Downloader-BN

Type
Trojan
SubType
Downloader
Discovery Date
11/01/2002
Length
13,312 bytes
46,080 bytes (dropper)
Minimum DAT
4232 (11/06/2002)
Updated DAT
4273 (06/25/2003)
Minimum Engine
5.1.00
Description Added
11/04/2002
Description Modified
11/25/2002 7:27 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

A dropper of this trojan is believed to have been spammed to many users. This trojan connects to a geocities.com user's site to retrieve a URL. It then navigates to that URL, passing the infected user's IP address and the string "Second,email_zasil". The trojan copies itself to the WINDOWS (%WinDir%) directory as REGISTRY.EXE and creates a registry run key to load itself at startup:

Windows 9x/ME:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Registry Services" = C:\WINDOWS\REGISTRY.EXE

Windows NT/2000/XP:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "0" = %windir%\registry.exe

An additional key is also created:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\DownloadManager

The trojan is dropped by a file, often named MINENEW.EXE.PIF or MINENEW.MPG.PIF. The dropper extracts a JPG file to the %Temp% folder and opens it. This image is of pornographic nature.

Symptoms

Presence of the file REGISTRY.EXE in the Windows directory (note this filename is not the same as REGEDIT.EXE) with an icon typically associated with the Registry Editor.

As the trojan uses a remote website, the effects of an infection may vary as the site is modified.
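A defender-side check for the persistence indicators listed above (the two run-key values pointing at REGISTRY.EXE and the DownloadManager marker key), as an added example that is not part of the original description: it parses a .reg export offline and reports matches, deliberately treating REGEDIT.EXE as legitimate. The sample export is constructed, not captured from an infected host.

```python
import re

# Indicators from the Downloader-BN description above.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
)
MARKER_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\DownloadManager"
PAYLOAD_NAME = "registry.exe"  # REGEDIT.EXE is legitimate and must not match

def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}} (string data unquoted)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(?:"([^"]*)"|@)=(.*)$', line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")  # .reg escapes \ as \\
            keys[current][name] = data
    return keys

def find_downloader_bn(text):
    """Return one human-readable finding per page indicator present in the export."""
    findings = []
    by_path = {k.lower(): v for k, v in parse_reg_export(text).items()}
    for run_key in RUN_KEYS:
        for name, data in by_path.get(run_key.lower(), {}).items():
            # Compare only the file name, case-insensitively (page shows both cases).
            if data.lower().rsplit("\\", 1)[-1] == PAYLOAD_NAME:
                findings.append(f"run key {run_key} value {name!r} -> {data}")
    if MARKER_KEY.lower() in by_path:
        findings.append(f"marker key present: {MARKER_KEY}")
    return findings

# Constructed sample export (not a real capture) for an infected NT/2000/XP host.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"0"="%windir%\\registry.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Registry Services"="C:\\WINDOWS\\REGISTRY.EXE"
"Regedit Helper"="C:\\WINDOWS\\REGEDIT.EXE"
[HKEY_LOCAL_MACHINE\Software\Microsoft\DownloadManager]
"""
```

Calling find_downloader_bn(SAMPLE_EXPORT) returns three findings (both run-key values and the marker key) and ignores the REGEDIT.EXE entry.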

Method of Infection

This trojan connects to a remote website to retrieve "further instructions". At the time of analysis, the trojan simply retrieved another URL to access. It may store the contents of remote files retrieved in the Windows directory, such as winrtu32.exe.

Removal

All Windows Users:
Use current engine and DAT files for detection and removal.

Manual Removal Instructions

Additional Windows ME/XP removal considerations

Variants

Variants

    N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Troj/Zasil-A (Sophos)
  • Trojan.Zasil (Symantec)
  • TrojanClicker.Win32.Zasil (AVP)
