TSPY_ZBOT.ZL


 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

  • Threat Type: Spyware

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Spyware is a program that monitors and gathers user information for various purposes. Spyware usually runs in the background, with its activity invisible to most users. Many users inadvertently agree to install spyware by accepting the End User License Agreement (EULA) of certain free software.

Many users consider spyware an invasive form of data gathering. Spyware may also cause a general degradation in both network connection and system performance.

The state of California classifies spyware as: programs that are installed under deceptive circumstances; software that hides in personal computers; software that secretly monitors user activity; keylogging software; and software that collects Web browsing histories.

  TECHNICAL DETAILS

File Size:

88,064 bytes

Memory Resident:

Yes

Initial Samples Received Date:

24 Nov 2008

Installation

This spyware drops the following copies of itself into the affected system:

  • %System%\twext.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It drops the following file(s)/component(s):

  • %System Root%\Documents and Settings\LocalService\Application Data\twain_32\user.ds
  • %System%\twain_32\local.ds
  • %System%\twain_32\user.ds

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It creates the following folders:

  • %System Root%\Documents and Settings\LocalService\Application Data\twain_32
  • %System%\twain_32

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Autostart Technique

This spyware modifies the following registry entry(ies) to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Userinit = "%System%\userinit.exe,%System%\twext.exe,"

(Note: The default data of this registry value is "%System%\userinit.exe," including the trailing comma. Winlogon launches every comma-separated entry in the Userinit value at interactive logon, so appending twext.exe makes the spyware start each time a user logs on, without touching the usual Run keys.)

Other System Modifications

This spyware also creates the following registry entry(ies) as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Network
UID = "{Computer Name}_{Random ID}"

HKEY_USERS\.DEFAULT\Software\
Microsoft
Protected Storage System Provider =

HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Explorer
{19127AD2-394B-70F5-C650-B97867BAA1F7} =

HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Explorer
{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} =
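The file, Userinit and Network\UID indicators from the Installation, Autostart Technique and Other System Modifications sections above can be turned into a small triage script. The following is an added example, not Trend Micro's code: it works on strings and path lists handed to it, so it runs offline on any platform; on a live Windows host you would feed it the real Winlogon\Userinit data (read with winreg or reg.exe) and a file listing. The indicator lists are transcribed from this page; the function names, the default XP/Server 2003 folder locations and the sample input are assumptions for illustration.

```python
import ntpath

# Default Userinit data per the page (note the trailing comma).
DEFAULT_USERINIT = r"%System%\userinit.exe,"

# Files the page says the sample drops, placeholders kept as written.
DROPPED_PATHS = [
    r"%System%\twext.exe",
    r"%System%\twain_32\local.ds",
    r"%System%\twain_32\user.ds",
    r"%System Root%\Documents and Settings\LocalService\Application Data\twain_32\user.ds",
]


def expand(path, system_root="C:", system_dir=r"C:\WINDOWS\system32"):
    """Expand the page's %System Root% and %System% placeholders.
    Defaults are the XP / Server 2003 locations given in the notes."""
    return path.replace("%System Root%", system_root).replace("%System%", system_dir)


def normpath(path):
    """Case-fold and collapse separators so paths compare reliably."""
    return ntpath.normcase(ntpath.normpath(path))


def userinit_extras(value, system_dir=r"C:\WINDOWS\system32"):
    """Return the entries of a Winlogon\\Userinit value other than the
    legitimate userinit.exe. Winlogon runs every comma-separated entry,
    so anything beyond the default deserves a look. Empty list = clean."""
    expected = {
        normpath(expand(DEFAULT_USERINIT, system_dir=system_dir).rstrip(",")),
        "userinit.exe",  # bare name, also seen on clean hosts
    }
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if normpath(e) not in expected]


def dropped_path_hits(observed_paths, system_root="C:", system_dir=r"C:\WINDOWS\system32"):
    """Return the observed file paths that match the page's dropped files."""
    iocs = {normpath(expand(p, system_root, system_dir)) for p in DROPPED_PATHS}
    return [p for p in observed_paths if normpath(p) in iocs]


def uid_matches(uid_value, computer_name):
    """The page gives the Network\\UID data as {Computer Name}_{Random ID};
    the random part's format is not documented, so only the shape is checked."""
    prefix = computer_name + "_"
    return uid_value.upper().startswith(prefix.upper()) and len(uid_value) > len(prefix)


def triage(userinit_value, observed_paths, uid_value, computer_name):
    """Combine the checks into one findings dict a responder can act on."""
    return {
        "userinit_extras": userinit_extras(userinit_value),
        "dropped_files": dropped_path_hits(observed_paths),
        "network_uid_suspicious": uid_value is not None and uid_matches(uid_value, computer_name),
    }


# Constructed sample input (not real telemetry): the page's Userinit data
# with %System% expanded, plus a short file listing from a triage image.
SAMPLE_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,"
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\userinit.exe",
    r"C:\WINDOWS\system32\TWEXT.EXE",
    r"C:\WINDOWS\system32\twain_32.dll",  # legitimate TWAIN library, not an IOC
    r"C:\WINDOWS\system32\twain_32\user.ds",
    r"C:\Documents and Settings\LocalService\Application Data\twain_32\user.ds",
]
SAMPLE_UID = "WORKSTATION1_7F3A2B"  # constructed; the real random ID format is unknown

if __name__ == "__main__":
    for key, finding in triage(SAMPLE_USERINIT, SAMPLE_PATHS, SAMPLE_UID, "WORKSTATION1").items():
        print(f"{key}: {finding}")
```

The path comparison is deliberately case-insensitive and folder-based: System32 legitimately contains twain_32.dll on XP, so the indicator is the twain_32 folder and the .ds files inside it, not the TWAIN name itself. A bare "userinit.exe," is accepted as clean because some hosts store the value that way; any other entry is reported rather than silently ignored.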

Download Routine

This spyware connects to the following URL(s) to download its configuration file:

  • http://{BLOCKED}oous.ru/pavel/conf.bin