Troj/Zapchas-BJ is a multi-component backdoor Trojan that drops the virus W32/Parite-B.
Troj/Zapchas-BJ runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
Troj/Zapchas-BJ includes functionality to access the internet and communicate with a remote server via HTTP.
When Troj/Zapchas-BJ is installed, the following files are created:
<System>\aliases.ini
<System>\control.ini
<System>\fullname.txt
<System>\ident.txt
<System>\mirc.ico
<System>\mirc.ini
<System>\nicks.txt
<System>\popups.txt
<System>\remote.ini
<System>\script.ini
<System>\servers.ini
<System>\sup.bat
<System>\sup.reg
<System>\svchost.exe
<System>\users.ini
<System>\yaddress.ico
The file svchost.exe is a legitimate mIRC application, infected with the virus W32/Parite-B. The file script.ini is a malicious mIRC configuration file and is also detected as Troj/Zapchas-BJ. The other files are harmless.
The following registry entries are set or modified, so that svchost.exe is run when files with extensions of CHA and IRC are opened/launched:
HKCR\ChatFile\Shell\open\command
(default)
<System>\svchost.exe" -noconnect
HKCR\irc\Shell\open\command
(default)
<System>\svchost.exe" -noconnect
Registry entries are set as follows:
HKCR\ChatFile\DefaultIcon
(default)
<System>\svchost.exe
HKCR\irc\DefaultIcon
(default)
<System>\svchost.exe
Registry entries are created under:
HKCU\Software\Microsoft\Microsoft Agent\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC\
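The artefacts listed above can be checked on a host with a short triage script. This is an added example, not part of the original description or any vendor tool. It assumes <System> resolves to the Windows system directory, and the rule used for the final verdict is an assumption chosen for illustration.

```powershell
# Added example: triage a host for the Troj/Zapchas-BJ artefacts described above.
# Assumption: <System> is the Windows system directory reported by .NET.
$sys = [Environment]::SystemDirectory

# Dropped files from the description. svchost.exe is left out of this list because
# a genuine file of that name exists on Windows; it is inspected separately below.
$dropped = 'aliases.ini','control.ini','fullname.txt','ident.txt','mirc.ico',
           'mirc.ini','nicks.txt','popups.txt','remote.ini','script.ini',
           'servers.ini','sup.bat','sup.reg','users.ini','yaddress.ico'
$found = @($dropped | Where-Object { Test-Path -LiteralPath (Join-Path $sys $_) })

# The description says the CHA/IRC open handlers are pointed at svchost.exe -noconnect.
$handlers = 'ChatFile','irc' | ForEach-Object {
    $path = "Registry::HKEY_CLASSES_ROOT\$_\Shell\open\command"
    $key  = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    $cmd  = if ($key) { [string]$key.GetValue('') } else { '' }   # '' reads (default)
    [pscustomobject]@{
        Class      = $_
        Command    = $cmd
        Suspicious = ($cmd -match 'svchost\.exe' -and $cmd -match '-noconnect')
    }
}

# Version metadata of <System>\svchost.exe, for manual comparison: the description
# says the dropped file is an mIRC application, not a Windows component.
$svc = Get-Item -LiteralPath (Join-Path $sys 'svchost.exe') -ErrorAction SilentlyContinue
$svcInfo = if ($svc) {
    '{0} / {1}' -f $svc.VersionInfo.CompanyName, $svc.VersionInfo.FileDescription
} else { 'not present' }

# Verdict rule (assumption): both mIRC config files in the system directory,
# or either handler rewritten as described.
$configHit  = ($found -contains 'mirc.ini') -and ($found -contains 'script.ini')
$handlerHit = @($handlers | Where-Object Suspicious).Count -gt 0

[pscustomobject]@{
    SystemDirectory = $sys
    ListedFilesSeen = '{0} of {1}' -f $found.Count, $dropped.Count
    FilesSeen       = $found -join ', '
    SvchostMetadata = $svcInfo
    HandlerMatches  = ($handlers | Where-Object Suspicious).Class -join ', '
    NeedsReview     = ($configHit -or $handlerHit)
} | Format-List
```

A legitimate mIRC installation also creates the Uninstall\mIRC key and registers the same file classes, so the script keys on mIRC configuration files sitting in the system directory and on handlers that name svchost.exe rather than on the presence of mIRC itself.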