Win32/Mangzamel [Threat Name]
Win32/Mangzamel.F [Threat Variant Name]
|Detection created|Jun 10, 2015|
|Signature database version|11764|
The trojan serves as a backdoor. It can be controlled remotely. It uses techniques common for rootkits.
The trojan is probably a part of other malware.
The trojan does not create any copies of itself.
The trojan creates the following file:
- %system%\drivers\LDSUpDvr.sys (15488 B)
The trojan registers itself as a system service using the following name:
The following Registry entries are created:
- "%malwarefilepath%" = "%malwarefilepath%:*:Enabled:Dcom Service Checker Service"
This Registry entry creates an exception for the trojan in the Windows Firewall.
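The firewall exception above is a persistent, auditable artifact. The following PowerShell script is an added defender-side example, not part of the ESET description: it enumerates the application exceptions that Windows Firewall stores in the Registry, parses each value in the "path:scope:state:name" form shown above, and flags entries whose executable is missing from disk or carries no valid Authenticode signature. It assumes the classic (XP/2003-era) firewall policy key path under `HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy`, which the page does not name.

```powershell
# Added audit script (assumption: classic Windows Firewall policy key layout).
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$profiles = 'StandardProfile', 'DomainProfile'

# Value format: "<path>:<scope>:<Enabled|Disabled>:<display name>".
# The path itself contains a colon (drive letter), so anchor on the state field.
$valuePattern = '^(?<path>.+?):(?<scope>[^:]*):(?<state>Enabled|Disabled):(?<name>.*)$'

function Get-FirewallAppException {
    foreach ($profile in $profiles) {
        $key = Join-Path $base "$profile\AuthorizedApplications\List"
        if (-not (Test-Path $key)) { continue }

        $props = (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' }   # skip provider metadata

        foreach ($prop in $props) {
            if ($prop.Value -notmatch $valuePattern) { continue }

            # Expand %SystemRoot% style variables before touching the file system.
            $exe = [Environment]::ExpandEnvironmentVariables($Matches.path)
            $reasons = @()

            if (-not (Test-Path -LiteralPath $exe)) {
                $reasons += 'file missing'
            } else {
                $sig = Get-AuthenticodeSignature -FilePath $exe
                if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
            }

            [pscustomobject]@{
                Profile     = $profile
                Path        = $exe
                Scope       = $Matches.scope
                State       = $Matches.state
                DisplayName = $Matches.name
                Suspicious  = ($reasons -join '; ')
            }
        }
    }
}

# Show every exception, suspicious ones first, so an analyst can review them.
Get-FirewallAppException |
    Sort-Object { $_.Suspicious -eq '' }, Path |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the host under investigation. An unsigned or missing executable in this list is not proof of compromise by itself, but a generic display name such as the one shown above combined with an unsigned binary is the kind of entry that deserves a closer look.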
The following information is collected:
- computer name
- operating system version
- computer IP address
- memory status
- list of disk devices and their type
- list of files/folders on a specific drive
The trojan attempts to send gathered information to a remote machine.
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a URL address. The TCP protocol is used in the communication.
It may perform the following actions:
- connect to a specific port on remote computers
- open ports
- set up a proxy server
- download files from a remote computer and/or the Internet
- send files to a remote computer
- run executable files
- delete files
- shut down/restart the computer
- send the list of files on a specific drive to a remote computer
- send gathered information
The trojan hooks the following Windows APIs:
- ZwOpenProcess (ntoskrnl.exe)
- ZwQueryDirectoryFile (ntoskrnl.exe)
- ZwDeviceIoControlFile (ntoskrnl.exe)
- ZwQuerySystemInformation (ntoskrnl.exe)
The trojan keeps various information in the following Registry key: