TSPY_ZBOT.KAR

Download the latest scan engine

Type: Spyware

In the wild: No

Destructive: No

Language: English

Systems affected: Windows NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Low

Reported detections:

Low

System impact:

High

Information exposure:

High

Description:

This spyware arrives as a file downloaded from a remote URL.

It drops a copy of itself in the Windows system folder and appends garbage code to the dropped copy to avoid easy detection. It creates a folder with attributes set to System and Hidden to prevent users from discovering and removing its components. It then creates non-malicious files. It modifies a registry entry to enable its automatic execution at system startup. It also injects itself into processes as part of its memory residency routine.

It attempts to access a Web site to download a file that specifies where the spyware can download an updated copy of itself and where to send its stolen data. This configuration file also contains a list of targeted bank-related Web sites from which it steals information. Note that the contents of the file, and hence the list of Web sites to monitor, may change at any time.

It attempts to steal sensitive online banking information, such as user names and passwords. This routine risks the exposure of the user's account information, which may then lead to the unauthorized use of the stolen data.

It saves the stolen information in a file. It sends the gathered information via HTTP POST to a remote URL.

It accesses a remote site to download its configuration file. The downloaded file contains information where it can download an updated copy of itself, and where to send its stolen data.



TECHNICAL DETAILS



Initial samples received on:  Jan 21, 2010

File type: PE

Memory resident: Yes

File size: 208,898 Bytes

Payload 1: Steals information

Payload 2: Others

Payload Detail 2: Disables Windows Firewall

Details:

Infection Points

This spyware arrives as a file downloaded from the following URL:

  • http://www.{BLOCKED}aslitograficas.com/img/mujeres.jpg

Installation and Autostart Technique

This spyware drops a copy of itself in the Windows system folder and appends garbage code to the dropped copy to avoid easy detection. The dropped copy uses the following file name:

  • sdra64.exe

It creates the following folder with attributes set to System and Hidden to prevent users from discovering and removing its components:

  • %System%\lowsec

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It then creates the following non-malicious files:

  • %System%\lowsec\local.ds - copy of the encrypted downloaded file
  • %System%\lowsec\user.ds - used to save the gathered information

It modifies the following registry entry to enable its automatic execution at system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Userinit = "%System%\userinit.exe, %System%\sdra64.exe,"

(Note: The default value data for the said registry entry is %System%\userinit.exe,.)

It also creates the following registry entry as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Network
UID = "{Computer name}_{Random numbers}"

It also creates the following registry entry to disable Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\FirewallPolicy\
StandardProfile
EnableFirewall = "0"

It injects itself into the following processes as part of its memory residency routine:

  • SVCHOST.EXE
  • WINLOGON.EXE

Information Theft Routine

This spyware attempts to access a Web site to download a file which contains information where the spyware can download an updated copy of itself, and where to send its stolen data. This configuration file also contains the following list of targeted bank-related Web sites from which it steals information:

  • !*.microsoft.com/*
  • !http://*myspace.com*
  • !http://*odnoklassniki.ru/*
  • @https://olbe.todo1.com/SVE/control/RSACollect.confirmQuestions*
  • @https://olbe.todo1.com/SVE/control/RSACollect.verifyQuestions*
  • *empresas.davivienda.com*
  • *olbe.todo1.com/SVE/control/BoleTransactional.bancolombia*
  • *olbe.todo1.com/SVE/control/boletransactional.bancolombia.com/BoleTransactional.bancolombia
  • @https://olbe.todo1.com/SVE/control/RSACollect.chooseQuestions*
  • http*://*bbvanet.com.co/bbvaemp/colombiaemp/OperacionCBTFServlet*
  • http*://*santander.com.co/
  • http*://*santander.com.co/portal/secciones/BSCH/HOME/EMPRESAS/seccion_HTML.jsp
  • http*://*santander.com.co/portal/secciones/BSCH/HOME/PERSONAS*seccion_HTML.jsp
  • https://bancolombia.olb.todo1.com/olb/Login
  • https://bancolombia.olb.todo1.com/olb/SecondKey*
  • https://banking.*.de/cgi/ueberweisung.cgi/* *&tid=* *&betrag=*
  • https://internetbanking.gad.de/banking/* * * KktNrTanEnz
  • https://linea.davivienda.com/ConsultasServlet
  • https://linea.davivienda.com/LoginServlet
  • https://olbe.todo1.com/*
  • https://olbe.todo1.com/SVE/control/BoleTransactional.bancolombia
  • https://olbe.todo1.com/SVE/control/boletransactional.bancolombia.com/BoleTransactional.bancolombia
  • https://olbe.todo1.com/SVE/control/BoleTransactional.start?*AccountsOverview
  • https://olbe.todo1.com/SVE/control/RSACollect.chooseQuestions
  • https://olbe.todo1.com/SVE/control/RSACollect.confirmQuestions
  • https://olbe.todo1.com/SVE/control/RSACollect.enrollmentConfirmed
  • https://olbe.todo1.com/SVE/control/RSACollect.readEula
  • https://olbe.todo1.com/SVE/control/RSACollect.verifyQuestions
  • https://www.bancaempresarial.colpatria.com/sEmpresarial/principal/entrada_opcion.asp
  • https://www.bancaempresarial.colpatria.com/sEmpresarial/saldos/ResumenCuentas.asp?Producto=001
  • https://www.bancaempresarial.colpatria.com/sEmpresarial/saldos/ResumenCuentas.asp?Producto=002
  • https://www.bbvanet.com.co/principal2.html*
  • https://www.citibank.de/*/jba/mp#/SubmitRecap.do
  • https://www.gruposantander.es/*

Note that the contents of the file, hence the list of Web sites to monitor, may change any time. Once users access any of the monitored sites, this malware starts logging keystrokes.

Attacked Entities

This spyware attempts to retrieve information from the following list of banks/financial institutions:

  • Citibank
  • GAD
  • Microsoft
  • Myspace
  • Odnoklassniki
  • Santander

Stolen Information

This spyware attempts to steal sensitive online banking information, such as user names and passwords. This routine risks the exposure of the user's account information, which may then lead to the unauthorized use of the stolen data.

Drop Points

This spyware saves the stolen information in the following file:

  • %System%\lowsec\user.ds

It sends the gathered information via HTTP POST to the following URL:

  • http://www.{BLOCKED}omusicnow.cn/drum/dance.php

Download Routine

This spyware accesses the following site to download its configuration file:

  • http://www.{BLOCKED}omusicnow.cn/drum/trance.jpg

The downloaded file contains information where the malware can download an updated copy of itself, and where to send its stolen data.
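The three URLs in the Infection Points, Drop Points and Download Routine sections are the network side of this infection, and a proxy log is usually the quickest place to find hosts that went through the whole chain. The script below is an added example and is not part of the Trend Micro write-up: it parses a constructed, simplified proxy log format (time, client, method, URL, status), matches each request against those three URLs by method, host and path, and reports which clients reached the HTTP POST stage. The log lines are made up, and the host names keep the write-up's {BLOCKED} redaction; a defender would substitute the real values from an intelligence source.

```python
"""
Added example, not from the Trend Micro write-up: match the network indicators
listed under Infection Points, Drop Points and Download Routine against web
proxy logs.

The log format is a constructed, simplified one (time client method url status)
and every log line below is made up. Host names keep the write-up's {BLOCKED}
redaction; substitute the real values from your own intelligence source.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# (method, host, path, meaning) taken from the write-up's URLs
_RAW_INDICATORS = [
    ("GET",  "www.{BLOCKED}aslitograficas.com", "/img/mujeres.jpg", "initial download of the spyware"),
    ("GET",  "www.{BLOCKED}omusicnow.cn",       "/drum/trance.jpg", "configuration file download"),
    ("POST", "www.{BLOCKED}omusicnow.cn",       "/drum/dance.php",  "stolen data sent via HTTP POST"),
]
# Hosts are compared case-insensitively, so the lookup table is keyed in lower case.
INDICATORS = {(m, h.lower(), p): meaning for m, h, p, meaning in _RAW_INDICATORS}
EXFIL_STAGE = "stolen data sent via HTTP POST"


def parse_line(line):
    """Parse one log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    time, client, method, url, status = parts
    u = urlsplit(url)
    return {"time": time, "client": client, "method": method.upper(),
            "host": (u.hostname or "").lower(), "path": u.path, "status": status}


def classify(entry):
    """Return what a request means in the infection chain, or None if it matches
    nothing. Method, host and path must all match, so a GET to the drop URL
    (for example from an analyst's browser) is not reported as exfiltration."""
    return INDICATORS.get((entry["method"], entry["host"], entry["path"]))


def scan(lines):
    """Return {client: [(time, meaning), ...]} for every matching request."""
    hits = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        meaning = classify(entry)
        if meaning:
            hits[entry["client"]].append((entry["time"], meaning))
    return dict(hits)


def clients_with_exfiltration(hits):
    """Clients that posted to the drop URL: these need isolation and credential
    resets, not just a scan, because data has already left the host."""
    return sorted(c for c, events in hits.items()
                  if any(m == EXFIL_STAGE for _, m in events))


# Constructed log lines; the last one is a GET to the drop URL and must not match.
SAMPLE_LOG = """\
2010-01-21T09:14:02 10.0.0.15 GET http://www.example.com/index.html 200
2010-01-21T09:15:40 10.0.0.15 GET http://www.{BLOCKED}aslitograficas.com/img/mujeres.jpg 200
2010-01-21T09:15:58 10.0.0.15 GET http://www.{BLOCKED}omusicnow.cn/drum/trance.jpg 200
2010-01-21T09:20:11 10.0.0.15 POST http://www.{BLOCKED}omusicnow.cn/drum/dance.php 200
2010-01-21T09:21:05 10.0.0.23 GET http://www.example.org/news 200
2010-01-21T09:22:30 10.0.0.23 GET http://www.{BLOCKED}omusicnow.cn/drum/dance.php 404
""".splitlines()

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for client, events in hits.items():
        for time, meaning in events:
            print(f"{client} {time} {meaning}")
    print("exfiltration seen from:", clients_with_exfiltration(hits))
```

Because the write-up notes that the configuration file, and with it the update and drop locations, can change at any time, these URL matches should be treated as a starting point for a hunt rather than as a complete detection; the registry and file indicators on the host are the more stable signal.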

Backdoor Channel

This spyware did not exhibit backdoor routines during testing.

Other Details

This spyware creates the following mutex to ensure that only one instance of itself is running in memory:

  • _AVIRA_2109

It also checks for the presence of the following processes which are related to Outpost Personal Firewall and ZoneLabs Firewall Client:

  • outpost.exe
  • zlclient.exe

It terminates if either of the said processes exists. This is to ensure that it runs uninterrupted. It also has rootkit capabilities, which enable it to hide its processes and files from the user.

Variant Information

This spyware has the following SHA1 hash:

  • ffdd55a7c8bdd93c46c574baf1eedc5dadd470bc

This spyware has the following MD5 hash:

  • eab76d9970ade9e86555d0df882e232b

Affected Platforms

This spyware runs on Windows NT, 2000, XP, and Server 2003.


Analysis by:  Jasper Manuel



SOLUTION


Minimum scan engine version needed: 8.900

Download the latest scan engine


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

For Windows ME and XP users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 1: Identify and delete files detected as TSPY_ZBOT.KAR using Recovery Console [learn how]

Step 2: Restore this modified registry value [learn how]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
    Windows NT\CurrentVersion\Winlogon
    • From: Userinit = "%System%\userinit.exe, %System%\sdra64.exe,"
      To: Userinit = "%System%\userinit.exe,"

Step 3: Delete these registry values [learn how]

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
    Windows NT\CurrentVersion\Network
    • UID = "{Computer name}_{Random numbers}"
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
    Services\SharedAccess\Parameters\FirewallPolicy\
    StandardProfile
    • EnableFirewall = "0"

Step 4: Search and delete this folder [learn how]

*Note: Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden folders in the search result.

  • %System%\lowsec

Step 5: Scan your computer with your Trend Micro product to delete files detected as TSPY_ZBOT.KAR

*Note: If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
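Steps 2 to 4 above are a fixed set of registry and file changes, which makes them a good fit for a script that first shows what it would change and only then changes it. The following is an added example and is not part of the Trend Micro write-up: it computes the restored Userinit value from the current one (so that any other legitimate entry in that value survives, rather than overwriting it with a fixed string), lists the values and folder to delete, and performs the changes only on Windows and only when explicitly asked. The sample "From:" value is the one shown in Step 2; everything else that is not in the write-up is constructed for illustration.

```python
"""
Added example, not from the Trend Micro write-up: build, and optionally apply,
the registry and file clean-up from Steps 2 to 4 above. The corrected Userinit
value is computed from the current one instead of being hard-coded, so any
other legitimate entry in that value survives. The plan is plain data that can
be reviewed before anything is changed; apply_plan() is a dry run unless
really=True, and then it works only on Windows. Paths and values below that
are not in the write-up are constructed for illustration.
"""
import ntpath
import os
import shutil
import sys

DROPPED_NAME = "sdra64.exe"
# Registry paths from the write-up, relative to HKEY_LOCAL_MACHINE
WINLOGON = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
VALUES_TO_DELETE = [   # Step 3
    (r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network", "UID"),
    (r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile",
     "EnableFirewall"),
]


def restored_userinit(current):
    """Drop every entry whose file name is sdra64.exe and rebuild the value with
    the trailing comma Windows uses, e.g. "%System%\\userinit.exe,"."""
    keep = [e.strip() for e in current.split(",")
            if e.strip() and ntpath.basename(e.strip()).lower() != DROPPED_NAME]
    return ",".join(keep) + ","


def build_plan(current_userinit, system_dir=r"%System%"):
    """Return the clean-up as data: Step 2 (set), Step 3 (delete_values) and
    Step 4 (delete_dirs), plus the dropped file that Step 1 deals with."""
    return {
        "set": [(WINLOGON, "Userinit", restored_userinit(current_userinit))],
        "delete_values": list(VALUES_TO_DELETE),
        "delete_dirs": [ntpath.join(system_dir, "lowsec")],
        "delete_files": [ntpath.join(system_dir, DROPPED_NAME)],
    }


def apply_plan(plan, really=False):
    """Print each action and return how many there are; perform them only when
    really=True on Windows. Run this after Step 1, with the spyware no longer
    executing, since the code injected into winlogon.exe could otherwise write
    its Userinit entry back."""
    if really and sys.platform != "win32":
        raise RuntimeError("applying the plan requires Windows")
    if really:
        import winreg

    def act(description, fn):
        print(("APPLY: " if really else "DRY-RUN: ") + description)
        if really:
            fn()

    def set_value(path, name, value):
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path, 0, winreg.KEY_SET_VALUE) as key:
            winreg.SetValueEx(key, name, 0, winreg.REG_SZ, value)

    def delete_value(path, name):
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path, 0, winreg.KEY_SET_VALUE) as key:
            winreg.DeleteValue(key, name)

    for path, name, value in plan["set"]:
        act(f"set HKLM\\{path}\\{name} = {value!r}", lambda: set_value(path, name, value))
    for path, name in plan["delete_values"]:
        act(f"delete HKLM\\{path}\\{name}", lambda: delete_value(path, name))
    for folder in plan["delete_dirs"]:
        act(f"remove folder {folder}", lambda: shutil.rmtree(folder))
    for file in plan["delete_files"]:
        act(f"remove file {file}", lambda: os.remove(file))
    return (len(plan["set"]) + len(plan["delete_values"])
            + len(plan["delete_dirs"]) + len(plan["delete_files"]))


if __name__ == "__main__":
    # Constructed current value, matching the "From:" line in Step 2
    current = r"%System%\userinit.exe, %System%\sdra64.exe,"
    if sys.platform == "win32":
        import winreg
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON) as key:
            current = winreg.QueryValueEx(key, "Userinit")[0]
        plan = build_plan(current, os.path.join(os.environ["SystemRoot"], "System32"))
    else:
        plan = build_plan(current)
    apply_plan(plan)   # dry run; pass really=True to change the system
```

The dry run prints the same four kinds of action the steps above describe, so the output can be compared line by line with Steps 2 to 4 before anything is applied; if the Userinit value on the machine differs from the "From:" value shown in Step 2, the computed "To:" value is the thing to check most carefully.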