Win32/Mangzamel [Threat Name]

Win32/Mangzamel.F [Threat Variant Name]

Category trojan
Size 270336 B
Detection created Jun 10, 2015
Signature database version 11764
Short description

The trojan serves as a backdoor. It can be controlled remotely. It uses techniques commonly employed by rootkits.

Installation

The trojan is probably a part of other malware.


The trojan does not create any copies of itself.


The trojan creates the following file:

  • %system%\drivers\LDSUpDvr.sys (15488 B)

The trojan registers itself as a system service using the following name:

  • DCOMCheck

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    • "%malwarefilepath%" = "%malwarefilepath%:*:Enabled:Dcom Service Checker Service"

This Registry entry adds the trojan's executable to the list of applications authorized by the Windows Firewall, creating an exception for it.

Information stealing

The following information is collected:

  • computer name
  • operating system version
  • computer IP address
  • locale
  • memory status
  • list of disk devices and their type
  • list of files/folders on a specific drive

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a URL address. The TCP protocol is used in the communication.


It may perform the following actions:

  • connect to remote computers on a specific port
  • open ports
  • set up a proxy server
  • download files from a remote computer and/or the Internet
  • send files to a remote computer
  • run executable files
  • delete files
  • shut down/restart the computer
  • send the list of files on a specific drive to a remote computer
  • send gathered information

The trojan hooks the following Windows APIs:

  • ZwOpenProcess (ntoskrnl.exe)
  • ZwQueryDirectoryFile (ntoskrnl.exe)
  • ZwDeviceIoControlFile (ntoskrnl.exe)
  • ZwQuerySystemInformation (ntoskrnl.exe)

The trojan keeps various information in the following Registry key:

  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DCOMCheck\parameters\jon]
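The following PowerShell script is an added example, not part of this description, that checks a host for the persistence artifacts listed above (the dropped driver, the DCOMCheck service and its data-store subkey, and the Windows Firewall exception). It assumes an elevated PowerShell session on the host under review and resolves %system% as $env:SystemRoot\System32; it only reports findings and changes nothing.

```powershell
# Added hunting check for Win32/Mangzamel.F artifacts (assumption: run elevated;
# %system% is taken to be $env:SystemRoot\System32). Reports only, modifies nothing.

$findings = @()

# 1. Dropped kernel driver
$driver = Join-Path $env:SystemRoot 'System32\drivers\LDSUpDvr.sys'
if (Test-Path -LiteralPath $driver) {
    $size = (Get-Item -LiteralPath $driver).Length
    $findings += "Driver present: $driver ($size B)"
}

# 2. Service registered under the name DCOMCheck, plus its parameters\jon data store
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DCOMCheck'
if (Test-Path -LiteralPath $svcKey) {
    $img = (Get-ItemProperty -LiteralPath $svcKey -ErrorAction SilentlyContinue).ImagePath
    $findings += "Service key present: $svcKey (ImagePath: $img)"
    if (Test-Path -LiteralPath "$svcKey\parameters\jon") {
        $findings += "Data store subkey present: $svcKey\parameters\jon"
    }
}

# 3. Firewall exception: any authorized-application value carrying the display
#    name used by the trojan ("Dcom Service Checker Service")
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy' +
         '\StandardProfile\AuthorizedApplications\List'
if (Test-Path -LiteralPath $fwKey) {
    $props = Get-ItemProperty -LiteralPath $fwKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -like '*Dcom Service Checker Service*') {
            $findings += "Firewall exception: $($p.Name) = $($p.Value)"
        }
    }
}

if ($findings.Count -eq 0) {
    'No Win32/Mangzamel.F persistence artifacts found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

Because the driver hooks ZwQueryDirectoryFile and ZwQuerySystemInformation on a live system, a clean result from the file and service checks is only trustworthy when the host is examined offline or the Registry hive is read from another system.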
