Backdoor.Zix

Discussion in 'malware problems & news' started by Randy_Bell, Jan 21, 2003.

    Symantec Security Response - Backdoor.Zix

    Backdoor.Zix is a backdoor Trojan that allows a hacker to run arbitrary commands on the infected computer. The Trojan sends information in an email message from the infected computer to a specific email address. It also downloads files from an email account and then executes them on the computer.

    Infection Length: 90,112

    Technical Details

    When executed, the Trojan does the following:


    • 1. It copies itself to

      %System%\zy6server.exe

      2. It adds the value

      iez

      to the registry key

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

      3. It attempts to register itself as a service.

      4. It sends system information to an email address at 163.com through the mail server smtp.163.com.

      5. It downloads email messages with encoded information from the POP server at pop.163.com, which instructs the computer to perform arbitrary commands.

    Removal Instructions

    These instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.


    • 1. Update the virus definitions.
      2. Run a full system scan, and delete all the files that are detected as Backdoor.Zix.
      3. Delete the value

      iez

      from the registry key

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    Deleting the value from the registry

    CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document How to make a backup of the Windows registry for instructions.


    • 1. Click Start, then click Run. (The Run dialog box appears.)
      2. Type regedit, then click OK. (The Registry Editor opens.)
      3. Navigate to the key:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

      4. In the right pane, delete the value

      iez

      5. Exit the Registry Editor.
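The host artifacts from the write-up above (the %System%\zy6server.exe copy, the iez Run value, and the service registration) turned into a triage script. This is an added PowerShell example, not code from Symantec or from this post; it assumes %System% resolves to $env:SystemRoot\System32 and that an elevated prompt is used.

```powershell
# Added example (not from the Symantec write-up): checks a Windows host for the
# Backdoor.Zix artifacts listed above and, with -Remove, deletes the "iez" Run
# value exactly as the manual removal steps describe. Run from an elevated prompt.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remove)

$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'iez'                                              # Run value named in the write-up
$dropper   = Join-Path $env:SystemRoot 'System32\zy6server.exe' # %System%\zy6server.exe (assumed path)
$findings  = @()

# 1. Persistence: the "iez" value under the Run key
$runValue = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
if ($runValue) {
    $findings += "Run value '$valueName' present: $($runValue.$valueName)"
}

# 2. The dropped copy in %System%
if (Test-Path -LiteralPath $dropper) {
    $findings += "File present: $dropper"
}

# 3. Service registration: any service whose image path points at zy6server.exe
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -match 'zy6server\.exe' } |
    ForEach-Object { $findings += "Service '$($_.Name)' runs $($_.PathName)" }

if (-not $findings) {
    Write-Output 'No Backdoor.Zix indicators found.'
    return
}
$findings | ForEach-Object { Write-Warning $_ }

# Optional cleanup step mirroring the write-up: remove the Run value.
# The file and service are left for the antivirus scan (removal step 2) to handle.
if ($Remove -and $runValue -and $PSCmdlet.ShouldProcess($runKey, "Remove value '$valueName'")) {
    Remove-ItemProperty -Path $runKey -Name $valueName
    Write-Output "Removed '$valueName' from $runKey"
}
```

Run without switches to report only; `-Remove -WhatIf` shows what would be deleted without touching the registry.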
     