TROJ_ZBOT.AGB

This Trojan attempts to steal information, such as user names and passwords, used when logging into certain banking or finance-related websites.

Arrival Details

This Trojan may be downloaded from the following remote sites:

• http://{BLOCKED}tooper.com/abudabi/uk.exe

Installation

This Trojan adds the following folders:

• %Application Data%\{random folder name 1}
• %Application Data%\{random folder name 2}

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)

It injects itself into the following processes running in the affected system's memory:

• explorer.exe
• taskhost.exe
• taskeng.exe
• Dwm.exe
• wscntfy.exe
• ctfmon.exe
• rdpclip.exe

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{GUID} = %Application Data%\{random folder name 1}\{random file name}.exe

It drops the following files:

• %Application Data%\{random folder name 1}\{random file name}.exe - copy of itself
• %Application Data%\{random folder name 2}\{random file name} - contains encrypted stolen data

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)

Other System Modifications

This Trojan adds the following registry keys as part of its installation routine:

HKEY_CURRENT_USER\Software\Microsoft\
{random characters}

It creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%Windows%\EXPLORER.EXE = %Windows%\EXPLORER.EXE:*:Enabled:Windows Explorer

Information Theft

This Trojan monitors the Internet Explorer (IE) activities of the affected system, specifically the address bar or title bar. It recreates a legitimate website with a spoofed login page if a user visits banking sites with the following strings in the address bar or title bar:

