Reversing : The Hacker's Guide to Reverse Engineering

When the program is first launched, it runs some checks to see whether it has already been installed, and if not it installs itself. This is done by calling GetModuleFileName to obtain the primary executable's file name, and checking whether the system's SYSTEM32 directory name is part of the path. If the program has not yet been installed, it proceeds to copy itself to the SYSTEM32 directory under the name ZoneLockup.exe, launches that executable, and terminates itself by calling ExitProcess.

The new instance of the process is obviously going to run this exact same code, except this time the SYSTEM32 check will find that the program is already running from SYSTEM32 and will wind up running the code at 00402736. This sequence checks whether this is the first time that the program is launched from its permanent habitat. This is done by checking a special flag qwerset in the command-line parameters that also includes the full path and name of the original Trojan executable that was launched (this is going to be something like Webcam Shots.scr). The program needs this information so that it can delete this file—there is no reason to keep the original executable in place after the ZoneLockup.exe is created and launched. If you're wondering why this file name was passed into the new instance instead of just deleting it in the previous instance, there is a simple answer: it wouldn't have been possible to delete the executable while the program was still running, because Windows locks executable files while they are loaded into memory. The program had to launch a new instance, terminate the first one, and delete the original file from this new instance.

The function proceeds to create a mutex called botsmfdutpex, whatever that means. The purpose of this mutex is to make sure no other instances of the program are already running; the program terminates if the mutex already exists. This mechanism ensures that the program doesn't try to infect the same host twice.
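The installation sequence just described leaves a recognisable trail on the host: a copy named ZoneLockup.exe running from SYSTEM32, a command line carrying the qwerset flag plus the path of the launching executable, and the botsmfdutpex mutex. The following script is an added example, not code from the book: it runs those indicators over a few constructed, Sysmon-style process-creation records and a constructed handle listing. The record layout, the sample paths and PIDs, and the assumption that the original path follows the flag as a quoted argument are all illustrative, not taken from the analysis.

```python
# Added triage example (not from the book): check constructed, Sysmon-style
# process-creation records and a handle listing for the installation
# behaviour described in the analysis. Record layout, PIDs and paths are
# assumptions made for illustration.
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

SYSTEM32 = r"c:\windows\system32"       # install location the backdoor checks for
DROPPED_NAME = "zonelockup.exe"         # name it copies itself to (from the analysis)
CMDLINE_FLAG = "qwerset"                # flag the relaunched copy looks for
MUTEX_NAME = "botsmfdutpex"             # single-instance / infection-marker mutex


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # full command line as logged


def _norm(path: str) -> str:
    """Lower-case and use backslashes so comparisons ignore case and slash style."""
    return path.replace("/", "\\").lower()


def in_system32(path: str) -> bool:
    """True if the executable lives directly in the SYSTEM32 directory."""
    return ntpath.dirname(_norm(path)) == SYSTEM32


def original_path_from_cmdline(cmdline: str) -> Optional[str]:
    """Return the path that follows the qwerset flag, if present.

    The analysis says the flag travels with the original executable's full
    path; the exact layout (flag, then a quoted or bare path) is assumed here.
    """
    m = re.search(r'\bqwerset\s+(?:"([^"]*)"|(\S+))', cmdline, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) or m.group(2)


def check_process(ev: ProcEvent, parent: Optional[ProcEvent] = None) -> List[str]:
    """Return the names of the indicators this process-creation event matches."""
    hits = []
    if in_system32(ev.image) and ntpath.basename(_norm(ev.image)) == DROPPED_NAME:
        hits.append("image_is_dropped_name_in_system32")
    if CMDLINE_FLAG in ev.cmdline.lower():
        hits.append("cmdline_has_qwerset_flag")
        orig = original_path_from_cmdline(ev.cmdline)
        # The relaunched copy is handed the path of the executable that started it,
        # so the argument should point back at the parent process's image.
        if orig and parent is not None and _norm(orig) == _norm(parent.image):
            hits.append("cmdline_path_is_parent_image")
    return hits


def check_mutexes(mutex_names: Iterable[str]) -> bool:
    """True if the marker mutex appears in a handle listing.

    Named objects are usually listed with their full object-manager path
    (e.g. \\Sessions\\1\\BaseNamedObjects\\name), so compare the last component.
    """
    return any(n.rsplit("\\", 1)[-1].lower() == MUTEX_NAME for n in mutex_names)


def triage(events: List[ProcEvent], mutexes: Iterable[str]) -> Tuple[Dict[int, List[str]], bool]:
    """Map each flagged PID to its indicator hits, and report the mutex marker."""
    by_pid = {e.pid: e for e in events}
    findings = {}
    for e in events:
        hits = check_process(e, by_pid.get(e.ppid))
        if hits:
            findings[e.pid] = hits
    return findings, check_mutexes(mutexes)


# Constructed sample data (hypothetical user name, PIDs and handle names).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(4120, 100, r"C:\Users\alice\Downloads\Webcam Shots.scr",
              r'"C:\Users\alice\Downloads\Webcam Shots.scr"'),
    ProcEvent(4188, 4120, r"C:\Windows\System32\ZoneLockup.exe",
              r'"C:\Windows\System32\ZoneLockup.exe" qwerset "C:\Users\alice\Downloads\Webcam Shots.scr"'),
    ProcEvent(4200, 100, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]
SAMPLE_MUTEXES = [r"\Sessions\1\BaseNamedObjects\botsmfdutpex", "SM0:4188:304:WilStaging_02"]

if __name__ == "__main__":
    found, marker = triage(SAMPLE_EVENTS, SAMPLE_MUTEXES)
    for pid, hits in found.items():
        print(pid, hits)
    print("mutex marker present:", marker)
```

The parent-image check is the most specific of the three: a SYSTEM32 binary being launched by a process outside SYSTEM32 is everyday behaviour, but a child whose command-line argument names its own parent's executable is exactly the hand-off the analysis describes.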

Initializing Communications

The next part of this function is a bit too long to print here, but it's easily readable: it collects several bits of information regarding the host, including the exact version of the operating system, and the currently logged-on user. This is followed by what is essentially the program's main loop, which is printed in Listing 8.4.

00402939 /PUSH 0
0040293B |LEA EAX,DWORD PTR SS:[EBP-4]
0040293E |PUSH EAX
0040293F |CALL <JMP.&WININET.InternetGetConnectedState>
00402944 |OR EAX,EAX

Listing 8.4 The Backdoor program’s primary network connection check loop.

294 Chapter 8
