Troj/Zapchas-BJ

Please follow the instructions for removing Trojans.

Troj/Zapchas-BJ is a multi-component backdoor Trojan that drops the virus W32/Parite-B.

Troj/Zapchas-BJ runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

Troj/Zapchas-BJ includes functionality to access the internet and communicate with a remote server via HTTP. Troj/Zapchas-BJ is a multi-component backdoor Trojan that drops the virus W32/Parite-B.

Troj/Zapchas-BJ runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

Troj/Zapchas-BJ includes functionality to access the internet and communicate with a remote server via HTTP.

When Troj/Zapchas-BJ is installed the following files are created:

<System>\aliases.ini
<System>\control.ini
<System>\fullname.txt
<System>\ident.txt
<System>\mirc.ico
<System>\mirc.ini
<System>\nicks.txt
<System>\popups.txt
<System>\remote.ini
<System>\script.ini
<System>\servers.ini
<System>\sup.bat
<System>\sup.reg
<System>\svchost.exe
<System>\users.ini
<System>\yaddress.ico

The file svchost.exe is a legitimate mIRC application, infected with the virus W32/Parite-B. The file script.ini is a malicious mIRC configuration file and is also detected as Troj/Zapchas-BJ. The other files are harmless.

The following registry entries are set or modified, so that svchost.exe is run when files with extensions of CHA and IRC are opened/launched:

HKCR\ChatFile\Shell\open\command
(default)
<System>\svchost.exe" -noconnect

HKCR\irc\Shell\open\command
(default)
<System>\svchost.exe" -noconnect

Registry entries are set as follows:

HKCR\ChatFile\DefaultIcon
(default)
<System>\svchost.exe

HKCR\irc\DefaultIcon
(default)
<System>\svchost.exe

Registry entries are created under:

HKCU\Software\Microsoft\Microsoft Agent\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC\