Summary
| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 3 March 2005 20:52:00 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Bdoor-ZAR is a network worm with backdoor functionality for the Windows platform.
When first run, the worm copies itself to the system folder as cfg.exe and registers itself as a system service. W32/Bdoor-ZAR remains active whenever Windows is running.
The backdoor component accepts commands from remote users. W32/Bdoor-ZAR can be instructed to perform functions including:
- perform filesystem functions (open, delete, execute)
- create screen/webcam captures
- log keypresses
- read/write to the system registry
- add/remove network shares
- report available drives
- play/record sounds (given availability of speakers and microphone)
W32/Bdoor-ZAR can be instructed to spread through networks.
As a result of registering as a service, the following registry entries are created:
| Registry key | Value name | Data |
|---|---|---|
| HKLM\SYSTEM\CurrentControlSet\Services\cfg | Type | dword:00000010 |
| HKLM\SYSTEM\CurrentControlSet\Services\cfg | Start | dword:00000002 |
| HKLM\SYSTEM\CurrentControlSet\Services\cfg | ErrorControl | dword:00000000 |
| HKLM\SYSTEM\CurrentControlSet\Services\cfg | ImagePath | <path to EXE> (may be encoded) |
| HKLM\SYSTEM\CurrentControlSet\Services\cfg | DisplayName | cfg |
| HKLM\SYSTEM\CurrentControlSet\Services\cfg | ObjectName | LocalSystem |
| HKLM\SYSTEM\CurrentControlSet\Services\cfg\Security | Security | <encoded data> |
| HKLM\System\CurrentControlSet\Enum\Root\LEGACY_CFG | <Several entries> | |
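The service registration above is what an analyst can check for on a suspect machine or in a registry export taken from one. The following is an added example, not Sophos' own tooling: it parses the subset of the regedit `.reg` export format that such an export uses (including `hex(2)` encoded `ImagePath` data and backslash-continued lines, which is the "may be encoded" case) and reports which of the indicators listed in this advisory are present. The registry export embedded in the script is constructed for the example; the key and value names follow the table above, but the path and the `Security` bytes are made up.

```python
import re
from typing import Dict, List

# Constructed sample of a regedit .reg export reflecting the service
# registration this advisory describes. The path and Security bytes are made
# up; only the key and value names come from the advisory. ImagePath is stored
# as hex(2) (REG_EXPAND_SZ, UTF-16LE) to cover the "may be encoded" case, and
# is wrapped over several lines with "\" as regedit does for long hex data.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cfg]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,\
  5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,63,00,66,00,67,00,\
  2e,00,65,00,78,00,65,00,00,00
"DisplayName"="cfg"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cfg\Security]
"Security"=hex:01,00,14,80

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CFG\0000]
"Service"="cfg"
"""

# Keys are compared upper-cased because the registry is case-insensitive.
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\CFG"
LEGACY_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_CFG"


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of the .reg format produced by regedit exports:
    [key] headers followed by "name"=value lines, where hex data may be
    continued over several lines that end in a backslash.
    Returns {KEY (upper-cased): {value_name: raw_value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    pending = ""
    for raw_line in text.splitlines():
        line = pending + raw_line.strip()
        if line.endswith("\\"):  # continuation: join with the next line
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def decode_value(raw: str) -> str:
    """Turn a raw .reg value into text: quoted strings are unescaped, hex(2)
    (REG_EXPAND_SZ) data is decoded from UTF-16LE, and other types
    (dword:..., hex:...) are returned unchanged."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    if raw.lower().startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        return data.decode("utf-16-le", errors="replace").rstrip("\x00")
    return raw


def find_bdoor_zar_indicators(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Report which of the advisory's service-registration indicators are
    present. A service merely named 'cfg' is weak evidence on its own; the
    combination of an auto-start LocalSystem service whose image is cfg.exe
    in the system folder is what the advisory describes."""
    findings: List[str] = []
    svc = keys.get(SERVICE_KEY)
    if svc is not None:
        findings.append("service key 'cfg' present")
        image = decode_value(svc.get("ImagePath", "")).strip('"').lower()
        if re.search(r"\\system32\\cfg\.exe$", image):
            findings.append("ImagePath is cfg.exe in the system folder: " + image)
        if svc.get("Start", "").lower() == "dword:00000002":
            findings.append("Start=2 (starts automatically with Windows)")
        if decode_value(svc.get("ObjectName", "")) == "LocalSystem":
            findings.append("runs as LocalSystem")
    if any(k.startswith(LEGACY_KEY) for k in keys):
        findings.append("LEGACY_CFG device enum key present")
    return findings


if __name__ == "__main__":
    for finding in find_bdoor_zar_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print("-", finding)
```

To use it on a real system, export `HKLM\SYSTEM\CurrentControlSet` with regedit (or `reg export`) and pass the file contents to `parse_reg_export` instead of the embedded sample; the decoder only handles the string, dword, hex and hex(2) forms, which is all the entries in this advisory use.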
