Troj/Zapchas-EC

Category	Viruses and Spyware
Type	Trojan
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


Affected operating systems	Windows
Protection available since	2 June 2008 19:21:58 (GMT)
Detected by	All Sophos products

Free virus scan
Download the Threat Detection Test

Free virus, spyware, and adware scan
Test your existing anti-virus protection
Find threats your anti-virus missed

Action

Summary
Action
More Information

Please follow the instructions for removing Trojans.

More Information

Summary
Action
More Information

When Troj/Zapchas-EC is run mIRC is installed in the <System> folder. The mIRC executable is saved as windir32.exe.

Troj/Zapchas-EC drops the following mIRC script files:

<System>\wmm2re2.dll
<System>\wmm2re3.dll

The files wmm2re2.dll and wmm2re3.dll are both detected as Troj/Zapchas-EC.

The following registry entries are created to run windir32.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
windir32
<System>\windir32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
windir32
<System>\windir32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
windir32
<System>\windir32.exe

The following registry entries are set or modified, so that windir32.exe is run when files with extensions of CHA and IRC are opened/launched:

HKCR\ChatFile\Shell\open\command
(default)
<System>\windir32.exe" -noconnect

HKCR\irc\Shell\open\command
(default)
<System>\windir32.exe" -noconnect

Get reports about the latest virus and spyware threats delivered to your computer

In this section

Troj/Zapchas-EC

Summary

Action

More Information