TSPY_ZBOT.EZQA

This spyware attempts to steal information, such as user names and passwords, used when logging into certain banking or finance-related websites.

Arrival Details

This spyware may be downloaded from the following remote sites:

• http://{BLOCKED}desh.com/newz/teasty.exe

Installation

This spyware adds the following folders:

• %Application Data%\{random1}
• %Application Data%\{random2}

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

It injects itself into the following processes running in the affected system's memory:

• explorer.exe
• taskhost.exe
• taskeng.exe
• Dwm.exe
• wscntfy.exe
• ctfmon.exe
• rdpclip.exe

Autostart Technique

This spyware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{GUID of mount point of %Windows%} = %Application Data%\{random1}\{random}.exe

It drops the following files:

• %Application Data%\{random1}\{random}.exe - copy of itself
• %Application Data%\{random2}\{random} - contains encrypted stolen data

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

Other System Modifications

This spyware creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%WINDOWS%\\EXPLORER.EXE = %WINDOWS%\EXPLORER.EXE:*:Enabled:Windows Explorer

Information Theft

This spyware monitors the Internet Explorer (IE) activities of the affected system, specifically the address bar. It recreates a legitimate website with a spoofed login page if a user visits banking sites with the following strings in the address bar and/or title bar:

• *banking.bankofscotland.co.uk/Logon/Logon.aspx*
• *https://banking.postbank.de/app/finanzstatus.init.do;jsessionid*
• *postbank.de*
• *schwab.com/*
• http*.53.com*
• http*.53.com*RSAScript.js*
• http*.webcashmanager.com*Login*
• http*.webcashmgmt.com*Login*
• http*/phcp/econnection/login/js/login.htm*
• http*/phcp/servlet*Login*
• http*/wcmfd/*Login*
• http*/wcmfd/js/LoginCSS.js*
• http*://*hsbc.co.uk*
• http*://www.hsbc.co.uk/1/2*
• http*bolb.associatedbank.com*
• http*bolb.associatedbank.com/js/jquery.js*
• http*business-eb.ibanking-services.com*general.js*
• http*business-eb.ibanking-services.com/K1/*login*jsp*
• http*ebanking-services.com/*
• http*ebanking-services.com/AUTH/WebResource.axd*
• http*scripts/injScp.js*
• http*sso.uboc.com/js/ub-common.js*
• http*sso.uboc.com/obc/forms/login.fcc*
• http*treasury.pncbank.com/portal/esec/login.ht*
• http*treasury.pncbank.com/portal/service/js/loginproc.js*
• http*www.northerntrust.com/*
• http*www.northerntrust.com/incs/scripts.js
• http*www3683.ntrs.com*
• http://eigach.ru/script.js
• https*/pub/html/login.html*
• https://*.web-access.com*welcome.cgi*
• https://*/cmserver*verify.cfm*
• https://*/onlineserv/CM/*
• https://*/onlineserv/CM/std/js/en/disofactor.js*
• https://*Cashman*
• https://*blilk.com/Core/Authentication/MFA*.aspx*
• https://*blilk.com/include/Utils.js*
• https://*cashman*
• https://*cmserver/include/ui/uiScripts.js*
• https://*login_ui_includes/login_brandScripts.js*
• https://authmaster.nationalcity.com/tmgmt/js/bharosa_uio.js*
• https://authmaster.nationalcity.com/tmgmt/wslogin.jsp*
• https://businessonline.huntington.com/BOLHome/BusinessOnlineLogin.aspx*
• https://businessonline.huntington.com/common/scripts/common.js*
• https://businessonline.tdbank.com/CorporateBankingWeb/VAM/2_0_2/VAM.js*
• https://businessonline.tdbank.com/corporatebankingweb/core/login.aspx*
• https://cashmgt.firsttennessee.biz/cb/servlet/cb/login.jsp*
• https://cbs.firstcitizens.com/cb/jsp-ns/inc/auth/fp.js*
• https://cbs.firstcitizens.com/cb/servlet/cb/loginfcbnc.jsp*
• https://commercial.wachovia.com/Online/Financial/Business/Service?action=Login*
• https://commercial.wachovia.com/Online/Registration/jsinclude/bidata.js
• https://direct.bankofamerica.com/BofaDirect/javascript/js.util.uiutils.js*
• https://direct.bankofamerica.com/Core/servlet/BofaDirect.BankofAmericaDirect.BankofAmericaDirectServlet?page=PgLogin*
• https://ecash.*
• https://internetbanking.firsttennessee.biz/webcm/customer1.asp*
• https://olb.gnty.com/Login/Username.aspx*
• https://premierview.membersunited.org/Core/login.aspx*
• https://premierview.membersunited.org/WebResource.axd*
• https://securentrycorp.*/Authentication/lib.js*
• https://securentrycorp.*/Authentication/zbf/k/*
• https://singlepoint.usbank.com/cs70_banking/logon/sbuser*
• https://singlepoint.usbank.com/cs70_banking/user/script/login.js*
• https://treas-mgt.frostbank.com/rdp/cgi-bin/welcome.cgi*
• https://www.commercial.hsbc.com.hk/1/2/!ut/p/kcxml/*
• https://www.commercial.hsbc.com.hk/1/themes/html/b2gjs/WT_top_section.js*
• https://www.corporatebanking.firsttennessee.com/cb/servlet/cb/jsp-ns/login.jsp*
• https://www.halifax-online.co.uk/MyAccounts/*
• https://www.halifax-online.co.uk/MyAccounts/MyAccounts.aspx*
• https://www.halifax-online.co.uk/_mem_bin/formslogin.asp
• https://www.nationalcity.com/consultnc/*
• https://www.nationalcity.com/sharedApp/js/isEmpty.js*
• https://www.us.hsbc.com/1/2/3/business/online/business-internet-banking/log-on*
• https://www.us.hsbc.com/1/themes/html/hbus_common/HSBC-top_section.js*
• https://www3683.ntrs.com/ptl/ptl/javascript/NavigationMenuScripts.js*
• https://www8.comerica.com/*
• https://www8.comerica.com/images/sdc.js

