Tuesday, November 18, 2008

CodeZero BHO

Removing CodeZero
Categories: BHO
BHO (Browser Helper Object) Trojan.
"The BHO waits for the user to post personal information to a monitored website.
As this information is entered by the user, it is captured by the BHO and sent back to the attacker.
The method of network transport used by the attacker makes this Trojan unique.
Typically, keyloggers of this type will send the stolen information back to the attacker via email
or HTTP POST, which can appear suspicious.
Instead, this Trojan encodes the data with a simple XOR algorithm before placing it into
the data section of an ICMP ping packet," explained the company.
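The ICMP transport described above is the part a network defender can actually watch for: echo requests whose data section is not what a stock ping utility would send. The following is an added example (not code from the original page or from any vendor) that parses raw IPv4/ICMP echo requests, compares the data section with the default Windows and Linux ping payloads, and flags payloads that look like single-byte-XOR-obfuscated text. The packets, the credential string and the XOR key 0xA7 are constructed here for the test; the 32-byte Windows template is the real default.

```python
import struct
import string

# Payload templates emitted by stock ping utilities (Windows: 32-byte alphabet;
# Linux: 8-byte timestamp followed by the incrementing filler 0x10, 0x11, ...).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
PRINTABLE = set(string.printable.encode())

def icmp_echo_payload(packet: bytes):
    """Return the echo-request data section of a raw IPv4/ICMP packet, else None."""
    if len(packet) < 28 or packet[0] >> 4 != 4 or packet[9] != 1:  # IPv4, proto 1 = ICMP
        return None
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:]
    if len(icmp) < 8 or icmp[0] != 8:  # type 8 = echo request
        return None
    return icmp[8:]  # skip type, code, checksum, identifier, sequence

def printable_ratio(data: bytes) -> float:
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0

def is_linux_ping_payload(data: bytes) -> bool:
    return len(data) >= 16 and data[8:] == bytes(range(0x10, 0x10 + len(data) - 8))

def classify_echo(packet: bytes) -> str:
    """Label an ICMP echo request by how far its data section is from a stock ping."""
    data = icmp_echo_payload(packet)
    if data is None:
        return "not-echo-request"
    if data == WINDOWS_PING_PAYLOAD or is_linux_ping_payload(data):
        return "stock-ping"
    if printable_ratio(data) >= 0.9:
        return "unknown-text-payload"
    # Triage: does some single-byte XOR key turn the bytes back into readable text?
    for key in range(1, 256):
        if printable_ratio(bytes(b ^ key for b in data)) >= 0.9:
            return "suspicious-xor-encoded"
    return "suspicious-binary-payload"

def build_echo_request(payload: bytes, seq: int = 1) -> bytes:
    """Constructed test packet: minimal IPv4 header + ICMP echo request (checksums zeroed)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 1, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))
    return ip + struct.pack("!BBHHH", 8, 0, 0, 0x1234, seq) + payload

# Constructed samples: a stock Windows ping and a credential string XORed with key 0xA7.
STOCK = build_echo_request(WINDOWS_PING_PAYLOAD)
EXFIL = build_echo_request(bytes(b ^ 0xA7 for b in b"login=alice&pw=hunter2"))
```

classify_echo(STOCK) returns "stock-ping" and classify_echo(EXFIL) returns "suspicious-xor-encoded"; on a real capture, feed each IPv4 frame payload to classify_echo and alert on the two "suspicious-" labels.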

Visible Symptoms:
Files in system folders:
[%PROGRAMS%]\codezero\codezero.lnk
[%PROGRAM_FILES%]\codezero\bpt.ini
[%PROGRAM_FILES%]\codezero\czbho.dll
[%PROGRAM_FILES%]\codezero\czoptima.exe
[%PROGRAM_FILES%]\codezero\cztray.exe
[%PROGRAM_FILES%]\codezero\czupdate.exe
[%PROGRAM_FILES%]\codezero\image\0.jpg
[%PROGRAM_FILES%]\codezero\image\1.jpg
[%PROGRAM_FILES%]\codezero\image\2.jpg
[%PROGRAM_FILES%]\codezero\image\2_1(1).jpg
[%PROGRAM_FILES%]\codezero\image\2_1.jpg
[%PROGRAM_FILES%]\codezero\image\2_2.jpg
[%PROGRAM_FILES%]\codezero\image\3.jpg
[%PROGRAM_FILES%]\codezero\image\4.jpg
[%PROGRAM_FILES%]\codezero\image\5.jpg
[%PROGRAM_FILES%]\codezero\image\background.jpg
[%PROGRAM_FILES%]\codezero\image\backup.ini
[%PROGRAM_FILES%]\codezero\image\bpt.ini
[%PROGRAM_FILES%]\codezero\image\bpt_h7.ini
[%PROGRAM_FILES%]\codezero\image\bpt_k3.ini
[%PROGRAM_FILES%]\codezero\image\btn.jpg
[%PROGRAM_FILES%]\codezero\image\btn_close.jpg
[%PROGRAM_FILES%]\codezero\image\buttoncontrol.jpg
[%PROGRAM_FILES%]\codezero\image\codezero.ico
[%PROGRAM_FILES%]\codezero\image\codezero.jpg
[%PROGRAM_FILES%]\codezero\image\codezero_main.jpg
[%PROGRAM_FILES%]\codezero\image\codezero_update.jpg
[%PROGRAM_FILES%]\codezero\image\control.jpg
[%PROGRAM_FILES%]\codezero\image\czero_16.ico
[%PROGRAM_FILES%]\codezero\image\diskcontrol.jpg
[%PROGRAM_FILES%]\codezero\image\drive.ini
[%PROGRAM_FILES%]\codezero\image\drive.jpg
[%PROGRAM_FILES%]\codezero\image\findreg.ini
[%PROGRAM_FILES%]\codezero\image\findreg.jpg
[%PROGRAM_FILES%]\codezero\image\hate.ini
[%PROGRAM_FILES%]\codezero\image\info.ini
[%PROGRAM_FILES%]\codezero\image\mad.ini
[%PROGRAM_FILES%]\codezero\image\madorreg.jpg
[%PROGRAM_FILES%]\codezero\image\main.ini
[%PROGRAM_FILES%]\codezero\image\offline.jpg
[%PROGRAM_FILES%]\codezero\image\onok.jpg
[%PROGRAM_FILES%]\codezero\image\optima.ini
[%PROGRAM_FILES%]\codezero\image\page.ini
[%PROGRAM_FILES%]\codezero\image\pcxx.ini
[%PROGRAM_FILES%]\codezero\image\person.jpg
[%PROGRAM_FILES%]\codezero\image\personcontrol.jpg
[%PROGRAM_FILES%]\codezero\image\popup_fixed.bmp
[%PROGRAM_FILES%]\codezero\image\popup_test.bmp
[%PROGRAM_FILES%]\codezero\image\popup_test2.bmp
[%PROGRAM_FILES%]\codezero\image\recdelcontrol.jpg
[%PROGRAM_FILES%]\codezero\image\record.ini
[%PROGRAM_FILES%]\codezero\image\recordcontrol.jpg
[%PROGRAM_FILES%]\codezero\image\recorddel.jpg
[%PROGRAM_FILES%]\codezero\image\regdel.ini
[%PROGRAM_FILES%]\codezero\image\regdel.jpg
[%PROGRAM_FILES%]\codezero\image\searchreg.ini
[%PROGRAM_FILES%]\codezero\image\searchreg.jpg
[%PROGRAM_FILES%]\codezero\image\skin.ini
[%PROGRAM_FILES%]\codezero\image\start.jpg
[%PROGRAM_FILES%]\codezero\image\tab.jpg
[%PROGRAM_FILES%]\codezero\image\topmenu.jpg
[%PROGRAM_FILES%]\codezero\image\update.ini
[%PROGRAM_FILES%]\codezero\image\update.jpg
[%PROGRAM_FILES%]\codezero\mfc42.dll
[%PROGRAM_FILES%]\codezero\uncz.exe
[%PROGRAM_FILES%]\codezero\uninstall.exe
[%PROGRAM_FILES%]\codezero\update\appver.log
[%PROGRAM_FILES%]\codezero\update\badcode.log
[%PROGRAM_FILES%]\codezero\update\badsite.log
[%PROGRAM_FILES%]\codezero\update\badsiteupdate.dat
[%PROGRAM_FILES%]\codezero\update\badsitever.log
[%PROGRAM_FILES%]\codezero\update\obfl.dat
[%PROGRAM_FILES%]\codezero\update\obrl.dat

How to detect CodeZero:

Files: the same files listed under Visible Symptoms above.

Registry Values:
HKEY_LOCAL_MACHINE\software\codezero
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\codezero

Removing CodeZero:

You can download a trial version of the "Exterminate-It" antivirus software here to check your computer instantly.

Or buy it to remove ALL viruses from your computer.
