arrow_back
search
close

TSPY_ZBOT.ACL

January 04, 2009
 PLATFORM:

Windows 98, ME, NT, 2000, XP, Server 2003

 OVERALL RISK RATING:
 REPORTED INFECTION:
 SYSTEM IMPACT RATING:
 INFORMATION EXPOSURE:

  • Threat Type: Spyware

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Trend Micro has flagged this {malware/spyware type} as noteworthy due to the increased potential for damage, propagation, or both, that it possesses. Specifically, {insert explanation for NW).



To get a one-glance comprehensive view of the behavior of this Spyware, refer to the Threat Diagram shown below.



This Spyware creates folders where it drops its files.



It modifies registry entries to enable its automatic execution at every system startup.



It logs a user's keystrokes to steal information.



It checks for the presence of the following processes which are related to Outpost Personal Firewall and ZoneLabs Firewall Client. It terminates if either of the said processes exist. This is to ensure that it runs uninterrupted.



  TECHNICAL DETAILS

File Size:

474112 bytes

Memory Resident:

Yes

Initial Samples Received Date:

17 Dec 2009


Arrival Details


This Spyware may be downloaded from the following remote sites:

  • http://{BLOCKED}-klasa.cn/zsadmin/loader.exe



Installation


This Spyware adds the following mutexes to ensure that only one of its copies runs at any one time:

  • __SYSTEM__91C38905__


It drops the following files:

  • %System%\wsnpoem\audio.dll
  • %System%\wsnpoem\video.dll

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)


It drops the following copies of itself into the affected system:

  • %System%\NTOS.EXE

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)




Autostart Technique


This Spyware modifies the following registry entries to ensure it automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Userinit = %System%\Userinit.exe,%System%\ntos.exe,

(Note: The default value data of the said registry entry is %System%\Userinit.exe,.)



Other System Modifications


This Spyware adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Network
UID = {Computer name}_{Random numbers}



Download Routine


This Spyware connects to the following URL(s) to download its configuration file:

  • http://{BLOCKED}ame.cn/zzz1/poxcfg.bin



Information Theft


This Spyware


It accesses the following site to download its configuration file:


    Note that the contents of the file, hence the list of Web sites to monitor, may change any time.


    It logs a user's keystrokes to steal information.



    Stolen Information


    This Spyware

    • %System%\wsnpoem\audio.dll

    (Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)



    Drop Points


    This Spyware

    • http://{BLOCKED}-klasa.cn/zsadmin/snd.php


    Other Details


    This Spyware checks for the presence of the following processes, which are related to Outpost Personal Firewall and ZoneLabs Firewall Client:

    • outpost.exe
    • zlclient.exe


    It did not exhibit backdoor routines during testing.



    Variant Information


    This Spyware has the following MD5 hashes:

    • b9174fd26bc6fe3453c3a00b3ba11a99


    It has the following SHA1 hashes:

    • df104a090649f88dde597521e77ace400390758b


      SOLUTION

    Minimum Scan Engine:

    8.900

    VSAPI OPR PATTERN File:

    5.755.00


    Step 1


    For Windows ME and XP users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.


    Step 2


    Restart in Safe Mode

    [ Learn More ]


    Step 3


    Restore this modified registry value

    [ Learn More ]

    Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer"s registry.

    • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
      • From: Userinit = %System%\Userinit.exe,%System%\ntos.exe,
        To: Userinit = %System%\Userinit.exe,


    Step 4


    Delete this registry value

    [ Learn More ]

    Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer"s registry.

    • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network
      • UID = {Computer name}_{Random numbers}


    Step 5


    Scan your computer with your Trend Micro product to delete files detected as
    TSPY_ZBOT.ACL

    *Note: If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


    Did this description help? Tell us how we did.