
Backdoor.Zemra

By JubileeX in Backdoors

Backdoor.Zemra is a Trojan that opens a back door on the compromised computer, takes commands from a remote command-and-control (C&C) server and downloads additional files onto the machine. When run, Backdoor.Zemra drops several files on the infected system and modifies or deletes others. It adds registry entries so that it is loaded automatically every time Windows starts, and a further entry that places it on the Windows Firewall's list of authorized applications so that the firewall does not block its connections. It creates the mutex 'Global\CLR_RESERVED_MUTEX_NAME' to ensure that only one copy of itself runs at a time. Backdoor.Zemra sends system information, including the operating system version, language and computer name, to a remote location.

File System Details

Backdoor.Zemra may create the following file(s):
1. %UserProfile%\Application Data\wscntfy.exe
2. %Program Files%\Common Files\lsmass.exe
3. %UserProfile%\Application Data\Microsoft\CryptnetUrlCache\MetaData\[THREAT FILE NAME]
4. %UserProfile%\Application Data\Microsoft\CryptnetUrlCache\Content\[THREAT FILE NAME]

The dropped names are chosen to blend in: wscntfy.exe is the name of the legitimate Windows Security Center notification program, which lives in %SystemRoot%\system32, not in a user's Application Data folder, and lsmass.exe is a near-copy of lsass.exe. The CryptnetUrlCache folders are normally written only by CryptoAPI when it fetches certificate revocation data, so executable content there is out of place.

Registry Details

Backdoor.Zemra may create the following registry entry or registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Windows-Audio Driver" = "%UserProfile%\Application Data\wscntfy.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"Windows-Network Component" = "%Program Files%\Common Files\lsmass.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CLSID}\"StubPath" = "%UserProfile%\Application Data\wscntfy.exe -r"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CLSID}\"IsInstalled" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\"%UserProfile%\Application Data\wscntfy.exe" = "%UserProfile%\Application Data\wscntfy.exe:*:Enabled:Windows-Audio Driver"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"EnableLUA" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Hidden" = "2"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"EnableBalloonTips" = "0"

The first four entries are persistence: the Run and policies\Explorer\Run values start the dropped executables at logon, and the Active Setup StubPath value is run once for each user profile as long as IsInstalled is 1 (the {CLSID} is a placeholder; the page does not give the actual GUID). The AuthorizedApplications entry exempts wscntfy.exe from the Windows Firewall. The last three weaken the host: EnableLUA = 0 turns off User Account Control (effective after the next reboot), Hidden = 2 tells Explorer not to display hidden files, and EnableBalloonTips = 0 suppresses the notification-area balloons that would otherwise warn the user about the changed security settings.
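The following host sweep is an added example, not code from this page or from any vendor's detection engine. It checks a Windows machine for the file, registry, firewall and mutex artifacts listed above. The indicator values are taken from the page; the script structure, the use of %APPDATA% for the XP-era "%UserProfile%\Application Data" path, the StandardProfile firewall check and the "PE file in CryptnetUrlCache" heuristic are my assumptions.

```powershell
# Added example (not from the original page): sweep a Windows host for the
# Backdoor.Zemra artifacts listed above. Indicator values come from the page;
# the layout, the %APPDATA% path mapping, the StandardProfile check and the
# CryptnetUrlCache heuristic are assumptions. Run from an elevated prompt.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped files. "%UserProfile%\Application Data" is the XP-era name of the
#    folder that later Windows exposes as %APPDATA%.
$filePaths = @(
    (Join-Path $env:APPDATA 'wscntfy.exe'),
    (Join-Path $env:ProgramFiles 'Common Files\lsmass.exe'),
    (Join-Path $env:CommonProgramFiles 'lsmass.exe')
)
foreach ($p in ($filePaths | Sort-Object -Unique)) {
    if (Test-Path -LiteralPath $p -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $findings.Add("file present: $p (SHA256 $hash)")
    }
}

# 2. The page says the payload is also written under CryptnetUrlCache with a
#    name it does not give. That cache normally holds CRL/CTL blobs fetched by
#    CryptoAPI, so a PE image (MZ header) there is a heuristic hit (my
#    heuristic, not the page's).
foreach ($sub in 'MetaData', 'Content') {
    $dir = Join-Path $env:APPDATA "Microsoft\CryptnetUrlCache\$sub"
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    foreach ($f in Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue) {
        $bytes = [System.IO.File]::ReadAllBytes($f.FullName)
        if ($bytes.Length -ge 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A) {
            $findings.Add("PE file in CryptnetUrlCache: $($f.FullName)")
        }
    }
}

# 3. Persistence and hardening values exactly as listed on the page. For the
#    entries with a Bad value, only that value counts as a hit.
$regChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';                  Name = 'Windows-Audio Driver' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'; Name = 'Windows-Network Component' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';       Name = 'EnableLUA';         Bad = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced';     Name = 'Hidden';            Bad = 2 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced';     Name = 'EnableBalloonTips'; Bad = 0 }
)
foreach ($c in $regChecks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    $val = $item.$($c.Name)
    if (-not $c.ContainsKey('Bad') -or [int]$val -eq $c.Bad) {
        $findings.Add("registry: $($c.Path)\$($c.Name) = $val")
    }
}

# 4. Active Setup runs StubPath once per user at logon while IsInstalled is 1.
#    The page gives the CLSID only as a placeholder, so match on the command.
$asRoot = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
foreach ($k in (Get-ChildItem -Path $asRoot -ErrorAction SilentlyContinue)) {
    $stub = (Get-ItemProperty -Path $k.PSPath -Name StubPath -ErrorAction SilentlyContinue).StubPath
    if ($stub -and $stub -match 'wscntfy\.exe') {
        $findings.Add("active setup: $($k.PSChildName) StubPath = $stub")
    }
}

# 5. Windows Firewall authorized-application list (XP/2003 format). The page
#    shows DomainProfile; StandardProfile is checked as well (assumption).
foreach ($fwProfile in 'DomainProfile', 'StandardProfile') {
    $fwKey = "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\$fwProfile\AuthorizedApplications\List"
    $fw = Get-ItemProperty -Path $fwKey -ErrorAction SilentlyContinue
    if ($null -eq $fw) { continue }
    foreach ($prop in $fw.PSObject.Properties) {
        if ($prop.Name -match 'wscntfy\.exe|lsmass\.exe') {
            $findings.Add("firewall exception ($fwProfile): $($prop.Name) = $($prop.Value)")
        }
    }
}

# 6. Mutex. OpenExisting throws WaitHandleCannotBeOpenedException when the name
#    is absent; UnauthorizedAccessException means it exists but belongs to a
#    session we cannot open, which still counts as a hit.
$mutexName = 'Global\CLR_RESERVED_MUTEX_NAME'
try {
    $m = [System.Threading.Mutex]::OpenExisting($mutexName)
    $m.Dispose()
    $findings.Add("mutex present: $mutexName")
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # not present
} catch [System.UnauthorizedAccessException] {
    $findings.Add("mutex present (access denied): $mutexName")
}

if ($findings.Count -eq 0) {
    Write-Output 'No Backdoor.Zemra indicators found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Run it elevated so the HKLM and SYSTEM hives and other users' session objects are readable. A mutex-only hit should be corroborated with the file and registry checks before a host is declared infected, and a hit on the CryptnetUrlCache heuristic needs the flagged file hashed and examined, since that check is a generic anomaly test rather than a Zemra signature.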
