the registry and with Windows services. The easier route is to install a reliable anti-malware scanner. To detect and remove threats quickly we suggest Malwarebytes' Anti-Malware, an anti-malware application that can thoroughly remove even advanced malware and includes a protection monitor that blocks malicious processes before they start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm to download it. Whichever route you take, remember that this backdoor gave its operator full control of the machine: after clean-up, change any passwords used from it and consider rebuilding the system rather than trusting it.


4. Appendix

For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm
