Reversing : The Hacker's Guide to Reverse Engineering

deletes the executable. You can probably guess that this is not an entirely trivial task: an executable program file cannot be deleted while the program is running. To work around this problem, the program must generate a “self-destruct” batch file, which deletes the program’s executable after the main program exits. This is done in a little function at 00401AA0, which generates the following batch file, called “rm.bat”. The program runs this batch file and quits. Let’s take a quick look at this batch file.

@echo off
:start
if not exist "C:\WINNT\SYSTEM32\ZoneLockup.exe" goto done
del "C:\WINNT\SYSTEM32\ZoneLockup.exe"
goto start
:done
del rm.bat

This batch file loops through code that attempts to delete the main program executable. The loop terminates only once the executable is actually gone. That’s because the batch file starts running while the ZoneLockup.exe executable is still running; the batch file must wait until ZoneLockup.exe has exited before the file can be deleted.
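A defender-side check for the idiom described above, added here as an example and not taken from the book: a small Python scanner that flags batch files built on the rm.bat pattern, that is, a backward goto loop that keeps deleting one path until an "if not exist" test breaks out, followed by the script deleting itself. Treating `%0` as a self-reference is an assumption beyond the listing, and both sample scripts are constructed.

```python
import re
from typing import Dict, List, Optional

# cmd.exe constructs the rm.bat idiom is built from: labels, goto, and a guarded del.
LABEL_RE = re.compile(r'^:(\S+)$')
GOTO_RE = re.compile(r'^goto\s+(\S+)$', re.IGNORECASE)
EXIST_RE = re.compile(r'^if\s+not\s+exist\s+"?([^"]+?)"?\s+goto\s+(\S+)$', re.IGNORECASE)
DEL_RE = re.compile(r'^del\s+"?([^"]+?)"?$', re.IGNORECASE)

def _normalize(batch_text: str) -> List[str]:
    """Straighten typographic quotes (common in copied samples) and drop blank lines."""
    text = batch_text.replace('\u201c', '"').replace('\u201d', '"')
    return [ln.strip() for ln in text.splitlines() if ln.strip()]

def find_self_destruct_loop(batch_text: str, batch_name: str) -> Optional[Dict[str, object]]:
    """Detect a backward goto loop that keeps deleting one path until an
    'if not exist <path>' test breaks out, then report whether the batch
    also deletes itself (by its own name or %0, the latter an assumption)."""
    lines = _normalize(batch_text)
    labels = {m.group(1).lower(): i for i, ln in enumerate(lines) if (m := LABEL_RE.match(ln))}
    for i, ln in enumerate(lines):
        g = GOTO_RE.match(ln)
        if not g or labels.get(g.group(1).lower(), i) >= i:
            continue  # only a jump back to an earlier label forms a retry loop
        body = lines[labels[g.group(1).lower()] + 1:i]
        deleted = {m.group(1).lower(): m.group(1) for ln2 in body if (m := DEL_RE.match(ln2))}
        guarded = {m.group(1).lower() for ln2 in body if (m := EXIST_RE.match(ln2))}
        for key in deleted:
            if key in guarded:  # same path is both deleted and checked for existence
                self_refs = {batch_name.lower(), '%0'}
                deletes_self = any(
                    (m := DEL_RE.match(ln2)) is not None and m.group(1).lower() in self_refs
                    for ln2 in lines)
                return {'target': deleted[key], 'deletes_self': deletes_self}
    return None

# Constructed samples: the rm.bat from the listing and a benign one-shot cleanup script.
RM_BAT = r"""@echo off
:start
if not exist "C:\WINNT\SYSTEM32\ZoneLockup.exe" goto done
del "C:\WINNT\SYSTEM32\ZoneLockup.exe"
goto start
:done
del rm.bat
"""
CLEANUP_BAT = r"""@echo off
del "C:\Temp\build.log"
echo done
"""
```

Running `find_self_destruct_loop(RM_BAT, 'rm.bat')` returns the ZoneLockup.exe path with `deletes_self` set, while the cleanup script returns None.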

The Backdoor.Hacarmy.D: A Command Reference


Having gathered all of this information, I realized that it would be a waste not to summarize it properly. This is an interesting program that reveals much about how modern-day malware works. The following table lists the supported commands I was able to find in the program, along with their descriptions.

Table 8.1 List of Supported Commands in the Trojan/Backdoor.Hacarmy.D Program.

COMMAND        DESCRIPTION                                        ARGUMENTS
!?dontuseme    Instructs the program to self-destruct by
               removing its Autorun registry entry and
               deleting its executable.
!socks4        Initializes a SOCKS4 server thread on the          Port number to open.
               specified port. This essentially turns the
               infected system into a proxy server.
!threads       Lists the currently active server threads.

304 Chapter 8
