aka "Secure Connection Test"

Written in Visual C++

Released in april 2002

"Backdoor.Zenmaster retrieves connection details by enumerating RAS connections.
The data that the Trojan obtains is used to authenticate its access to the remote access server.
The Trojan then delivers the retrieved information to a Web site.
Also, the data may be used to enumerate and terminate running processes."
(Symantec)



Server:
C:\WINDOWS\SYSTEM\WINFILES.EXE 

size: 20 KB

startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "HKDevice" 

added:
c:\WINDOWS\SYSTEM\K_File.exe