Wave of Zortob Backdoor Trojan discovered in the wild

October 18, 2013

The Dell SonicWall Threats Research team has received reports of a recent wave of the Zortob Trojan in the wild. Trojans of this nature may have no particular objective upon infection, but they give an attacker a backdoor into the infected system through which any other malware can be installed. This Trojan is reported to arrive as an email attachment masquerading as a voicemail message.

Infection cycle:

The Trojan uses the following icon to pose as a voicemail message:

The Trojan adds the following files to the filesystem:

  • %APPDATA%\kqljentg.exe [Detected as GAV: Zortob.B_47 (Trojan)]
  • {run location}\VoiceMail_Round_Rock_(512)4584934.txt

Once it is run it will delete itself and create VoiceMail_Round_Rock_(512)4584934.txt in the same location:

It will then open notepad.exe to display the text file:

The following IP addresses for C&C servers were discovered in the binary:

  • 62.75.242.232
  • 5.39.84.59
  • 89.144.14.28
  • 106.186.23.14
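The dropped-file names and C&C addresses listed above are the indicators a defender would most want to sweep for. The following script is an added example, not part of the original advisory or of any SonicWall product: it matches the advisory's four C&C IP addresses against firewall log lines and the dropped-file names against a list of observed file paths. The log format, the sample log lines and the sample paths are constructed for the example, and the `VoiceMail_*.txt` pattern is an assumed generalisation of the single lure file name reported above.

```python
import re
from typing import List, Tuple

# Indicators taken from the advisory text above.
ZORTOB_C2_IPS = frozenset({
    "62.75.242.232",
    "5.39.84.59",
    "89.144.14.28",
    "106.186.23.14",
})
ZORTOB_DROPPED_EXE = "kqljentg.exe"
# Assumption: the lure text file name follows a VoiceMail_<anything>.txt pattern;
# the advisory reports only one concrete name.
ZORTOB_LURE_TXT = re.compile(r"^VoiceMail_.*\.txt$", re.IGNORECASE)

# Constructed sample firewall log lines in a simple key=value format (not real data).
SAMPLE_FIREWALL_LOG = """\
2013-10-18T09:12:01Z allow src=10.0.0.15 dst=93.184.216.34 dport=80 proto=tcp
2013-10-18T09:12:44Z allow src=10.0.0.15 dst=62.75.242.232 dport=8080 proto=tcp
2013-10-18T09:13:02Z allow src=10.0.0.22 dst=5.39.84.59 dport=80 proto=tcp
2013-10-18T09:13:30Z deny src=10.0.0.22 dst=8.8.8.8 dport=53 proto=udp
"""

# Constructed sample of file paths as an endpoint inventory tool might report them.
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\kqljentg.exe",
    r"C:\Users\alice\Downloads\VoiceMail_Round_Rock_(512)4584934.txt",
    r"C:\Windows\System32\notepad.exe",
]

LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def find_c2_connections(log_text: str) -> List[Tuple[str, str, int]]:
    """Return (source, destination, port) for every log line whose
    destination is one of the advisory's C&C addresses."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # line does not carry a connection record
        if m.group("dst") in ZORTOB_C2_IPS:
            hits.append((m.group("src"), m.group("dst"), int(m.group("dport"))))
    return hits


def find_dropped_files(paths: List[str]) -> List[Tuple[str, str]]:
    """Return (path, reason) for every path whose file name matches one of
    the advisory's dropped-file indicators."""
    findings = []
    for path in paths:
        # Normalise Windows and POSIX separators before taking the base name.
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        if name.lower() == ZORTOB_DROPPED_EXE:
            findings.append((path, "dropped executable"))
        elif ZORTOB_LURE_TXT.match(name):
            findings.append((path, "voicemail lure text file"))
    return findings


if __name__ == "__main__":
    for src, dst, port in find_c2_connections(SAMPLE_FIREWALL_LOG):
        print(f"C&C traffic: {src} -> {dst}:{port}")
    for path, reason in find_dropped_files(SAMPLE_PATHS):
        print(f"file indicator: {path} ({reason})")
```

A hit on the C&C list identifies the internal source address to isolate and examine; a hit on the dropped executable under `%APPDATA%` corroborates an infection on that host. Because the sample deletes its original file after running, the dropped executable and the lure text file are the artefacts most likely to remain on disk.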

The following encrypted communication was observed between the Trojan and a remote C&C server:

During analysis we discovered the unencrypted form of the data sent above:

The response from the C&C server suggests that the Trojan remain idle. We also discovered various other commands in the Trojan binary:

  • idl
  • run
  • crc
  • rem
  • rdl
  • red
  • upd

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Zortob.B_47 (Trojan)