Summary

| Detected by | All Sophos products |
|---|---|
Action

Please follow the instructions for removing Trojans.
More Information
Troj/Zcrew is a backdoor Trojan that arrives as a self-extracting archive.
Troj/Zcrew propagates over the internet, penetrating NT-based computers with weak username/password combinations.
There are two variants, which drop different files after a successful logon.
Variant 1: drops the following files to winnt\system32:
bootdrv.dll
explorer.exe
iischace.dll
libparse.exe
navdb.dbx
psexec.exe
rcfg.ini
rconnect.conf
rconnect.exe
secure.bat
servudaemon.ini
svchost32.exe
v32driver.bat
web.swf
Variant 2: drops the following files to winnt\web\printers\:
activeX.ocx
bootdrv.dll
explore.DAT
explorer.exe
hidden32.exe
iischace.dll
libparse.exe
navdb.dbx
pirc.ini
psexec.exe
rconnect.conf
rconnect.exe
regkeyadd.bat
regkeyadd.reg
secure.bat
start.bat
str.vxd
svchost32.exe
v32driver.bat
web.swf
and several files in winnt\web\printers\images\www:
mdx.dll
moo.dll
readme.htm
shik.gif
views.mdx
webserv.mrc
Not all of these files are malicious - some are legitimate programs. The remote intruder interacts with the computer via IRC channels.
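
A presence check for the dropped files listed above, as an added example (not Sophos code). It matches by file name only, so a hit is a lead to investigate rather than proof, since some of the listed files are legitimate programs. The names `scan`, `find_dir` and the `MIN_FRACTION` threshold are assumptions made for this example.

```python
import os
import sys

# File names copied from the variant lists above; keys are relative to the winnt directory.
INDICATORS = {
    "variant 1": {
        "system32": "bootdrv.dll explorer.exe iischace.dll libparse.exe navdb.dbx "
                    "psexec.exe rcfg.ini rconnect.conf rconnect.exe secure.bat "
                    "servudaemon.ini svchost32.exe v32driver.bat web.swf"},
    "variant 2": {
        "web/printers": "activeX.ocx bootdrv.dll explore.DAT explorer.exe hidden32.exe "
                        "iischace.dll libparse.exe navdb.dbx pirc.ini psexec.exe "
                        "rconnect.conf rconnect.exe regkeyadd.bat regkeyadd.reg "
                        "secure.bat start.bat str.vxd svchost32.exe v32driver.bat web.swf",
        "web/printers/images/www": "mdx.dll moo.dll readme.htm shik.gif views.mdx webserv.mrc"},
}
MIN_FRACTION = 0.5  # assumed reporting threshold, not from the description


def find_dir(root, rel):
    """Resolve rel under root ignoring case, so mounted disk images work on Linux."""
    path = root
    for part in rel.split("/"):
        entries = os.listdir(path) if os.path.isdir(path) else []
        match = next((e for e in entries if e.lower() == part.lower()), None)
        if match is None:
            return None
        path = os.path.join(path, match)
    return path if os.path.isdir(path) else None


def scan(winnt_root):
    """Return {variant: (found, expected_count, flagged)} for one winnt directory."""
    report = {}
    for variant, dirs in INDICATORS.items():
        found, expected = [], 0
        for rel, names in dirs.items():
            wanted = {n.lower() for n in names.split()}
            expected += len(wanted)
            folder = find_dir(winnt_root, rel)
            if folder:
                found += sorted(f"{rel}/{e}" for e in os.listdir(folder)
                                if e.lower() in wanted)
        report[variant] = (found, expected, len(found) / expected >= MIN_FRACTION)
    return report


if __name__ == "__main__":
    print(scan(sys.argv[1] if len(sys.argv) > 1 else r"C:\winnt"))
```

Pass the path of the winnt directory as the first argument, for example the winnt directory of a mounted disk image.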
