Backdoor.Zinx

Discovered: November 10, 2003
Updated: November 10, 2003 8:51:27 PM
Systems Affected: Windows

Backdoor.Zinx is a trojan program that allows a compromised system to be used as a proxy. It also sends system information to the remote attacker.

Backdoor.Zinx allows a compromised system to be used as an HTTP proxy. The trojan is typically received as an HTML file containing malicious VBScript code. When the HTML file is opened in a web browser, it will drop and execute the file q.vbs on the system. This file in turn drops and executes the file x.exe. This file is a copy of Trojan.KillAV.C (MCID 2212).

Next, q.vbs will download and execute q.exe from a remote website. This then creates and executes the following files:
%Windir%\5845.exe
%Windir%\msreg.exe
%System%\svchostc.exe
%System%\svchosts.exe

The following registry entries are created so that the trojan is executed every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"msreg.exe"="%Windir%\msrege.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"putil"="%Windir%\5845.exe"

The trojan downloads configuration information from predetermined websites and runs the files svchostc.exe and svchosts.exe using this information. By default, svchostc.exe listens on TCP port 14728 and svchosts.exe listens on TCP port 24759.
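As an added example (not part of the original write-up), a small Python triage check that matches Run-key entries and `netstat -ano` output against the file names, Run value names and listening ports listed above; the sample entries and netstat rows are constructed, and the script reads them from variables rather than from a live host.

```python
import ntpath
import re

# Indicators transcribed from the Backdoor.Zinx write-up above.
ZINX_FILES = {"5845.exe", "msreg.exe", "msrege.exe", "svchostc.exe",
              "svchosts.exe", "q.vbs", "q.exe", "x.exe"}
ZINX_RUN_VALUES = {"msreg.exe", "putil"}   # value names under ...\CurrentVersion\Run
ZINX_PORTS = {14728, 24759}                # default proxy listeners

# One row of Windows `netstat -ano` output for a listening TCP socket, e.g.
#   TCP    0.0.0.0:14728    0.0.0.0:0    LISTENING    1412
NETSTAT_ROW = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

def check_run_entries(entries):
    """Flag Run-key entries whose value name or target file matches Zinx.
    `entries` is a list of (hive, value_name, data) tuples."""
    hits = []
    for hive, name, data in entries:
        target = ntpath.basename(data.strip('"')).lower()
        # Exact basename match: the legitimate svchost.exe must not be
        # confused with the trojan's svchostc.exe / svchosts.exe.
        if name.lower() in ZINX_RUN_VALUES or target in ZINX_FILES:
            hits.append(f"{hive}\\...\\Run\\{name} -> {data}")
    return hits

def check_listeners(netstat_output):
    """Return (port, pid) pairs for sockets listening on the trojan's ports."""
    hits = []
    for line in netstat_output.splitlines():
        m = NETSTAT_ROW.match(line)
        if m and int(m.group(1)) in ZINX_PORTS:
            hits.append((int(m.group(1)), int(m.group(2))))
    return hits

# Constructed sample data (hypothetical host, not real capture).
SAMPLE_RUN = [
    ("HKLM", "ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("HKLM", "msreg.exe", r"C:\WINDOWS\msrege.exe"),
    ("HKCU", "putil", r"C:\WINDOWS\5845.exe"),
]
SAMPLE_NETSTAT = """
  TCP    0.0.0.0:135      0.0.0.0:0      LISTENING    880
  TCP    0.0.0.0:14728    0.0.0.0:0      LISTENING    1412
  TCP    0.0.0.0:24759    0.0.0.0:0      LISTENING    1420
  TCP    10.0.0.5:49712   10.0.0.9:443   ESTABLISHED  2210
"""

if __name__ == "__main__":
    for hit in check_run_entries(SAMPLE_RUN):
        print("ZINX indicator (registry):", hit)
    for port, pid in check_listeners(SAMPLE_NETSTAT):
        print(f"ZINX indicator (network): port {port} listening, pid {pid}")
```

On a real host the two inputs would come from `reg query` of both Run keys and from `netstat -ano`; a hit on the ports alone warrants checking which process owns the PID.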

The trojan then connects to a remote SMTP server and sends an email message to a hardcoded address containing the following information:
Operating system version
Registered user name
Organization name
AIM user accounts
ICQ accounts
Trillian accounts
Ghisler Windows Commander and Total Commander information
SMTP and POP email accounts and passwords