Analysis by: Jasen Sumalapao
ALIASES:

PWS:Win32/Zbot (Microsoft), Trojan-Spy.Win32.Zbot.edhx (Kaspersky), Trojan.Gen (Symantec), PWS-Zbot.gen.afv (NAI), Mal/Generic-L (Sophos), Trojan.Win32.Generic!BT (Sunbelt), TR/Crypt.XPACK.Gen7 (Antivir), W32/Zbot.FT.gen!Eldorado (Authentium), Gen:Variant.Injector.23 (Bitdefender) , W32/Krypt.AAOD!tr (Fortinet), W32/Zbot.FT.gen!Eldorado (generic, not disinfectable) (Fprot), Trojan-Spy.Win32.Zbot (Ikarus), Win32/Spy.Zbot.AAO trojan (NOD32), TrojanSpy.Zbot.edhx (VBA32)

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 REPORTED INFECTION:
 SYSTEM IMPACT RATING:
 INFORMATION EXPOSURE:

  • Threat Type: Spyware

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It creates folders where it drops its files. The dropped file is injected in all running processes.

It modifies the Internet Explorer Zone Settings.

  TECHNICAL DETAILS

File Size: 153,088 bytes
File Type: EXE
Initial Samples Received Date: 14 Aug 2012

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This spyware drops the following component file(s):

  • %User Profile%\Application Data\{random folder 1}\{random filename}.exe - detected as TSPY_ZBOT.KKF
  • %User Profile%\Application Data\{random folder 2}\{random filename and extension}
  • %User Profile%\Application Data\{random folder 3}\{random filename and extension}

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

It creates the following folders:

  • %User Profile%\Application Data\{random folder 1}
  • %User Profile%\Application Data\{random folder 2}
  • %User Profile%\Application Data\{random folder 3}

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

The dropped file is injected in all running processes.

Autostart Technique

This spyware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random characters} = "%User Profile%\Application Data\{random folder 1}\{random file name}.exe"

Web Browser Home Page and Search Page Modification

This spyware modifies the Internet Explorer Zone Settings.

Download Routine

This spyware connects to the following URL(s) to download its component file(s):

  • {BLOCKED}navole.ru