Name: AMBUSH v1.0
Keys: value added under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"ZKA"  Type: REG_SZ  Data: Zcn32.exe
Version: 1.0
Type: remote administration
Port/s used: the server runs on port 10666 UDP
Files:
c:\WINDOWS\Zcn32.exe  Size: 45,056 bytes
c:\WINDOWS\TEMP\~DF7578.TMP  Size: 1,536 bytes
Modifies: none
Aliases: none
Behaviour: the server runs hidden from the Ctrl-Alt-Del task list but does not melt (its icon does not vanish once executed)
Removal: Open regedit (click Start, Run, type regedit and hit OK) and follow this path:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Delete the "ZKA" value (a REG_SZ value under Run, not a subkey) and then reboot.
When Windows restarts, delete the following file:
c:\WINDOWS\Zcn32.exe  Size: 45,056 bytes
Special: this trojan uses UDP as its communication protocol, which is not a common trojan protocol.
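The indicators above (the "ZKA" Run value, the two dropped files and the UDP server port) can be checked from a PowerShell prompt instead of by hand. The script below is an added example, not part of the original AMBUSH write-up; it only reads, so it can be run before deciding on the removal steps. It assumes a modern PowerShell host with the NetTCPIP module (Get-NetUDPEndpoint) and that the Windows directory is $env:SystemRoot (c:\WINDOWS in the write-up); on a host without that module, "netstat -an -p udp" gives the same port listing.

```powershell
# Added example (not from the original write-up): read-only check for the
# AMBUSH v1.0 indicators listed on this page.
# Assumptions: PowerShell 5.1+ with the NetTCPIP module; Windows dir = $env:SystemRoot.
$RunKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$ValueName = 'ZKA'                      # REG_SZ value, Data: Zcn32.exe
$Files     = @("$env:SystemRoot\Zcn32.exe",          # 45,056 bytes per the write-up
               "$env:SystemRoot\TEMP\~DF7578.TMP")   # 1,536 bytes per the write-up
$UdpPort   = 10666                      # server port, UDP

$findings = @()

# 1. Autostart entry: is the "ZKA" value present under the Run key?
$runProps = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
if ($runProps -and ($runProps.PSObject.Properties.Name -contains $ValueName)) {
    $findings += "Run value '$ValueName' present, data: $($runProps.$ValueName)"
}

# 2. Dropped files: report presence and actual size so it can be compared
#    with the sizes given in the write-up.
foreach ($f in $Files) {
    if (Test-Path -LiteralPath $f) {
        $size = (Get-Item -LiteralPath $f).Length
        $findings += "File present: $f ($size bytes)"
    }
}

# 3. UDP listener on the documented server port, with the owning process.
$endpoints = Get-NetUDPEndpoint -LocalPort $UdpPort -ErrorAction SilentlyContinue
foreach ($ep in @($endpoints)) {
    if ($null -eq $ep) { continue }
    $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
    $findings += "UDP port $UdpPort bound on $($ep.LocalAddress) by PID $($ep.OwningProcess) ($($proc.ProcessName))"
}

if ($findings.Count -eq 0) {
    Write-Output "No AMBUSH v1.0 indicators found."
} else {
    Write-Output "Possible AMBUSH v1.0 indicators:"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

If the Run value is found, the removal mirrors the regedit steps above: Remove-ItemProperty -Path the same Run key -Name ZKA, reboot so the server is no longer running, then delete Zcn32.exe (and the ~DF7578.TMP file listed under Files, which the regedit instructions do not mention).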
Author: ZKA
Notes: This trojan looked and performed basically similar to the Back Orifice trojan; the fact that it used UDP as well leads me to believe it was modelled after BO. When I tested the trojan it didn't actually work: the server infected, but the trojan client was not able to control the server. Your average trojan-using newbie would have no clue as to how to use this program, as it isn't very explanatory (e.g. like SubSeven etc.).