• *.banking.firstdirect.com*idv_cmd=idv.Authentication
• *.banking.firstdirect.com/1/2/!ut/p/kcxml/*
• *.banking.firstdirect.com/1/2/!ut/p/kcxml/04_Sj9SPykssy*
• *.ebay.*/*eBayISAPI.dll?*
• *.hsbc.co.uk/1/2/*
• *.hsbc.co.uk/1/2/*idv.CustomerMigration
• *.partnerandaffinitycards.co.uk/servicing/Logon.aspx?*
• */CapitalOne_Consumer/*
• */atl.osmp.ru/*
• */login.osmp.ru/*
• */my.ebay.*/*
• */my.ebay.*/*CurrentPage=MyeBayPersonalInfo*
• *commissioncontrol.net*
• *coventrybuildingsociety.co.uk*
• *mybank.alliance-leicester.co.uk*
• *mybank.alliance-leicester.co.uk/move_money/*MM*.asp*
• *mybank.alliance-leicester.co.uk/view_accounts/VA*
• *mybank.alliance-leicester.co.uk/your_payees/YP1point1a.asp*
• *nationet.com/AppServices/SignOn/SignOnProcess*
• *npbs.co.uk*
• *nwolb.com/OneOffPaymentsCreateBillPayee.asp*
• *nwolb.com/login.aspx*
• *rbsdigital.com/AccountSummary.aspx
• *rbsdigital.com/login.aspx*
• *tuxedomoney.com*
• http*://*alliance-leicester.co.uk*
• http*://*cbonline.co.uk*
• http*://*co-operativebank.co.uk*
• http*://*smile.co.uk*
• http*://*ybonline.co.uk*
• https://*.banking.first-direct.com/1/2/balances*
• https://*abbeynational.co.uk*
• https://*ibank.internationalbanking.barclays.com/*
• https://*ulsterbankanytimebanking.*/login.aspx*
• https://*ulsterbankanytimebanking.co.uk/*
• https://cardservicing.tescofinance.com/RBSG_Consumer/UserLogin.do*
• https://cardservicing.tescofinance.com/RBSG_Consumer/VerifyLogin.do*
• https://cardsonline-consumer.com/RBSG_Consumer/*
• https://database.acornmediauk.com/*
• https://home.cbonline.co.uk/ralu/loginmgr/loginQuestion.ctl
• https://home.cbonline.co.uk/ralu/loginmgr/loginSetup.ctl*
• https://home.cbonline.co.uk/ralu/loginmgr/partialPassword.ctl
• https://home.cbonline.co.uk/ralu/loginmgr/partialPassword.ctl*
• https://home.ybonline.co.uk/ralu/loginmgr/loginQuestion.ctl
• https://home.ybonline.co.uk/ralu/loginmgr/loginSetup.ctl*
• https://home.ybonline.co.uk/ralu/loginmgr/partialPassword.ctl
• https://home.ybonline.co.uk/ralu/loginmgr/partialPassword.ctl*
• https://ibank.barclays.co.uk/*
• https://ibank.barclays.co.uk/olb/*/LoginTFA.do
• https://ibank.barclays.co.uk/olb/*/NewPayee.do
• https://ibank.barclays.co.uk/olb/*/NewPaymentSuccess.do
• https://ibank.barclays.co.uk/olb/*/PayBill2.do
• https://ibank.barclays.co.uk/olb/*/PayBill3.do
• https://ibank.barclays.co.uk/olb/*/PayBill3a.do
• https://ibank.barclays.co.uk/olb/*/PersonalFinancialSummary.do?action=*
• https://ibank.barclays.co.uk/olb/*/SelectPaymentAccount.do
• https://ibank.barclays.co.uk/olb/*/SelectPaymentAccount.do?action=New+Payment||Pay+Someone
• https://ibank.barclays.co.uk/olb/*/Statement*
• https://ibank.cahoot.*/servlet/com.aquarius.security.authentication.servlet.LogonServlet*
• https://ibank.cahoot.com/*
• https://ibank.internationalbanking.barclays.com/logon*
• https://my.if.com/*
• https://my.if.com/PlanReviewAct/plan.asp*
• https://my.if.com/_mem_bin/formslogin.asp*
• https://myonlineaccounts*.abbeynational.co.uk/CentralLogonWeb/MyPersonalHomepage*
• https://myonlineaccounts3.abbeynational.co.uk/GPCC_ENS/BtoChannelDriver.ssobto*
• https://olb2.nationet.com*
• https://online-business.lloydstsb.co.uk/actionaccount.ibc*SelectAction=standingorder.ibc
• https://online-business.lloydstsb.co.uk/customer.ibc*
• https://online-business.lloydstsb.co.uk/logon.ibc
• https://online-business.lloydstsb.co.uk/miheld.ibc
• https://online-business.lloydstsb.co.uk/standingorder.ibc*
• https://online-offshore.lloydstsb.com/*
• https://online.islamic-bank.com/online/aspscripts/secret*.asp*
• https://online.lloydstsb.co.u*
• https://online.ybs.co.uk/public/authentication/login2.do*
• https://onlinebanking.firsttrustbank.co.uk/*
• https://secure.ingdirect.co.uk/INGDirect.html?command=displayClientAccountSummary*
• https://secure.ingdirect.co.uk/InitialINGDirect.html*
• https://secure.lloydstsb.co.uk/personal/*
• https://secure.lloydstsb.co.uk/personal/a/account_details/*
• https://secure.lloydstsb.co.uk/personal/a/account_overview/
• https://secure.lloydstsb.co.uk/personal/a/deletepayee/deletepayee.jsp
• https://secure.lloydstsb.co.uk/personal/a/logon/*ntermemorableinformation.jsp
• https://secure.lloydstsb.co.uk/personal/a/makepayment/confirmpayeedetails.jsp
• https://secure.lloydstsb.co.uk/personal/a/makepayment/payeesetupsuccessfully.jsp
• https://secure.lloydstsb.co.uk/personal/a/viewproductdetails/ViewProductDetails.jsp
• https://secure.lloydstsb.co.uk/personal/a/viewproductdetails/ViewProductDetails.jsp?pnlTabpane=1&al=
• https://secure.natweststockbrokers.co.uk/nws-secure2/*
• https://service.oneaccount.com/*/OSV2?event=login&pt=3
• https://service.oneaccount.com/onlineV2/*
• https://service.oneaccount.com/onlineV2/*viewPortal*
• https://uk.virginmoney.com/virgin/service/credit-card/*
• https://welcome10.co-operativebankonline.co.uk/*security?*
• https://welcome23.smile.co.uk/SmileWeb/*
• https://welcome23.smile.co.uk/SmileWeb/passcode.do
• https://welcome27.co-operativebank.co.uk/CBIBSWeb/*
• https://welcome27.co-operativebank.co.uk/CBIBSWeb/fundsTransferCreatePrepare.do*
• https://welcome27.co-operativebank.co.uk/CBIBSWeb/fundsTransferSummaryPrepare.do*
• https://welcome27.co-operativebank.co.uk/CBIBSWeb/loginSpi.do
• https://welcome27.co-operativebank.co.uk/CBIBSWeb/passcode.do
• https://www*.banking.first-direct.com/1/2/*
• https://www.365online.com/servlet/Dispatcher/*
• https://www.365online.com/servlet/Dispatcher/login.htm
• https://www.365online.com/servlet/Dispatcher/login2.htm
• https://www.365online.com/servlet/Dispatcher/validate.htm
• https://www.accessmycardonline.com/RBS_Consumer/*
• https://www.bankcardservices.co.uk/NASApp/NetAccessXX/*
• https://www.bankcardservices.co.uk/NASApp/NetAccessXX/AccountSnapshotScreen?acctID*
• https://www.bankline.coutts.com/CWSLogon/*
• https://www.bankline.coutts.com/CWSLogon/4P/CheckId.do
• https://www.bankline.coutts.com/CWSLogon/4P/CheckPPPP.do
• https://www.bankline.rbs.com/CWSLogon/4P/CheckId.do*
• https://www.bankline.rbs.com/CWSLogon/logon.do*
• https://www.barclayswealth.com/login/action/logon/unauthenticated/personal/loginDetailsNotStored
• https://www.barclayswealth.com/login/action/logon/unauthenticated/personal/loginSigning
• https://www.capitaloneonline.co.uk/*
• https://www.cardonebanking.com/auth*
• https://www.caterallenonline.co.uk/WebAccess.dll
• https://www.citibank.co.uk/*/portal/Index*
• https://www.citibank.co.uk/*/signon/uname/HomePage*
• https://www.edirectdebit.com/administration/client/logon.aspx
• https://www.gruposantander.es/*
• https://www.halifax-online.co.uk/CustomerAuthentication/HxProcessLogin.aspx
• https://www.halifax-online.co.uk/CustomerAuthentication/SecondLevelPhrase.aspx*
• https://www.hsbc.co.uk/1/2/!ut/p/kcxml/*
• https://www.hsbc.co.uk/1/2/*
• https://www.icicibank.co.uk/UKRET/BANKAWAY*
• https://www.moneybookers.com/app/my_account.pl
• https://www.mybusinessbank.co.uk/cs70_banking/*
• https://www.mybusinessbank.co.uk/cs70_banking/logon*
• https://www.mybusinessbank.co.uk/cs70_banking/logon/challenge/submit
• https://www.mybusinessbank.co.uk/cs70_banking/logon/logon/enrollPassword
• https://www.mybusinessbank.co.uk/cs70_banking/logon/logon/password
• https://www.mybusinessbank.co.uk/cs70_banking/logon/logon/pmPassword
• https://www.mybusinessbank.co.uk/cs70_banking/logon/sbuser/getPassword
• https://www.nochex.com/*
• https://www.nwolb.com/*
• https://www.nwolb.com/AccountSummary.aspx
• https://www.nwolb.com/OneOffPaymentsCreatePayee.asp*
• https://www.nwolb.com/OneOffPaymentsCreatePayment.aspx
• https://www.nwolb.com/OneOffPaymentsCreatePayment.aspx*superstar=1
• https://www.nwolb.com/OneOffPaymentsPayeeList.aspx
• https://www.nwolb.com/OneOffPaymentsPayeeList.aspx?start=1
• https://your.egg.com/customer/personaldetails/yourinformation.aspx
• https://your.egg.com/customer/yourmoney.aspx

