

Found this in some spam. Apparently someone bulk emailed out the url:

The binary is an IRC controlled trojan.

Has an interesting XML blob in it as well which, when changed, makes a lot of AV software misdetect it:

WinRAR archiver.

MD5: 476d76d85d2bd05c705ed02a3e28fd5a
SHA1: c8ec8b15d413a8c0343c119eeddb1e84fe20b6ab

AntiVir Found Backdoor-Server/Zapchast.P backdoor
ArcaVir Found Trojan.Door.Mirc-based
Avast Found VBS:Malware
AVG Antivirus Found IRC/BackDoor.Flood
BitDefender Found Trojan.Zapchas.F, Trojan.Zapchas.BU (probable variant)
ClamAV Found nothing
Dr.Web Found IRC.Flood, Program.mIRC.603
F-Prot Antivirus Found BAT/Zapchast.S, REG/Zapchast.A
Fortinet Found IRC/Flood!bdr
Kaspersky Anti-Virus Found Backdoor.IRC.Zapchast, Backdoor.Win32.mIRC-based
NOD32 Found probably a variant of IRC/Cloner.AT , IRC/Cloner.AT (probable variant)
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found Backdoor.IRC.Zapchast

To be clear, I would add that the file postcards.gif.exe includes
inside a WinRAR part that contains these files:

Extracting from aaa.rar

Creating postcards.gif
Extracting postcards.gif\aliases.ini
Extracting postcards.gif\control.ini
Creating postcards.gif\download
Extracting postcards.gif\fullname.txt
Extracting postcards.gif\ident.txt
Creating postcards.gif\logs
Extracting postcards.gif\mirc.ico
Extracting postcards.gif\mirc.ini
Extracting postcards.gif\nicks.txt
Extracting postcards.gif\remote.ini
Extracting postcards.gif\script.ini
Extracting postcards.gif\servers.ini
Creating postcards.gif\sounds
Extracting postcards.gif\sup.bat
Extracting postcards.gif\sup.reg
Extracting postcards.gif\svchost.exe
Extracting postcards.gif\users.ini
All OK

Kaspersky detects svchost.exe as Backdoor.Win32.mIRC-based.
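As an added triage example (not code posted in this thread), the following Python script parses an unrar-style extraction listing like the one quoted above and flags the indicator combination the reply points at: a full set of mIRC client configuration files, a dropped binary borrowing a Windows system name (svchost.exe), .bat/.reg helpers that can set up persistence, and a directory or file name dressed up with an image extension. The embedded listing is a constructed copy of the one in the reply, and the indicator sets and the verdict thresholds are assumptions chosen for this example, not anything the thread states.

```python
import os
import re

# Constructed sample input: the unrar-style extraction listing quoted in the
# thread, embedded here so the script runs offline. Raw string because the
# paths contain backslashes.
SAMPLE_LISTING = r"""
Extracting from aaa.rar

Creating postcards.gif
Extracting postcards.gif\aliases.ini
Extracting postcards.gif\control.ini
Creating postcards.gif\download
Extracting postcards.gif\fullname.txt
Extracting postcards.gif\ident.txt
Creating postcards.gif\logs
Extracting postcards.gif\mirc.ico
Extracting postcards.gif\mirc.ini
Extracting postcards.gif\nicks.txt
Extracting postcards.gif\remote.ini
Extracting postcards.gif\script.ini
Extracting postcards.gif\servers.ini
Creating postcards.gif\sounds
Extracting postcards.gif\sup.bat
Extracting postcards.gif\sup.reg
Extracting postcards.gif\svchost.exe
Extracting postcards.gif\users.ini
All OK
"""

# Indicator sets (assumptions chosen for this example, not from the thread):
# files that make up a mIRC client install, script/registry helpers commonly
# used to set up persistence, Windows binary names a dropped file may borrow,
# and image/document extensions used as decoys in names.
MIRC_CLIENT_FILES = {"mirc.ini", "remote.ini", "script.ini", "aliases.ini",
                     "users.ini", "servers.ini", "control.ini"}
PERSISTENCE_HELPER_EXTS = {".reg", ".bat", ".cmd", ".vbs"}
SYSTEM_BINARY_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe",
                       "winlogon.exe", "explorer.exe"}
DECOY_EXTS = {".gif", ".jpg", ".jpeg", ".png", ".pdf", ".doc", ".txt"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def parse_listing(text):
    """Return the file paths from 'Extracting <path>' lines.

    'Extracting from <archive>' and 'Creating <dir>' lines are skipped.
    """
    paths = []
    for line in text.splitlines():
        m = re.match(r"^Extracting\s+(?!from\s)(\S.*?)\s*$", line)
        if m:
            paths.append(m.group(1))
    return paths


def split_path(path):
    """Split a Windows- or POSIX-style path into its components."""
    return [p for p in re.split(r"[\\/]", path) if p]


def is_double_extension(name):
    """True for names like postcards.gif.exe: executable suffix after a decoy one."""
    stem, last = os.path.splitext(name.lower())
    _, previous = os.path.splitext(stem)
    return last in EXECUTABLE_EXTS and previous in DECOY_EXTS


def triage(paths):
    """Score an archive listing and return (verdict, list of findings)."""
    names = [split_path(p)[-1].lower() for p in paths]
    findings = []

    # A handful of mIRC config files together is the client kit itself.
    mirc = sorted(set(names) & MIRC_CLIENT_FILES)
    if len(mirc) >= 3:
        findings.append("mIRC client configuration bundled: " + ", ".join(mirc))

    lookalikes = sorted(n for n in set(names) if n in SYSTEM_BINARY_NAMES)
    if lookalikes:
        findings.append("file named after a Windows system binary: " + ", ".join(lookalikes))

    helpers = sorted(n for n in set(names)
                     if os.path.splitext(n)[1] in PERSISTENCE_HELPER_EXTS)
    if helpers:
        findings.append("script/registry helpers that can set up persistence: " + ", ".join(helpers))

    decoy_dirs = sorted({d for p in paths for d in split_path(p)[:-1]
                         if os.path.splitext(d.lower())[1] in DECOY_EXTS})
    if decoy_dirs:
        findings.append("directory named like an image/document: " + ", ".join(decoy_dirs))

    doubles = sorted(n for n in set(names) if is_double_extension(n))
    if doubles:
        findings.append("double-extension executable: " + ", ".join(doubles))

    if mirc and lookalikes:
        verdict = "likely mIRC-based backdoor kit"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "no indicators"
    return verdict, findings


if __name__ == "__main__":
    verdict, findings = triage(parse_listing(SAMPLE_LISTING))
    print(verdict)
    for f in findings:
        print(" -", f)
```

Run it as-is to see the verdict for the quoted listing, or feed it the output of `unrar x` on an SFX dropper you are analysing; the indicator sets are easy to extend, and the verdict is only a triage hint to pair with the hash lookup and AV results above, not a replacement for them.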