Analysis by: Jasen Sumalapao

ALIASES:

PWS:Win32/Zbot (Microsoft), Trojan-Spy.Win32.Zbot.ebwa (Kaspersky), Infostealer (Symantec), PWS-Zbot.gen.agr (NAI), Troj/Agent-WVA (Sophos), Trojan.Win32.Generic!BT (Sunbelt), TR/Spy.ZBot.ebwa.1 (Antivir), W32/Zbot.FT.gen!Eldorado (Authentium), Gen:Variant.Graftor.36069 (Bitdefender), W32/Krypt.AAOD!tr (Fortinet), W32/Zbot.FT.gen!Eldorado (generic, not disinfectable) (Fprot), Trojan-Spy.Win32.Zbot (Ikarus), Win32/Spy.Zbot.AAO trojan (NOD32), Generic (Panda), TrojanSpy.Zbot.ebwa (VBA32)

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 REPORTED INFECTION:
 SYSTEM IMPACT RATING:
 INFORMATION EXPOSURE:

  • Threat Type: Spyware

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It creates folders where it drops its files.

It modifies the Internet Explorer Zone Settings.

  TECHNICAL DETAILS

File Size: 150,016 bytes
File Type: EXE
Initial Samples Received Date: 14 Aug 2012

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This spyware drops the following component file(s):

  • %User Profile%\Application Data\{random folder 1}\{random filename}.exe - detected as TSPY_ZBOT.KKJ
  • %User Profile%\Application Data\{random folder 2}\{random filename and extension}
  • %User Profile%\Application Data\{random folder 3}\{random filename and extension}

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It creates the following folders:

  • %User Profile%\Application Data\{random folder 1}
  • %User Profile%\Application Data\{random folder 2}
  • %User Profile%\Application Data\{random folder 3}

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

Autostart Technique

This spyware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random characters} = "%User Profile%\Application Data\{random folder 1}\{random file name}.exe"

Other System Modifications

This spyware creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%Windows%\explorer.exe = "%Windows%\explorer.exe:*:Enabled:Windows Explorer"

Web Browser Home Page and Search Page Modification

This spyware modifies the Internet Explorer Zone Settings.

Download Routine

This spyware connects to the following URL(s) to download its component file(s):

  • {BLOCKED}navole.ru