TSPY_ZBOT.AXW

Type: Spyware

In the wild: No

Destructive: No

Language: English

Systems affected: Windows NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Low

Reported detections:

Low

System impact:

High

Information exposure:

Low
 

Description:

This spyware arrives as a file downloaded from a specific Web site.

When run, it drops several files, including a copy of itself, onto the affected system. It also appends garbage code to the dropped copy to avoid easy detection. It makes several changes to the Windows registry, one of which allows this spyware to run at every system startup.

It attempts to download a configuration file that tells the spyware where it can download an updated copy of itself and where to send its stolen data. The configuration file also contains a list of targeted Web sites to monitor, from which it steals information.

The stolen information is saved in a file on the affected system before being sent to a specific server via HTTP POST.



TECHNICAL DETAILS



Initial samples received on: Feb 26, 2009

File type: PE

Memory resident: Yes

File size: 395,776 bytes

Payload 1: Connects to a URL

Details:

Infection Points

This spyware arrives as a file downloaded from the following URLs:

  • http://{BLOCKED}9.cn/spartak/out/ldr.exe
  • https://{BLOCKED}.abuse.ch/file.exe

Installation and Autostart Technique

Upon execution, this spyware drops a copy of itself in the system folder as TWEXT.EXE and appends garbage code to the dropped copy to avoid easy detection. It also creates the following folders:

  • %System%\twain_32
  • %System%\lowsec

(Note: %System% is the Windows system folder, which is usually C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

The attributes of the created folders are set to System and Hidden to prevent users from discovering and removing its components. It then creates the following non-malicious files:

  • %System%\twain_32\local.ds - copy of the encrypted downloaded file
  • %System%\twain_32\user.ds - used to save the gathered information
  • %System%\lowsec\user.ds - used to save the gathered information
  • %System%\lowsec\local.ds - copy of the encrypted downloaded file

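The garbage appended to the dropped copy changes the file's size and hash on every infected machine. As an added example (not Trend Micro's code), the Python below measures a PE file's overlay, the bytes past the last section, and hashes the file with that overlay stripped; it assumes the appended garbage sits after the last section, and the PE it parses is constructed in memory rather than taken from the real sample.

```python
"""
Overlay measurement for a dropped PE file (added example, not Trend Micro code).

Assumption: the appended "garbage code" lands past the last section as an overlay,
so the overlay length varies per machine while the mapped image stays the same.
"""
import hashlib
import struct

COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40


def end_of_sections(data):
    """Return the file offset just past the last section's raw data."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20 (from the signature).
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 4 + COFF_HEADER_SIZE + opt_size
    end = table + num_sections * SECTION_HEADER_SIZE  # headers are part of the image
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        # Section header: SizeOfRawData at +16, PointerToRawData at +20.
        size_raw, ptr_raw = struct.unpack_from("<II", data, off + 16)
        end = max(end, ptr_raw + size_raw)
    return end


def overlay(data):
    """Bytes after the last section; non-empty means something was appended."""
    return data[end_of_sections(data):]


def image_hash(data):
    """SHA-1 of the file with the overlay stripped; stable across per-machine garbage."""
    return hashlib.sha1(data[:end_of_sections(data)]).hexdigest()


def build_sample_pe(overlay_bytes=b""):
    """Construct a minimal single-section PE32 image (a toy, not a real executable)."""
    opt_size = 224  # PE32 optional header size; contents zeroed in this toy image
    e_lfanew = 0x40
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    raw_ptr, raw_size = 0x200, 0x200
    section = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", raw_size, 0x1000,
                          raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + section
    image = headers.ljust(raw_ptr, b"\0") + b"\x90" * raw_size
    return image + overlay_bytes


if __name__ == "__main__":
    # Two "drops" of the same image with different appended garbage (constructed).
    drop_a = build_sample_pe(b"A" * 10)
    drop_b = build_sample_pe(b"B" * 999)
    print("overlay sizes:", len(overlay(drop_a)), len(overlay(drop_b)))
    print("same image hash:", image_hash(drop_a) == image_hash(drop_b))
```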
It modifies the following registry entry to enable its automatic execution at system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Winlogon
Userinit = "%System%\Userinit.exe,%System%\twext.exe,"

(Note: The default value data of the said registry entry is %System%\Userinit.exe,.)
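As an added example (not Trend Micro's code), the Python below audits a Winlogon Userinit value for launch entries beyond the default one and rebuilds the cleaned value; the sample values are constructed, and the registry-read helper, which only works on Windows, is an assumed convenience.

```python
"""
Userinit persistence audit (added example, not Trend Micro code).

The Userinit value is a comma-separated list of programs Winlogon launches at logon.
Anything beyond the default entry is an indicator worth investigating.
"""

# Default value data of the Userinit entry, as given in the write-up.
DEFAULT_USERINIT = r"%System%\Userinit.exe,"
# Expanded system-folder forms the check maps back to %System% (assumed list).
SYSTEM_FOLDERS = (r"C:\WINNT\System32", r"C:\Windows\System32")

# Constructed sample values: the infected form from the write-up and two clean forms.
SAMPLES = {
    "infected": r"%System%\Userinit.exe,%System%\twext.exe,",
    "clean_expanded": r"C:\Windows\System32\userinit.exe,",
    "clean_template": r"%System%\Userinit.exe,",
}


def split_userinit(value):
    """Split the comma-separated value into non-empty, stripped entries."""
    return [part.strip() for part in value.split(",") if part.strip()]


def normalize(entry):
    """Map a known system-folder prefix to %System% and lowercase for comparison."""
    e = entry.strip().strip('"')
    for folder in SYSTEM_FOLDERS:
        if e.lower().startswith(folder.lower()):
            e = "%System%" + e[len(folder):]
            break
    return e.lower()


def audit_userinit(value):
    """Return the entries, the extra (non-default) entries and whether the default is gone."""
    expected = {normalize(e) for e in split_userinit(DEFAULT_USERINIT)}
    entries = split_userinit(value)
    extra = [e for e in entries if normalize(e) not in expected]
    default_missing = not any(normalize(e) in expected for e in entries)
    return {"entries": entries, "extra": extra, "default_missing": default_missing}


def cleaned_userinit(value):
    """Rebuild the value without the extra entries, restoring the trailing comma."""
    extra = set(audit_userinit(value)["extra"])
    kept = [e for e in split_userinit(value) if e not in extra]
    if not kept:
        kept = split_userinit(DEFAULT_USERINIT)
    return ",".join(kept) + ","


def read_userinit_from_registry():
    """Read the live value on Windows (winreg is Windows-only; assumed usage)."""
    import winreg
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")
    try:
        return winreg.QueryValueEx(key, "Userinit")[0]
    finally:
        winreg.CloseKey(key)


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        result = audit_userinit(value)
        print(name, "extra entries:", result["extra"], "->", cleaned_userinit(value))
```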

It also creates the following registry keys/entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Network
UID = "{Computer name}_{Random numbers}"

HKEY_USERS\.DEFAULT\Software\Microsoft\Protected Storage System Provider

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\
Explorer\{00000000-DCFF-DD00-F399-837C709A807C}

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\
Explorer\{0060FD7F-DCFF-DD00-F399-837C709A807C}

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\
Explorer\{9C030000-DCFF-DD00-F399-837C709A807C}

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\
Explorer\{A4030000-DCFF-DD00-F399-837C709A807C}

It injects itself into the legitimate WINLOGON.EXE and SVCHOST.EXE processes as part of its memory residency routine.

Information Theft Routine

This spyware attempts to access the following Web sites to download a file:

  • http://{BLOCKED}9.cn/spartak/out/cfg.bin
  • http://www.bestplace.in/images/new.jpg

The said file tells the spyware where it can download an updated copy of itself and where to send its stolen data. The configuration file also contains a list of targeted Web sites to monitor, mostly online banking login and transaction pages, from which it steals information; the institutions behind these sites are summarized under Attacked Entities below.


Once users access any of the monitored sites, this malware starts logging keystrokes.

Attacked Entities

This spyware attempts to retrieve information from the following list of institutions:

  • AIB
  • Alliance & Leicester
  • Allied Direct
  • ANZ
  • Axa Banque
  • Bancaja
  • Banco Popular
  • Banesto
  • Banif
  • Bank of America
  • Banque Accord
  • Banque Populaire
  • Barclays
  • BNP Paribas
  • Caixa Girona
  • Caixa Tarragona
  • Caja Canarias
  • Caja de Avila
  • Caja Laboral
  • Caja Madrid
  • Caja Murcia
  • Caja Vital
  • Cajarioja
  • Cajasol
  • Cedacri
  • Chase
  • Citibank
  • Citizens
  • Clavenet
  • Clydesdale
  • Co-Operativebank
  • Comdirect
  • Credem
  • DAB
  • Digital Federal Credit Union
  • Dresdner
  • Dubai Islamic Internet Banking
  • Ebay
  • Fibanc Mediolanum
  • Fiducia
  • Fifth Third
  • First Direct
  • GAD
  • Halifax
  • HSBC
  • IBB - WEB
  • ING Direct
  • IS Bank
  • Le Crédit Lyonnais Particuliers
  • Lloyds
  • McAfee
  • Microsoft
  • Myspace
  • National City
  • Nationwide
  • Natwest
  • Neteller
  • Openbank
  • PayPal
  • Raiffeisen
  • RBS
  • Santander
  • Smile
  • Société Générale
  • Suntrust
  • TD Canada Trust
  • UBL
  • Unicaja
  • Uno-E
  • US Bank
  • Volksbanken Raiffeisenbanken
  • Wachovia
  • Washington Mutual
  • Wells Fargo
  • Westpac
  • Yorkshire

Stolen Information

This spyware attempts to steal sensitive online banking information, such as usernames and passwords. This routine risks the exposure of the user's account information, which may then lead to the unauthorized use of the stolen data.

Drop Points

The stolen information is saved in the file %System%\twain_32\user.ds. The said file is then sent via HTTP POST to the servers http://{BLOCKED}9.cn/spartak/web/s.php and http://www.bestplace.in/lib/gate.php.

Download Routine

This spyware accesses the following site to download its configuration file:

  • http://{BLOCKED}9.cn/spartak/out/cfg.bin
  • http://www.bestplace.in/images/new.jpg

Backdoor Channel

During testing, this spyware did not exhibit backdoor routines.

Other Details

This spyware creates the following mutex to ensure that only one instance of itself is running in memory:

  • __SYSTEM__64AD0625__

Variant Information

This spyware has the following SHA1 hashes:

  • 17cf066ff850ec91ba350a3f58b5894e3d3e3a2e
  • 003f7b8dcc48d94c4544b98400a2d2a13e143ecb

It has the following MD5 hashes:

  • 874cc49776a9e4acd6bdf5d1f51e05ed
  • 30ccab5d63ead0b9721bb5dc153acc80

Affected Platforms

This spyware runs on Windows NT, 2000, XP, and Server 2003.


Analysis by:  Jasper Manuel



SOLUTION


Minimum scan engine version needed: 8.700

Download the latest scan engine

Virus pattern version needed : 5.969.00

Pattern release date:  Apr 15, 2009


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Identifying the Spyware Files

  1. Scan your computer with your Trend Micro antivirus product.
  2. Note the path and file name of all files detected as TSPY_ZBOT.AXW.

Trend Micro customers need to download the latest virus pattern file before scanning their computer. Other users can use Housecall, the Trend Micro online threat scanner.

Important Windows XP Cleaning Instructions

Users running Windows XP must disable System Restore to allow full scanning of infected computers.

Users running other Windows versions can proceed with the succeeding solution set(s).

Deleting Spyware Files using Recovery Console

This procedure allows the computer to restart by using the Windows installation CD.

  1. Insert your Windows installation CD in your CD-ROM drive.
  2. Press the restart button of your computer.
  3. When prompted, press any key to boot from the CD.
  4. When prompted on the Main Menu, type r to enter the recovery console.
    (Note: On Windows 2000, after pressing r, type c to choose the Recovery Console in the repair options screen.)
  5. When prompted, type your administrator password to log on.
  6. Once logged in, type the drive that contains Windows in the command prompt that appears, then press Enter.
  7. Type the drive that contains Windows, then press Enter.
  8. Type the following, then press Enter:
    del {Spyware path and file name}
  9. Repeat the above procedure for all files detected earlier.
  10. Type exit to restart the system.

Removing Autostart Entry from the Registry

This solution deletes/modifies registry keys/entries added/modified by this spyware. Before performing the steps below, make sure you know how to back up the registry and how to restore it if a problem occurs. Refer to this Microsoft article for more information about modifying your computer's registry.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows NT>
    CurrentVersion>Winlogon
  3. In the right panel, locate the entry:
    Userinit = "%System%\Userinit.exe,%System%\twext.exe,"
    (Note: %System% is the Windows system folder, which is usually C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
  4. Right-click on the value name and choose Modify. Change the value data of this entry to:
    %System%\userinit.exe,

Removing Other Spyware Entries from the Registry

  1. Still in Registry Editor, in the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>
    CurrentVersion>Network
  2. In the right panel, locate and delete the entry:
    UID = "{Computer name}_{Random numbers}"
  3. In the left panel, double-click the following:
    HKEY_USERS>.DEFAULT>Software>Microsoft
  4. Still in the left panel, locate and delete the key:
    Protected Storage System Provider
  5. In the left panel, double-click the following:
    HKEY_USERS>.DEFAULT>Software>Microsoft>Windows>CurrentVersion>Explorer
  6. Still in the left panel, locate and delete the following keys:
    • {00000000-DCFF-DD00-F399-837C709A807C}
    • {0060FD7F-DCFF-DD00-F399-837C709A807C}
    • {9C030000-DCFF-DD00-F399-837C709A807C}
    • {A4030000-DCFF-DD00-F399-837C709A807C}
  7. Close Registry Editor.

Deleting the Spyware Folder

  1. Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
  2. In the Named input box, type:
    %System%\twain_32
  3. In the Look In drop-down list, select My Computer, then press Enter.
  4. Once located, select the folder then press SHIFT+DELETE.

Running Trend Micro Antivirus

If you are currently running in safe mode, please restart your computer normally before performing the following solution.

Scan your computer with Trend Micro antivirus and delete files detected as TSPY_ZBOT.AXW. To do this, Trend Micro customers must download the latest virus pattern file and scan their computers. Other Internet users can use HouseCall, the Trend Micro online threat scanner.