TSPY_ZBOT.ZL
Windows 2000, Windows XP, Windows Server 2003

Threat Type: Spyware
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Spyware is a program that monitors and gathers user information for different purposes. Spyware programs usually run in the background, with their activities transparent to most users. Many users inadvertently agree to install spyware by accepting the End User License Agreement (EULA) of certain free software.
Many users consider spyware an invasive form of data gathering. Spyware may also cause a general degradation in both network connection and system performance.
The state of California classifies spyware as: programs that are installed under deceptive circumstances; software that hides in personal computers; software that secretly monitors user activity; keylogging software; and software that collects Web browsing histories.
TECHNICAL DETAILS
File size: 88,064 bytes
Memory resident: Yes
Initial samples received date: 24 Nov 2008
Installation
This spyware drops the following copies of itself into the affected system:
- %System%\twext.exe
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
It drops the following file(s)/component(s):
- %System Root%\Documents and Settings\LocalService\Application Data\twain_32\user.ds
- %System%\twain_32\local.ds
- %System%\twain_32\user.ds
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
It creates the following folders:
- %System Root%\Documents and Settings\LocalService\Application Data\twain_32
- %System%\twain_32
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
Autostart Technique
This spyware modifies the following registry entry(ies) to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit = "%System%\userinit.exe,%System%\twext.exe,"
(Note: The default value data of the said registry entry is "%System%\userinit.exe," including the trailing comma; the spyware appends its own copy after it so that Winlogon launches both.)
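A host check for the persistence entry and dropped paths described above, written as an added example (it is neither Trend Micro's code nor part of the spyware): it reports any Userinit program beyond the stock userinit.exe and any of the listed files or folders that exist. The live branch assumes the standard SystemRoot and SystemDrive environment variables on Windows; elsewhere it runs against a constructed sample.

```python
"""Offline-capable audit for the TSPY_ZBOT.ZL indicators listed in this write-up."""
import os
import sys

# Stock value data of Winlogon\Userinit as the write-up notes it (trailing comma included).
DEFAULT_USERINIT = r"%System%\userinit.exe,"

# Dropped file and folder indicators from the write-up; placeholders are expanded below.
PATH_INDICATORS = [
    r"%System%\twext.exe",
    r"%System%\twain_32",
    r"%System Root%\Documents and Settings\LocalService\Application Data\twain_32",
]

def expand(path, system_dir, system_root):
    """Replace the %System% and %System Root% placeholders with concrete directories."""
    root = system_root.rstrip("\\")  # "C:\" -> "C:" so the join keeps a single backslash
    return path.replace("%System Root%", root).replace("%System%", system_dir)

def userinit_entries(value):
    """Split the comma-separated Userinit value into its non-empty program paths."""
    return [e.strip() for e in value.split(",") if e.strip()]

def extra_userinit_entries(value, system_dir):
    """Return every Userinit program other than the stock userinit.exe.
    This sample appends its twext.exe copy here, so any extra entry is the alert."""
    expected = {e.lower() for e in userinit_entries(expand(DEFAULT_USERINIT, system_dir, ""))}
    return [e for e in userinit_entries(value) if e.lower() not in expected]

def present_indicators(system_dir, system_root, exists=os.path.exists):
    """Return the dropped paths that exist; `exists` is injectable for offline runs."""
    return [p for p in (expand(i, system_dir, system_root) for i in PATH_INDICATORS) if exists(p)]

def audit(userinit_value, system_dir, system_root, exists=os.path.exists):
    return {"userinit_extra": extra_userinit_entries(userinit_value, system_dir),
            "paths_present": present_indicators(system_dir, system_root, exists)}

if __name__ == "__main__":
    if sys.platform == "win32":
        import winreg
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                             r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")
        value, _ = winreg.QueryValueEx(key, "Userinit")
        system_dir = os.path.join(os.environ["SystemRoot"], "System32")
        print(audit(value, system_dir, os.environ["SystemDrive"] + "\\"))
    else:
        # Constructed sample reproducing the infected value shown in the write-up.
        sample = r"C:\Windows\System32\userinit.exe,C:\Windows\System32\twext.exe,"
        print(audit(sample, r"C:\Windows\System32", "C:\\", exists=lambda p: p.endswith("twext.exe")))
```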
Other System Modifications
This spyware also creates the following registry entry(ies) as part of its installation routine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network
UID = "{Computer Name}_{Random ID}"
HKEY_USERS\.DEFAULT\Software\Microsoft
Protected Storage System Provider =
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer
{19127AD2-394B-70F5-C650-B97867BAA1F7} =
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer
{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} =
Download Routine
This spyware connects to the following URL(s) to download its configuration file:
- http://{BLOCKED}oous.ru/pavel/conf.bin