Troj/Zapchas-M

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports


Troj/Zapchas-M is a backdoor Trojan which allows a remote intruder to gain access to, and control over, the infected computer.

Troj/Zapchas-M uses a modified IRC client to provide a Trojan backdoor server. The Trojan is capable of scanning random IP addresses and flooding them with packets.
Troj/Zapchas-M can be commanded to download and run files via the IRC network.

When Troj/Zapchas-M is installed the following files are created:

<System>\astem.as - detected as Troj/Zapchas-M
<System>\bstem.as - detected as Troj/Zapchas-M
<System>\dstem.as - a clean configuration file (safe to remove)
<System>\oystem.er - detected as Troj/Zapchas-M
<System>\securay.exe - a legitimate application to hide windows
<System>\tskdbg.exe - detected as Troj/Zapchas-M
<System>\ugsk.tbx - a clean configuration file (safe to remove)

The following registry entries are created to run the Trojan on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
RVC6Player
<System>\tskdbg.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RVC6Player
<System>\tskdbg.exe

The following registry entries are set so that Troj/Zapchas-M is run whenever a file with the CHA or IRC extension is opened or launched:

HKCR\ChatFile\Shell\open\command
(default)
"<System>\tskdbg.exe"

HKCR\irc\Shell\open\command
(default)
"<System>\tskdbg.exe"

The DefaultIcon entries for the same file types are also pointed at the Trojan executable:

HKCR\ChatFile\DefaultIcon
(default)
"<System>\tskdbg.exe"

HKCR\irc\DefaultIcon
(default)
"<System>\tskdbg.exe"
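As an added, read-only triage check (not part of the Sophos advisory), the following PowerShell script looks for every file and registry artifact listed above. It assumes <System> is %SystemRoot%\System32; it reports the clean configuration files and securay.exe too, since their presence is an indicator of this infection, and hashes anything found so it can be cross-checked against vendor detections.

```powershell
# Added example, not vendor code: read-only check for the Troj/Zapchas-M artifacts
# listed in the advisory. Assumes <System> = %SystemRoot%\System32.
$system = Join-Path $env:SystemRoot 'System32'

# Files named in the advisory (Trojan components, clean configs and the helper exe)
$files = 'astem.as','bstem.as','dstem.as','oystem.er','securay.exe','tskdbg.exe','ugsk.tbx'

# Run keys where the advisory says the RVC6Player value is created
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
# HKCR keys whose (default) value is redirected to tskdbg.exe
$hkcrKeys = @(
    'Registry::HKEY_CLASSES_ROOT\ChatFile\Shell\open\command',
    'Registry::HKEY_CLASSES_ROOT\irc\Shell\open\command',
    'Registry::HKEY_CLASSES_ROOT\ChatFile\DefaultIcon',
    'Registry::HKEY_CLASSES_ROOT\irc\DefaultIcon'
)

$findings = @()

foreach ($name in $files) {
    $path = Join-Path $system $name
    if (Test-Path -LiteralPath $path) {
        # SHA-256 of the file, for cross-checking against vendor detections
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Type = 'File'; Location = $path; Value = $hash }
    }
}

foreach ($key in $runKeys) {
    $val = (Get-ItemProperty -Path $key -Name 'RVC6Player' -ErrorAction SilentlyContinue).RVC6Player
    if ($val) {
        $findings += [pscustomobject]@{ Type = 'Run value'; Location = "$key\RVC6Player"; Value = $val }
    }
}

foreach ($key in $hkcrKeys) {
    # '(default)' is how the provider exposes a key's default value
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if ($val -and $val -match 'tskdbg\.exe') {
        $findings += [pscustomobject]@{ Type = 'Handler'; Location = $key; Value = $val }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Troj/Zapchas-M artifacts from the advisory were found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell session so the HKLM and System32 checks are not hidden by access errors; the script changes nothing, it only reports.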
