Win32/Zehbilas [Threat Name] go to Threat

Win32/Zehbilas.A [Threat Variant Name]

Category worm
Size 57344 B
Aliases Trojan-Dropper.Win32.Drooptroop.jlx (Kaspersky)
  VirTool:Win32/Obfuscator.KH (Microsoft)
  TROJ_IRCBOT.DAQ (TrendMicro)
Short description

Win32/Zehbilas.A is a worm that spreads via IM networks. The worm contains a backdoor. It can be controlled remotely. The file is run-time compressed using UPX .

Installation

When executed, the worm copies itself into the following location:

  • %appdata%\­Microsoft-Update-Service-2568-6479-5400\­winrsnmgr.exe (57344 B)

The %appdata%\Microsoft-Update-Service-2568-6479-5400\ folder may have the System (S) and Hidden (H) attributes set in attempt to hide the folder in Windows Explorer.


In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer\­Run]
    • "WindowsLiveUpdateServices" = "%appdata%\­Microsoft-Update-Service-2568-6479-5400\­winrsnmgr.exe"

The following Registry entry is set:

  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­SharedAccess\­Parameters\­FirewallPolicy\­StandardProfile\­AuthorizedApplications\­List]
    • "%appdata%\­Microsoft-Update-Service-2568-6479-5400\­winrsnmgr.exe" = "%appdata%\­Microsoft-Update-Service-2568-6479-5400\­winrsnmgr.exe:*:Enabled:WindowsLiveUpdateServices"

The performed data entry creates an exception in the Windows Firewall program.

Spreading via IM networks

The worm sends links to Xfire Gaming Instant Messenger, Google Talk, ICQ, Paltalk, Trition, MSN Messenger users.


The message contains a URL link to a website containing malware.


If the link is clicked a copy of the worm is downloaded.


The messages may contain any of the following texts:

  • I'm never going to take picture of myself again! They always turn out like this.
  • Tell me what you think of this picture I edited. Thanks!
  • This is the funniest photo ever! What do you think?
  • Tell me what you think of this photo of me?
  • I just got a new hair cut! Tell me what you think?
  • I don't think I will ever sleep again after seeing this photo! Take a look.
  • I cant believe I still have this picture of you from last winter. Do you remember it?
  • Should I make this my default picture? Or does it look too evil?
  • My parents are going to kill me, if they find this picture. But does it look bad?
  • das foto solltest du wirklich sehen :D
  • hahaha schau mal das foto an :D
  • Kennst du das Foto schon?
  • unglaublich was leute für fotos von sich machen schau mal
  • wie findest du dieses foto :D
  • ich hoffe dieses bild werden meine eltern niemals finden
  • hab neue haare, wie schaut ich nun aus? bitte ehrlich sein!
  • wie findest du mein neues foto?
  • wie ich die alte zeiten vermisse..
  • ich hoffe ich werde nicht so aussehen in 10 jahren :(
  • wie findest du das foto
  • mira esta foto :D
  • bekijk deze foto :D
  • olhar para esta foto :D
  • se på dette bildet :D
  • kil baxmaq
  • uita-te la aceasta fotografie :D
  • katso tätä kuvaa :D
  • spojrzec na to zdjecie :D
  • podívejte se na mou fotku :D
  • ser på dette billede :D
  • nézd meg a képet :D
  • pozrite sa na túto fotografiu :D
  • titta på denna bild :D
  • poglej to fotografijo :D
  • pogledaj to slike :D
  • bu resmi bakmak :D
  • Guardi questa foto :D
  • regardez cette photo :D
  • pazvelgti i si vaizda
  • nhìn vào hình
Other information

The worm connects to the following addresses:

  • x1x4x0.net
  • winhostmanager.net
  • winupdatecontol.net

The IRC protocol is used.


The worm can download and execute a file from the Internet.


The file is stored in the following location:

  • %userprofile%\­%random%.exe

The file is then executed.


The %random% represents a random number.


The worm can create and run a new thread with its own program code within the following processes:

  • regedit.exe
  • taskmgr.exe

Please enable Javascript to ensure correct displaying of this content and refresh this page.