
System Infected: Trojan.Zefarch Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects Trojan.Zefarch activity on a compromised computer.

Additional Information

When executed, the Trojan copies itself as the following file:
%Windir%\[RANDOM CHARACTERS].dll

It may also create the following files:

%UserProfile%\Application Data\Mozilla\Firefox\Extensions\chrome.manifest
%UserProfile%\Application Data\Mozilla\Firefox\Extensions\install.rdf
%UserProfile%\Application Data\Mozilla\Firefox\Extensions\chrome\content\_cfg.js
%UserProfile%\Application Data\Mozilla\Firefox\Extensions\chrome\content\c.js
%UserProfile%\Application Data\Mozilla\Firefox\Extensions\chrome\content\overlay.xul


It then creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "rundll32.exe "%Windir%\[RANDOM CHARACTERS].dll",e"

Note: The threat monitors the above registry value and will recreate it if it is modified or deleted. Deleting the value while the rundll32.exe process hosting the DLL is still running is therefore not sufficient; terminate that process (or remediate from Safe Mode or an offline boot) before removing the Run value and the DLL.
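The two persistence artifacts above (a rundll32.exe Run value pointing at a DLL dropped directly in %Windir% with a one-letter export, and the Firefox extension files) are easy to triage from a registry export and a directory listing. The following is an added example, not Symantec's detection logic: it parses Run values such as those returned by `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`, flags the Zefarch pattern, and checks a Firefox profile listing for the dropped files. The Windows directory is an assumed parameter (default `C:\Windows`), and the sample Run values and file listing are constructed for illustration.

```python
"""Triage helper for the Trojan.Zefarch persistence pattern (example code, not Symantec's).

Input: (value_name, command_line) pairs from HKLM\...\CurrentVersion\Run, e.g. from a
`reg query` or a hive export, plus relative paths found under ...\Mozilla\Firefox.
"""
import ntpath
import re

# rundll32.exe "<dll path>",<entry point>  (rundll32 bare or with a full path; quotes optional)
RUNDLL32_RE = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+'   # rundll32.exe, bare or with a path
    r'"?(?P<dll>[^",]+?)"?\s*,\s*'                   # DLL path, then the comma
    r'(?P<entry>[^\s,]+)',                           # export name or #ordinal
    re.IGNORECASE,
)

# Files the advisory lists under %UserProfile%\Application Data\Mozilla\Firefox\
ZEFARCH_FIREFOX_FILES = (
    r"Extensions\chrome.manifest",
    r"Extensions\install.rdf",
    r"Extensions\chrome\content\_cfg.js",
    r"Extensions\chrome\content\c.js",
    r"Extensions\chrome\content\overlay.xul",
)

# Constructed sample Run values: two benign entries, one Zefarch-style entry, one other rundll32 use.
SAMPLE_RUN_VALUES = [
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    ("ctfmon", r"C:\Windows\System32\ctfmon.exe"),
    ("xkqzpw", r'rundll32.exe "%Windir%\xkqzpw.dll",e'),
    ("Updater", r'rundll32.exe "C:\Program Files\Vendor\lib.dll",Install'),
]


def expand_windir(path, windir):
    """Expand the %Windir% / %SystemRoot% forms that appear in registry data and advisories."""
    return re.sub(r"%(?:windir|systemroot)%", lambda _m: windir, path, flags=re.IGNORECASE)


def classify_run_value(name, command, windir=r"C:\Windows"):
    """Return findings for one Run value, or None if it is not a rundll32 launch."""
    m = RUNDLL32_RE.match(command)
    if not m:
        return None
    dll = expand_windir(m.group("dll"), windir)
    entry = m.group("entry")
    indicators = []
    # Legitimate DLLs launched via rundll32 live under System32/SysWOW64, not in %Windir% itself.
    if ntpath.normpath(ntpath.dirname(dll)).lower() == ntpath.normpath(windir).lower():
        indicators.append("dll_directly_in_windir")
    # Zefarch's Run value calls a single-letter export, "e".
    if entry.lower() == "e":
        indicators.append("single_letter_export")
    return {
        "name": name,
        "dll": dll,
        "entry": entry,
        "indicators": indicators,
        "zefarch_like": len(indicators) == 2,
    }


def scan_run_values(values, windir=r"C:\Windows"):
    """Return only the Run values that match both Zefarch indicators."""
    results = (classify_run_value(n, c, windir) for n, c in values)
    return [r for r in results if r and r["zefarch_like"]]


def firefox_artifacts_present(profile_listing):
    """Given relative paths found under ...\Mozilla\Firefox, return the Zefarch files present."""
    found = {p.replace("/", "\\").lower() for p in profile_listing}
    return [f for f in ZEFARCH_FIREFOX_FILES if f.lower() in found]


if __name__ == "__main__":
    for hit in scan_run_values(SAMPLE_RUN_VALUES):
        print(f"suspicious Run value {hit['name']!r}: {hit['dll']} export {hit['entry']} "
              f"({', '.join(hit['indicators'])})")
    # Constructed listing standing in for a walk of the Firefox profile directory.
    sample_listing = [r"profiles.ini", r"Extensions\install.rdf", r"extensions/chrome/content/c.js"]
    print("Firefox artifacts present:", firefox_artifacts_present(sample_listing))
```

The DLL-in-%Windir% check is the stronger of the two indicators; the single-letter export alone will also match some legitimate installers, so treat a match on both as the signal and confirm by hashing the DLL before removing it.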

Affected

  • Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP