TSPY_ZBOT.DEB

 PLATFORM:

Windows 2000, XP, Server 2003

  • Threat Type: Spyware

  • Destructiveness: No

  • In the wild: Yes

  OVERVIEW



It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It adds registry entries to enable its automatic execution at every system startup.
It attempts to steal sensitive online banking information, such as user names and passwords. This routine risks the exposure of the user's account information, which may then lead to the unauthorized use of the stolen data.

  TECHNICAL DETAILS

Arrival Details


It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.



Autostart Technique


It adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
{80E02944-D40A-D783-BC08-661FBD528CD5}=%Application Data%\{random1}\{random}.exe
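The Run value above is the most dependable host artifact this variant leaves: a value whose name is nothing but a braced GUID and whose data points at an .exe one folder below %Application Data% (the same path the Installation section lists for the dropped copy). The script below is an added example, not code from this page or from Trend Micro, that triages an exported HKCU Run key (regedit, File > Export, or `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg`) for that combination. The .reg text embedded in it is constructed for illustration: the user name, the folder names Yzqo and Kute, the file names, and the second GUID are all invented, and that second entry is included only to show the Vista+ location of %Application Data% (\AppData\Roaming), which this page's platform list does not cover but a hunt across a mixed fleet would.

```python
import re
from typing import Dict, List, Tuple

# Constructed .reg export of the HKCU Run key for illustration (not from a real host).
# The two GUID-named values mimic the autostart entry described above; user, folder and
# file names are invented. The last entry uses the Vista+ location of %Application Data%.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"{80E02944-D40A-D783-BC08-661FBD528CD5}"="C:\\Documents and Settings\\alice\\Application Data\\Yzqo\\ubce.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"{12345678-1234-1234-1234-123456789ABC}"="C:\\Users\\alice\\AppData\\Roaming\\Kute\\iwah.exe"
'''

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Value name that is nothing but a braced GUID, as in the entry this variant creates.
GUID_NAME = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# An .exe exactly one folder below %Application Data%: the 2000/XP/2003 location listed
# on this page, plus the Vista+ equivalent (\AppData\Roaming) for hunts across a mixed fleet.
APPDATA_EXE = re.compile(
    r"^[A-Za-z]:\\(?:Documents and Settings\\[^\\]+\\Application Data"
    r"|Users\\[^\\]+\\AppData\\Roaming)\\[^\\]+\\[^\\]+\.exe$",
    re.IGNORECASE,
)

# One "name"="data" line of a .reg export (REG_SZ only; hex:/dword: lines are skipped).
_REG_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_values(reg_text: str, key: str) -> Dict[str, str]:
    """Return {value_name: data} for the REG_SZ values under `key` in a .reg export."""
    values: Dict[str, str] = {}
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()
            continue
        if not in_key:
            continue
        m = _REG_VALUE.match(line)
        if m:
            values[_unescape(m.group(1))] = _unescape(m.group(2))
    return values


def executable_path(data: str) -> str:
    """Pull the executable out of Run data, which may be a quoted path followed by arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    # Unquoted data is left whole: splitting on spaces would break "Documents and Settings".
    return data


def triage_run_key(reg_text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (value_name, exe_path, reasons) for Run values showing either indicator.

    Both reasons together are the TSPY_ZBOT.DEB pattern. One alone is worth a look but
    legitimate software occasionally produces it, so the reasons are returned for the analyst.
    """
    hits: List[Tuple[str, str, List[str]]] = []
    for name, data in parse_reg_values(reg_text, RUN_KEY).items():
        path = executable_path(data)
        reasons = []
        if GUID_NAME.match(name):
            reasons.append("value name is a bare GUID")
        if APPDATA_EXE.match(path):
            reasons.append("runs an .exe from a subfolder of %Application Data%")
        if reasons:
            hits.append((name, path, reasons))
    return hits


if __name__ == "__main__":
    import sys

    text = SAMPLE_REG
    if len(sys.argv) > 1:
        # regedit writes "Version 5.00" exports as UTF-16LE with a BOM (REGEDIT4 files are ANSI).
        with open(sys.argv[1], encoding="utf-16") as fh:
            text = fh.read()
    for name, path, reasons in triage_run_key(text):
        print(f"{name} -> {path}\n    {'; '.join(reasons)}")
```

Run it with no arguments to see the two constructed hits, or pass an exported run.reg from a host under investigation. A hit's parent folder is the {random1} folder from the Installation section; its sibling under %Application Data% containing a .ucb file is {random2}, and both should be collected before the cleanup steps below delete them.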



Information Theft


It accesses the following site to download its configuration file:

  • http://{BLOCKED}oodd.in/browers.bin


It attempts to steal sensitive online banking information, such as user names and passwords. This routine risks the exposure of the user's account information, which may then lead to the unauthorized use of the stolen data.



Installation


It drops the following copies of itself into the affected system:

  • %Application Data%\{random1}\{random}.exe


It creates the following folders:

  • %Application Data%\{random1}

  • %Application Data%\{random2}


It injects itself into the following processes as part of its memory residency routine:

  • explorer.exe


It drops the following non-malicious files:

  • %Application Data%\{random2}\{random}.ucb



Other Details


It did not exhibit backdoor routines during testing.



Other System Modifications


It adds the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\{random}

  SOLUTION

Minimum Scan Engine:

8.900

VSAPI OPR PATTERN File:

07.478.01




Step 1
For Windows ME and XP users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2
Delete this registry value

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • {80E02944-D40A-D783-BC08-661FBD528CD5}=%Application Data%\{random1}\{random}.exe


Step 3
Delete this registry key. This step allows you to delete the registry key the malware/grayware/spyware added in the Windows registry.

  • In HKEY_CURRENT_USER\Software\Microsoft\
    • {random}

To delete registry keys this malware/grayware/spyware created:

  1. Open Registry Editor. To do this, click Start>Run, type regedit in the text box provided, then press Enter.
  2. In the left panel of the Registry Editor window, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft
  3. Still in the left panel, locate and delete the key:
    {random}
  4. Close Registry Editor.

Step 4
Search and delete these folders. This step allows you to search and delete folders created by this malware/grayware/spyware. Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden folders in the search result.
  • %Application Data%\{random1}
  • %Application Data%\{random2}

Because the folder names are random, searching for the placeholders literally will find nothing: {random1} is the folder named in the Run value deleted in Step 2, and {random2} is the other folder under %Application Data% that contains the {random}.ucb file.

  • To delete malware/grayware/spyware folders:

    1. Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
    2. In the Named input box, type:
      • %Application Data%\{random1}
    3. In the Look In drop-down list, select My Computer, then press Enter.
    4. Once located, select the folder then press SHIFT+DELETE to permanently delete the folder.
    5. Repeat steps 2 to 4 for the remaining folder:
      • %Application Data%\{random2}

Step 5
Scan your computer with your Trend Micro product to delete files detected as TSPY_ZBOT.DEB. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.