Analysis by: Jaime Benigno Reyes
ALIASES:

PWS:Win32/Zbot.gen!Y (Microsoft), PWS-Zbot.gen.ary (McAfee)

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 REPORTED INFECTION:
 SYSTEM IMPACT RATING:
 INFORMATION EXPOSURE:

  • Threat Type: Spyware

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes then deletes itself afterward.

It modifies the Internet Explorer Zone Settings.

  TECHNICAL DETAILS

Tamaño del archivo 297,472 bytes
Tipo de archivo EXE
Residente en memoria Yes
Fecha de recepción de las muestras iniciales 22 Mar 2013

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This spyware drops the following files:

  • %Application Data%\{random folder 2}\{random file name 2}.{random extension name}
  • %Application Data%\{random folder 3}\{random file name 3}.{random extension name}

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

It drops the following copies of itself into the affected system:

  • %Application Data%\{random folder 1}\{random file name 1}.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

It creates the following folders:

  • %Application Data%\{random folder 1}
  • %Application Data%\{random folder 2}
  • %Application Data%\{random folder 3}

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

It executes then deletes itself afterward.

Autostart Technique

This spyware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random} = "%Application Data%\{random folder 1}\{random file name 1}.exe"

Other System Modifications

This spyware adds the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\
{random key}

Web Browser Home Page and Search Page Modification

This spyware modifies the Internet Explorer Zone Settings.

Other Details

This spyware connects to the following possibly malicious URL:

  • {BLOCKED}a.ru
  • {BLOCKED}att.ru
  • {BLOCKED}tupa.com
  • {BLOCKED}ock.ru
  • {BLOCKED}m.{BLOCKED}o.am
  • {BLOCKED}n.ru
  • {BLOCKED}akt2.ru
  • { BLOCKED}m.ru
  • {BLOCKED}imus.ru
  • {BLOCKED}n.org
  • {BLOCKED}.{BLOCKED}ka.ru
  • {BLOCKED}kirovatdostup.ru
  • http://{random}.com/{random}/{random}.php
  • http://{BLOCKED}b.{BLOCKED}up.com/web/newsfeeds.php