Backdoor

Backdoor:Win32/Zegost.CH (file analysis)

Malware Removal

The Backdoor:Win32/Zegost.CH is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

GridinSoft Anti-Malware

Gridinsoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. Allows to complete scan and cure your PC during the trial period.
DOWNLOAD NOW
6-day free trial available.

What Backdoor:Win32/Zegost.CH virus can do?

  • Attempts to connect to a dead IP:Port (1 unique times)
  • Possible date expiration check, exits too soon after checking local time
  • Expresses interest in specific running processes
  • Drops a binary and executes it
  • Unconventionial binary language: Chinese (Simplified)
  • Unconventionial language used in binary resources: Chinese (Simplified)
  • Attempts to repeatedly call a single API many times in order to delay analysis time
  • Installs itself for autorun at Windows startup
  • Creates a copy of itself

How to determine Backdoor:Win32/Zegost.CH?



File Info:

crc32: F9C5B796
md5: 44238118d7071c8ba2a2ba7aac506737
name: dvwacc1.exe
sha1: 3452fa5d5930ee29a0e6bf365ad62a7e84596fcc
sha256: c5cce6130d179cb03aea383a80b329a165e64903ce55b59336cacaea96f13c04
sha512: d6a4df78511dbb944706236cc99bb759ddddf7be12f3583fa292f9a0681bf3da93eca6589955d836c2fd1cfc9bbcede3815488ed5448061b8e73f0a8a457ecd0
ssdeep: 3072:0PuFP9wPK9fHwkDygAs8sslc7T0qSz4ty:0QWCHwoQsI0T0
type: PE32 executable (GUI) Intel 80386, for MS Windows


Version Info:

LegalCopyright: java
InternalName: Copyright ? 2013
FileVersion: 7.0.110.21
CompanyName: Oracle Corporation
PrivateBuild: 
LegalTrademarks: 
Comments: 
ProductName: Java(TM) Platform SE 7 U11
SpecialBuild: 
ProductVersion: 7.0.110.21
FileDescription: Java(TM) Platform SE binary
OriginalFilename: java.exe
Translation: 0x0804 0x04b0

Backdoor:Win32/Zegost.CH also known as:

BkavW32.GenericSiscosB.Trojan
MicroWorld-eScanGen:Heur.Mint.Zard.30
FireEyeGeneric.mg.44238118d7071c8b
CAT-QuickHealBackdoor.Zegost.BZ4
Qihoo-360Backdoor.Win32.Agent.IF
ALYacGen:Heur.Mint.Zard.30
CylanceUnsafe
VIPRETrojan.Win32.Dtcontx.dba (v)
SangforMalware
CrowdStrikewin/malicious_confidence_100% (W)
BitDefenderGen:Heur.Mint.Zard.30
K7GWTrojan ( 005110421 )
K7AntiVirusTrojan ( 005110421 )
TrendMicroBKDR_ZEGOST.SM27
BitDefenderThetaGen:NN.ZexaF.34106.hq0@amXuBHkb
F-ProtW32/Siscos.B.gen!Eldorado
SymantecBackdoor.Trojan
ESET-NOD32Win32/Fusing.BB
BaiduWin32.Backdoor.Fusing.d
APEXMalicious
AvastWin32:Farfli-BL [Trj]
ClamAVWin.Trojan.Siscos-954
GDataWin32.Trojan.Fusing.A
KasperskyTrojan.Win32.Staser.boqk
AlibabaBackdoor:Win32/Farfli.d6daffec
NANO-AntivirusTrojan.Win32.Siscos.bxpajl
AegisLabTrojan.Win32.Siscos.lVJW
TencentTrojan.Win32.Siscos.a
Ad-AwareGen:Heur.Mint.Zard.30
EmsisoftGen:Heur.Mint.Zard.30 (B)
ComodoTrojWare.Win32.Siscos.PNZ@4yglp7
F-SecureTrojan.TR/Graftor.12288013
DrWebTrojan.KillProc.28974
ZillyaTrojan.Siscos.Win32.4185
Invinceaheuristic
McAfee-GW-EditionGenericRXBL-SG!44238118D707
Trapminemalicious.moderate.ml.score
CMCTrojan.Win32.Siscos!O
SophosTroj/Zegost-DM
IkarusTrojan.SuspectCRC
CyrenW32/Siscos.B.gen!Eldorado
JiangminPacked.Katusha.audv
WebrootW32.Malware.Gen
AviraTR/Graftor.12288013
MAXmalware (ai score=81)
Antiy-AVLTrojan/Win32.Siscos.pnz
Endgamemalicious (high confidence)
ArcabitTrojan.Mint.Zard.30
SUPERAntiSpywareTrojan.Agent/Gen-KillAV
AhnLab-V3Trojan/Win32.Siscos.R69357
ZoneAlarmTrojan.Win32.Staser.boqk
MicrosoftBackdoor:Win32/Zegost.CH
TotalDefenseWin32/Tnega.AfYbFe
Acronissuspicious
McAfeeGenericRXBL-SG!44238118D707
TACHYONTrojan/W32.Siscos.122880
VBA32BScope.Backdoor.Farfli
MalwarebytesBackdoor.Farfli
PandaTrj/Genetic.gen
TrendMicro-HouseCallBKDR_ZEGOST.SM27
RisingBackdoor.Zegost!8.177 (CLOUD)
YandexTrojan.Siscos!/CdExrnzQE0
eGambitUnsafe.AI_Score_99%
FortinetW32/Farfli.AIL!tr
AVGWin32:Farfli-BL [Trj]
Cybereasonmalicious.8d7071
Paloaltogeneric.ml
MaxSecureTrojan.Malware.9241209.susgen

How to remove Backdoor:Win32/Zegost.CH?

Backdoor:Win32/Zegost.CH removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan“.
  • Move to quarantine” all items.
  • Open “Tools” tab – Press “Reset Browser Settings“.
  • Select proper browser and options – Click “Reset”.
  • Restart your computer.

You may also like

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.

View all posts

Leave a Comment