It accesses the following site to download its configuration file:

• http://{BLOCKED}vanced-cfg1.com/san-paulu/uk.db
• http://{BLOCKED}vanced-cfg2.com/sahir/uk.db
• http://{BLOCKED}vanced-cfg3.com/spa/uk.db
• http://{BLOCKED}vanced-cfg4.com/suzuka/uk.db
• http://{BLOCKED}vanced-cfg5.com/stambul/uk.db

It attempts to steal information from the following banks and/or other financial institutions:

• Alliance & Leicester
• Bank of Ireland - 365 Online
• Barclays
• Cahoot
• Capital One
• Cater Allen
• Citibank
• Clydesdale
• Co-Operativebank
• Coutts Bankline
• Coventry Building Society
• Ebay
• Egg
• First Direct
• First Trust Bank
• HSBC
• Halifax
• ICICI Bank
• ING Direct
• Intelligent Finance
• Islamic Bank
• Lloyds
• Moneybookers
• NatWest Stockbrokers
• Nationwide
• Natwest
• Nochex
• Norwich and Peterborough Building Society
• OSPM
• RBS
• Santander
• Smile
• Tesco Bank
• Tuxedo Money Solutions
• Virgin Money
• Yorkshire
• eDirectDebit

Drop Points

Stolen information is uploaded to the following websites:

• http://{BLOCKED}.226.{BLOCKED}.24/~hosting/woops/ttf.php

Other Details

This Trojan does the following:

• Adds the following registry entries to disable Internet Explorer (IE):

  HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter
  Enabled = 0
  EnabledV8 = 0

• Steals the following information:
  • Personal certificates (MY)
  • FTP credentials for the following FTP applications:
    • FlashXP
    • Ghisler
    • IPSwitch
    • Filezilla
    • FTPFar
    • WinSCP
    • FTPCommander
    • CoreFTP
    • SmartFTP
  • Flash player data
  • Internet session cookies

Variant Information

This Trojan has the following MD5 hashes:

• d8f324072fd5f479e42d298284a7bb08
• de62f8894967531d68b95e0e3aa33609

It has the following SHA1 hashes:

• 0a82a7845f39733e0bdea76d860ab468366918ca
• 4dae6e74aa1a1c74c9f573cc545eecf95ac17119