
Backdoor.Zemra

Posted: June 28, 2012

Threat Metric

Threat Level: 2/10
Infected PCs: 24
First Seen: June 28, 2012
OS(es) Affected: Windows

Backdoor.Zemra is a Trojan that opens a back door to receive commands from a remote command-and-control (C&C) server and drops more files onto the infected computer. Once executed, Backdoor.Zemra creates a few files on the compromised PC and modifies or deletes several others. Backdoor.Zemra creates several registry entries so that it runs automatically every time Windows starts. Backdoor.Zemra also creates a registry entry that adds itself to the list of programs authorized by the Windows Firewall. Backdoor.Zemra creates the mutex 'Global\CLR_RESERVED_MUTEX_NAME' to ensure that only one copy of itself runs at a time. Backdoor.Zemra sends system information, including the OS version, language and computer name, to a remote location.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created on the system:

%Program Files%\Common Files\lsmass.exe
    File type: Executable File
    Mime Type: unknown/exe
    Group: Malware file

%UserProfile%\Application Data\wscntfy.exe
    File type: Executable File
    Mime Type: unknown/exe
    Group: Malware file

%UserProfile%\Application Data\Microsoft\CryptnetUrlCache\Content\[THREAT FILE NAME]
    Group: Malware file

%UserProfile%\Application Data\Microsoft\CryptnetUrlCache\MetaData\[THREAT FILE NAME]
    Group: Malware file

Registry Modifications

The following registry values are created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Windows-Audio Driver" = "%UserProfile%\Application Data\wscntfy.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"Windows-Network Component" = "%Program Files%\Common Files\lsmass.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\"%UserProfile%\Application Data\wscntfy.exe" = "%UserProfile%\Application Data\wscntfy.exe:*:Enabled:Windows-Audio Driver"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CLSID}\"IsInstalled" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Hidden" = "2"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"EnableLUA" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"EnableBalloonTips" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CLSID}\"StubPath" = "%UserProfile%\Application Data\wscntfy.exe -r"
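As an added example that is not part of this threat entry, the Python script below parses a Windows .reg export (such as one pulled from a triage image) and flags the Run-key persistence, firewall exception, Active Setup StubPath and UAC/Explorer settings listed above. The sample export is constructed; the user path and the CLSID in it are placeholders.

```python
import re
# Indicators copied from the registry list above, lower-cased for case-insensitive matching.
CV = r"hkey_local_machine\software\microsoft\windows\currentversion"
INDICATORS = {  # (key, value name) -> data that must match, or None for any data
    (CV + r"\run", "windows-audio driver"): None,
    (CV + r"\policies\explorer\run", "windows-network component"): None,
    (CV + r"\policies\system", "enablelua"): "0",  # UAC switched off
    (CV + r"\explorer\advanced", "hidden"): "2",  # hidden files not shown in Explorer
    (CV + r"\explorer\advanced", "enableballoontips"): "0",
}
FIREWALL = r"hkey_local_machine\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list"
ACTIVE_SETUP = r"hkey_local_machine\software\microsoft\active setup\installed components"
DROPPED = ("wscntfy.exe", "lsmass.exe")  # file names the page lists as dropped
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(?:"((?:[^"\\]|\\.)*)"|dword:([0-9a-f]{8}))$', re.I)
def unescape(s): return s.replace('\\"', '"').replace("\\\\", "\\")  # .reg string escapes

def parse_reg(text):  # -> {key: {value name: data}}; string and dword values only
    keys, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := VALUE_RE.match(line)):
            current[unescape(m[1])] = unescape(m[2]) if m[2] is not None else str(int(m[3], 16))
    return keys

def find_zemra_indicators(reg_text):  # -> [(key, value name, data), ...] for matching entries
    hits = []
    for key, values in parse_reg(reg_text).items():
        k = key.lower()
        for name, data in values.items():
            n = name.lower()
            if (k, n) in INDICATORS and INDICATORS[(k, n)] in (None, data):
                hits.append((key, name, data))  # exact key/value pair from the page
            elif k == FIREWALL and n.endswith(DROPPED):
                hits.append((key, name, data))  # firewall exception for a dropped file
            elif k.startswith(ACTIVE_SETUP) and n == "stubpath" and any(d in data.lower() for d in DROPPED):
                hits.append((key, name, data))  # Active Setup re-launching a dropped file
    return hits

# Constructed sample export (not a real capture); the user path and the CLSID are placeholders.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Windows-Audio Driver"="C:\\Documents and Settings\\user\\Application Data\\wscntfy.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\user\\Application Data\\wscntfy.exe"="C:\\Documents and Settings\\user\\Application Data\\wscntfy.exe:*:Enabled:Windows-Audio Driver"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{PLACEHOLDER-CLSID}]
"StubPath"="C:\\Documents and Settings\\user\\Application Data\\wscntfy.exe -r"
'''
```

IsInstalled = 1 is deliberately not matched on its own, since every legitimate Active Setup component sets it; the StubPath check covers that entry.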