Virus:DR/Zapchast.AI
Date discovered:04/08/2008
Type:Dropper
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:722.407 Bytes
MD5 checksum:7824396444ea3c178cc677b6de9f49c8
IVDF version:7.00.05.209 - Monday, August 4, 2008

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  Symantec: Backdoor.Trojan
   •  Mcafee: IRC/Flood.gen.dr
   •  Kaspersky: not-a-virus:Client-IRC.Win32.mIRC.601
   •  TrendMicro: Mal_Zap
   •  F-Secure: Backdoor.Win32.mIRC-based
   •  Sophos: Mal/Zapchas-C
   •  Panda: Bck/mIRCBased.BC
   •  Grisoft: IRC/BackDoor.Flood
   •  VirusBuster: Backdoor.MIRC-based.X
   •  Eset: IRC/Cloner.BI trojan
   •  Bitdefender: Trojan.Mirchack.A


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops files
   • Drops malicious files

 Files  It creates the following directories:
   • %recycle bin%\S-1-5-21-606747145-1085031214-725345543-500\
   • %recycle bin%\S-1-5-21-606747145-1085031214-725345543-500\download



The following files are created:

– Non malicious files:
   • %recycle
      bin%\S-1-5-21-606747145-1085031214-725345543-500\aliases.ini;
      %recycle
      bin%\S-1-5-21-606747145-1085031214-725345543-500\control.ini;
      %recycle
      bin%\S-1-5-21-606747145-1085031214-725345543-500\Desktop.ini;
      %recycle
      bin%\S-1-5-21-606747145-1085031214-725345543-500\fullname.txt;
      %recycle
      bin%\S-1-5-21-606747145-1085031214-725345543-500\identd.txt;
      %recycle
      bin%\S-1-5-21-606747145-1085031214-725345543-500\instsrv.exe;
      %recycle bin%\S-1-5-21-606747145-1085031214-725345543-500\mirc.ico;
      %recycle bin%\S-1-5-21-606747145-1085031214-725345543-500\mirc.ini;
      %recycle
      bin%\S-1-5-21-606747145-1085031214-725345543-500\popups.txt;
      %recycle
      bin%\S-1-5-21-606747145-1085031214-725345543-500\remote.ini;
      %recycle
      bin%\S-1-5-21-606747145-1085031214-725345543-500\servers.ini;
      %recycle
      bin%\S-1-5-21-606747145-1085031214-725345543-500\svchost.exe;
      %recycle bin%\S-1-5-21-606747145-1085031214-725345543-500\users.ini

%recycle bin%\S-1-5-21-606747145-1085031214-725345543-500\a.reg Further investigation pointed out that this file is malware, too. Detected as: IRC/Cloner.BI

%recycle bin%\S-1-5-21-606747145-1085031214-725345543-500\csrss.exe Detected as: BDS/mIRC-593262.A

%recycle bin%\S-1-5-21-606747145-1085031214-725345543-500\script.ini Detected as: IRC/Zapchast.AI

%recycle bin%\S-1-5-21-606747145-1085031214-725345543-500\sup.exe Furthermore it gets executed after it was fully created. Detected as: DR/Runner.B

 File details Programming language:
 The malware program was written in MS Visual C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • UPX

Description inserted by Thomas Wegele on Monday, August 11, 2008
Description updated by Philipp Wolf on Monday, August 11, 2008

Back . . . .