It accesses the following site to download its configuration file:

• http://{BLOCKED}adnyiglaz.com/wetu.img
• http://{BLOCKED}aothuia.com/weyu.img
• http://{BLOCKED}zhope.com/wey.img
• http://{BLOCKED}emm.com/wey.img
• http://{BLOCKED}mburr.com/wey.img

It attempts to steal information from the following banks and/or other financial institutions:

• ANZ
• Bank of America
• Fifth Third
• HSBC
• Halifax
• National City
• PNC
• US Bank
• Union Bank of California
• Wachovia

Drop Points

Stolen information is uploaded to the following websites:

• http://{BLOCKED}desh.com/newz/vnaevb8a3v4.php

Other Details

This spyware does the following:

• It adds the following registry key as part of its installation routine:
  

  HKEY_CURRENT_USER\Software\Microsoft\{random}

• It adds the following registry entries to disable IE PhishingFilter:

  HKEY_CURRENT_USER\Software\Microsof\Internet Explorer\PhishingFilter Enabled =0
  HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\PhishingFilter EnabledV8 =0

• It is also capable of stealing the following information:
  
  • Personal Certificates (MY)
  • FTP credentials for the following FTP applications:
  • flashxp
  • ghisler
  • ipswitch
  • filezilla
  • ftpfar
  • winscp
  • ftpcommander
  • coreftp
  • smartftp
  • Flashplayer data
  • Internet session cookies

Variant Information

This spyware has the following MD5 hashes:

• 8c1856658ddfbac66f9c81aeaafa4533

It has the following SHA1 hashes:

• 2b009f600ff0705f1e8f78360599e82ccf011f1e