Backdoor.Zemra

Backdoor.Zemra Description

Backdoor.Zemra is a Trojan that opens a back door on the compromised computer, receives commands from a remote command-and-control (C&C) server and downloads additional files onto the affected PC. When executed, Backdoor.Zemra drops several files on the compromised machine and modifies or deletes others. It also creates several registry entries so that it loads automatically whenever Windows starts, and adds a registry entry that places itself in the list of applications authorized by the Windows Firewall, so that its C&C traffic is not blocked. Backdoor.Zemra creates the mutex 'Global\CLR_RESERVED_MUTEX_NAME' to ensure that only one copy of itself is running. It then transmits system information to a remote location, including the operating system version, language and computer name.

Technical Information

Registry Details

Backdoor.Zemra creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Windows-Audio Driver" = "%UserProfile%\Application Data\wscntfy.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"Windows-Network Component" = "%Program Files%\Common Files\lsmass.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CLSID}\"StubPath" = "%UserProfile%\Application Data\wscntfy.exe -r"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CLSID}\"IsInstalled" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\"%UserProfile%\Application Data\wscntfy.exe" = "%UserProfile%\Application Data\wscntfy.exe:*:Enabled:Windows-Audio Driver"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"EnableLUA" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Hidden" = "2"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"EnableBalloonTips" = "0"

The Run entry, the policies\Explorer\Run entry and the Active Setup StubPath entry give the dropped wscntfy.exe and lsmass.exe three separate autostart paths; Active Setup runs the StubPath command at user logon, so the copy must be removed together with the other two or wscntfy.exe -r is started again. The AuthorizedApplications entry whitelists wscntfy.exe in the Windows Firewall (the value format is path:scope:Enabled:name, where "*" is the scope). EnableLUA = 0 disables User Account Control, Hidden = 2 keeps hidden files from being shown in Explorer, and EnableBalloonTips = 0 suppresses the notification balloons that would otherwise alert the user.
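The following script is an added example, not part of the original page and not code from the malware's authors or from any vendor: it turns the registry entries above into hunting rules and runs them over a Windows .reg export. The .reg excerpt embedded in it is constructed for the example (the user profile path and the Active Setup {CLSID} are made up), the firewall rule is widened to every profile rather than only DomainProfile, and the Active Setup rule accepts any CLSID. The mutex check uses the name the page gives and only does anything on Windows.

```python
"""Hunt for the Backdoor.Zemra registry and mutex artefacts listed on this page."""
import re
import sys

# (key regex, value-name regex, data regex, severity, note), all matched case-insensitively.
# Built from the registry list above; the firewall and Active Setup patterns are generalised.
ZEMRA_IOCS = [
    (r"\\Windows\\CurrentVersion\\Run$", r"^Windows-Audio Driver$", r"wscntfy\.exe$",
     "high", "Run-key autostart of the dropped wscntfy.exe"),
    (r"\\CurrentVersion\\policies\\Explorer\\Run$", r"^Windows-Network Component$",
     r"lsmass\.exe$", "high", "policy Run-key autostart of lsmass.exe"),
    (r"\\Active Setup\\Installed Components\\\{[^}]+\}$", r"^StubPath$",
     r"wscntfy\.exe -r$", "high", "Active Setup StubPath re-executes wscntfy.exe at logon"),
    (r"\\FirewallPolicy\\\w+Profile\\AuthorizedApplications\\List$", r"wscntfy\.exe$",
     r":\*:Enabled:", "high", "wscntfy.exe whitelisted in the Windows Firewall"),
    (r"\\CurrentVersion\\policies\\system$", r"^EnableLUA$", r"^0$",
     "medium", "UAC disabled (EnableLUA = 0)"),
    (r"\\CurrentVersion\\Explorer\\Advanced$", r"^Hidden$", r"^2$",
     "low", "hidden files not shown in Explorer (Hidden = 2)"),
    (r"\\CurrentVersion\\Explorer\\Advanced$", r"^EnableBalloonTips$", r"^0$",
     "low", "notification balloons suppressed"),
]

_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    # Undo .reg escaping (\\ -> \ and \" -> ") in one left-to-right pass.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Yield (key, value_name, data_as_str) for the REG_SZ and REG_DWORD values of a .reg file."""
    key = None
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, raw = _unescape(m.group(1)), m.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            data = _unescape(raw[1:-1])
        elif raw.lower().startswith("dword:"):
            data = str(int(raw[6:], 16))
        else:
            data = raw  # hex(...) binary data is left as-is; none of the IOCs need it
        yield key, name, data


def parse_firewall_entry(data):
    """Split the XP-era AuthorizedApplications value 'path:scope:Enabled:name'."""
    parts = data.rsplit(":", 3)
    if len(parts) != 4:
        return None
    path, scope, state, name = parts
    return {"path": path, "scope": scope, "enabled": state.lower() == "enabled", "name": name}


def scan_reg_export(text):
    """Return one finding dict per registry value that matches an indicator."""
    findings = []
    for key, name, data in parse_reg_export(text):
        for key_re, name_re, data_re, severity, note in ZEMRA_IOCS:
            if (re.search(key_re, key, re.I) and re.search(name_re, name, re.I)
                    and re.search(data_re, data, re.I)):
                findings.append({"severity": severity, "note": note,
                                 "key": key, "name": name, "data": data})
    return findings


def check_zemra_mutex():
    """On Windows, report whether the page's mutex is currently held; None on other platforms."""
    if sys.platform != "win32":
        return None
    import ctypes
    k32 = ctypes.windll.kernel32
    k32.OpenMutexW.restype = ctypes.c_void_p
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    SYNCHRONIZE = 0x00100000
    h = k32.OpenMutexW(SYNCHRONIZE, False, "Global\\CLR_RESERVED_MUTEX_NAME")
    if not h:
        return False  # no such mutex: the backdoor is not running
    k32.CloseHandle(h)
    return True


# Constructed .reg excerpt in the shape the entries above take on an XP-era host.
# The profile path and the {CLSID} are made up for this example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Windows-Audio Driver"="C:\\Documents and Settings\\user\\Application Data\\wscntfy.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"Windows-Network Component"="C:\\Program Files\\Common Files\\lsmass.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\user\\Application Data\\wscntfy.exe"="C:\\Documents and Settings\\user\\Application Data\\wscntfy.exe:*:Enabled:Windows-Audio Driver"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{D1E2F3A4-0000-4000-8000-000000000001}]
"StubPath"="C:\\Documents and Settings\\user\\Application Data\\wscntfy.exe -r"
"IsInstalled"=dword:00000001
'''

if __name__ == "__main__":
    for f in scan_reg_export(SAMPLE_REG):
        print(f"[{f['severity']}] {f['note']}: {f['key']}\\{f['name']} = {f['data']}")
    print("mutex present:", check_zemra_mutex())
```

Export the hives with `reg export HKLM hklm.reg` on the suspect host and feed the file to `scan_reg_export`; the low-severity Explorer\Advanced settings are ordinary user preferences and only matter alongside the autostart or firewall hits.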
