Backdoor.Win32.Zonebac.D

Backdoor.Win32.Zonebac.D is a Trojan horse that can reduce security settings on the infected system. Another payload of Backdoor.Win32.Zonebac.D is to allow unauthorized remote access to the victim's PC by creating a backdoor on it. The Trojan also modifies the security settings of the Internet browser to accept commands from a remote host.

Alias: Trojan.ZoneBac

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Windows Vista

Technical Details and Additional Information:

What can Backdoor.Win32.Zonebac.D do to an infected system?
- Modifies registry entries and adds malicious web sites to Internet Explorer trusted sites.
- Checks for the presence of security-related programs.

Malicious Files Added by Backdoor.Win32.Zonebac.D
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Lexmark_X79-55 = \spoolsv.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Lexmark_X79-55 = \spoolsv.exe

Associated Windows Registry Entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run = “Backdoor.Win32.Zonebac.D.exe”

Backdoor.Win32.Zonebac.D – Removal

Removing Backdoor.Win32.Zonebac.D Manually:
1. If using Windows ME or XP, System Restore must be disabled to prevent the threat from restoring itself.
2. Update the virus definitions.
3. Reboot Windows in Safe Mode.
4. Run a full system scan and clean/delete all infected file(s).
5. Delete/Modify any values added to the registry.
6. Exit registry editor and restart Windows.
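
For step 5, a read-only PowerShell check of the two Run keys listed above can show which values to look at before editing anything. This is an added example, not part of the original write-up or any vendor tool; it assumes a default Windows layout in which the genuine spoolsv.exe (Print Spooler) sits in System32 and runs as a service, and the function and variable names are illustrative.

```powershell
# Added example: read-only audit of the Run keys listed in this entry.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$EntryValueName = 'Lexmark_X79-55'   # value name given in this entry
# Assumption: default Windows layout, where the genuine Print Spooler binary
# sits in System32 and is started as a service, not from a Run key.
$GenuineSpooler = Join-Path $env:SystemRoot 'System32\spoolsv.exe'

function Get-RunValueFinding {
    param([string]$Key, [string]$Name, [string]$Data)
    $reasons = @()
    if ($Name -eq $EntryValueName) {
        $reasons += 'value name matches this entry'
    }
    # Drop quotes and expand %VAR% references before comparing paths.
    $cmd = [Environment]::ExpandEnvironmentVariables($Data.Replace('"', '').Trim())
    if ($cmd -match '(^|\\)spoolsv\.exe(\s|$)') {
        $reasons += 'spoolsv.exe launched from a Run key'
        if (-not $cmd.StartsWith($GenuineSpooler, [System.StringComparison]::OrdinalIgnoreCase)) {
            $reasons += 'path is not the System32 copy'
        }
    }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{ Key = $Key; Name = $Name; Data = $Data; Reasons = $reasons -join '; ' }
    }
}

$findings = foreach ($keyPath in $RunKeys) {
    $key = Get-Item -Path $keyPath -ErrorAction SilentlyContinue
    if ($null -eq $key) { continue }   # key absent for this hive/user
    foreach ($name in $key.GetValueNames()) {
        Get-RunValueFinding -Key $keyPath -Name $name -Data ([string]$key.GetValue($name))
    }
}

if ($findings) { $findings | Format-List } else { 'No matching Run values found.' }
```

The script changes nothing; any value it reports still has to be reviewed and removed by hand as described in step 5.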

Anti-virus Tools

Scan with Norton Power Eraser:
Norton Power Eraser is a virus removal tool created by Norton Antivirus to remove unfamiliar threats without using the traditional AV signatures. Download the tool and start scanning with Norton Power Eraser.

Scan with Portable Antivirus:
Most of the time, a Trojan associated with a rogue program will disable Windows functionality and prevent the compromised computer from executing any application, including a locally installed antivirus program. If this happens, you can try using a McAfee portable antivirus tool called Stinger. It can be downloaded for free.