TSPY_ZBOT.SMWAI

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any propagation routine.

It does not have any backdoor routine.

It modifies the Internet Explorer Zone Settings.

As of this writing, the said sites are inaccessible.

It steals certain information from the system and/or the user.

It deletes the initially executed copy of itself.

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This spyware drops the following copies of itself into the affected system and executes them:

• %Application Data%\{random folder 1}\{random filename 1}.exe ← detected also as TSPY_ZBOT.SMWAI

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops the following files:

• %Application Data%\{random folder 2}\{random file name 2}.{random extension}
• %Application Data%\{random folder 2}\{random file name 2}.tmp

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It creates the following folders:

• %Application Data%\{random folder 1}
• %Application Data%\{random folder 2}

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Local\{GUID}
• Global\{GUID}

It injects codes into the following process(es):

• explorer.exe

Autostart Technique

This spyware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{GUID} = "%Application Data%\{random folder 1}\{random filename 1}.exe "

Other System Modifications

This spyware adds the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\
{random key}

It adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
{random key}
{random} = "{random values}"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%Windows%\explorer.exe = "%Windows%\explorer.exe:*:Enabled:Windows Explorer"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%System%\explorer.exe = "%System%\explorer.exe:*:Enabled:Windows Explorer"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
WarnonBadCertRecving = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
EnableSPDY3_0 = "0"

Propagation

This spyware does not have any propagation routine.

Backdoor Routine

This spyware does not have any backdoor routine.

Web Browser Home Page and Search Page Modification

This spyware modifies the Internet Explorer Zone Settings.

Download Routine

This spyware downloads an updated copy of itself from the following website(s):

• http://{BLOCKED}n.pw/ala.exe

It connects to the following URL(s) to download its configuration file:

• http://{BLOCKED}a.su/anla.jpg
• http://{BLOCKED}i.su/anla.jpg

As of this writing, the said sites are inaccessible.

Information Theft

This spyware steals the following information:

• Data on cookie files (URLs)
• Email-related information such as account names, email addresses, passwords, server data, and server port
• Email information stored in the user's Windows Address Book (WAB) file
• Online banking credentials
• Personal digital certificate

Stolen Information

This spyware sends the gathered information via HTTP POST to the following URL:

• http://{BLOCKED}a.su/news.php

Other Details

This spyware deletes the initially executed copy of itself

The configuration file may contain URLs that it access to download an updated copy of itself and to send its gathered information.

NOTES:

It does not have rootkit capabilities.

does not exploit any vulnerability.

It performs a man-in-the-browser attack, in which codes are injected into the browser in order to access the following domain upon visiting any of the targeted bank-related sites:

• https://{BLOCKED}i.su/