W32/Bdoor-ZAR

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Small Number of Reports


W32/Bdoor-ZAR is a network worm with backdoor functionality for the Windows platform.

When first run, the worm copies itself to the system folder as cfg.exe and registers itself as a system service. W32/Bdoor-ZAR remains active whenever Windows is running.

The backdoor component accepts commands from remote users. W32/Bdoor-ZAR can be instructed to perform functions including:

perform filesystem functions (open, delete, execute)
create screen/webcam captures
log keypresses
read/write to the system registry
add/remove network shares
report available drives
play/record sounds (given availability of speakers and microphone)

W32/Bdoor-ZAR can be instructed to spread through networks.

As a result of registering as a service, the following registry entries are created:

HKLM\SYSTEM\CurrentControlSet\Services\cfg
  Type          dword:00000010
  Start         dword:00000002
  ErrorControl  dword:00000000
  ImagePath     <path to EXE> (may be encoded)
  DisplayName   cfg
  ObjectName    LocalSystem

HKLM\SYSTEM\CurrentControlSet\Services\cfg\Security
  Security      <encoded data>

HKLM\System\CurrentControlSet\Enum\Root\LEGACY_CFG
  <Several entries>
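As an added example (not part of the Sophos analysis), the PowerShell audit below checks a host for the service registration described above and reports which of the listed values are present. The key and value names come from this page; the meaning of the Type, Start and ErrorControl numbers follows the Windows Service Control Manager definitions, and the System32 location of cfg.exe is an assumption, since the page only says "the system folder".

```powershell
# Added example: audit a host for the W32/Bdoor-ZAR service registration.
# Returns a list of matched indicators; a match on the generic name "cfg" alone
# is a lead for triage, not proof of infection.
function Get-BdoorZarIndicators {
    param([Parameter(Mandatory)] $ServiceValues)  # object exposing the Services\cfg values
    $hits = @()
    # Values as listed in the analysis; constant names are the SCM definitions.
    if ($ServiceValues.Type -eq 0x10)        { $hits += 'Type=0x10 (SERVICE_WIN32_OWN_PROCESS)' }
    if ($ServiceValues.Start -eq 2)          { $hits += 'Start=2 (SERVICE_AUTO_START)' }
    if ($ServiceValues.ErrorControl -eq 0)   { $hits += 'ErrorControl=0 (SERVICE_ERROR_IGNORE)' }
    if ($ServiceValues.DisplayName -eq 'cfg')         { $hits += 'DisplayName=cfg' }
    if ($ServiceValues.ObjectName -eq 'LocalSystem')  { $hits += 'ObjectName=LocalSystem' }
    # ImagePath may be REG_EXPAND_SZ and, per the analysis, may be encoded:
    # expand what can be expanded and flag anything that is not plainly cfg.exe.
    $image = [Environment]::ExpandEnvironmentVariables([string]$ServiceValues.ImagePath)
    if ($image -match '(?i)\\cfg\.exe') { $hits += "ImagePath references cfg.exe: $image" }
    elseif ($image)                     { $hits += "ImagePath not plainly cfg.exe, inspect manually: $image" }
    return $hits
}

function Invoke-BdoorZarAudit {
    $svcKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\cfg'
    $enumKey = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CFG'
    if (-not (Test-Path $svcKey)) { return @('Services\cfg key not present') }
    $hits = Get-BdoorZarIndicators -ServiceValues (Get-ItemProperty -Path $svcKey)
    if (Test-Path $enumKey) { $hits += 'Enum\Root\LEGACY_CFG key present' }
    # Assumed location of the dropped file; hash it locally for triage, as the
    # analysis publishes no hash.
    $exe = Join-Path $env:SystemRoot 'System32\cfg.exe'
    if (Test-Path $exe) {
        $hash = (Get-FileHash -Algorithm SHA256 -Path $exe).Hash
        $hits += "File present: $exe SHA256=$hash"
    }
    return $hits
}

# Offline self-check on constructed values copied from the analysis (no live registry needed).
$sample = [pscustomobject]@{
    Type = 0x10; Start = 2; ErrorControl = 0
    ImagePath = '%SystemRoot%\System32\cfg.exe'; DisplayName = 'cfg'; ObjectName = 'LocalSystem'
}
Get-BdoorZarIndicators -ServiceValues $sample   # six indicator lines for the sample
Invoke-BdoorZarAudit                            # live check of this host
```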
