Analysis by: jasperm
ALIASES:

Kaspersky: Trojan-Spy.Win32.Zbot.autj ; Symantec: Trojan.Zbot ; Sophos: Mal/FakeAV-BW

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: File infector

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

Infection Channel: Infects files

This malware is a new LICAT variant that uses a different key for its domain generation algorithm.

To get a one-glance comprehensive view of the behavior of this File infector, refer to the Threat Diagram shown below.

It infects file associated with running processes. Infected files are detected as PE_LICAT.B.

This file infector may be dropped by other malware. It may be unknowingly downloaded by a user while visiting malicious websites.

It may be injected into processes running in memory.

It infects by inserting its code to unused space in host files.

It opens a random port to allow a remote user to connect to the affected system. Once a successful connection is established, the remote user executes commands on the affected system.

It modifies the Internet Explorer Zone Settings.

It attempts to steal sensitive online banking information, such as user names and passwords. This routine risks the exposure of the user's account information, which may then lead to the unauthorized use of the stolen data. It attempts to steal information, such as user names and passwords, used when logging into certain banking or finance-related websites.

  TECHNICAL DETAILS

Ports: Random TCP ports
File Size: 166,400 bytes
File Type: PE
Memory Resident: Yes
Initial Samples Received Date: 02 Nov 2010
Payload: Downloads files, Steals information

Arrival Details

This file infector may be dropped by other malware.

It may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This file infector drops the following files:

  • %Application Data%\{random1}\{random}.exe - copy of itself
  • %Application Data%\{random2}\{random}.{3 random alpha character extension name} - encrypted data

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)

It creates the following folders:

  • %Application Data%\{random1}
  • %Application Data%\{random2}

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)

It is injected into the following processes running in memory:

  • ctfmon.exe
  • dwm.exe
  • explorer.exe
  • rdpclip.exe
  • taskeng.exe
  • taskhost.exe
  • wscntfy.exe

It may be injected into processes running in memory.

Autostart Technique

This file infector adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{GUID} = %Application Data%\{random}\{random name}.EXE

Other System Modifications

This file infector adds the following registry keys as part of its installation routine:

HKEY_CURRENT_USER\Software\Microsoft\
{random}

It creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%WINDOWS%\EXPLORER.EXE = %WINDOWS%\EXPLORER.EXE:*:Enabled:Windows Explorer

File Infection

This file infector infects the following file types:

  • EXE

It infects by inserting its code to unused space in host files.

Backdoor Routine

This file infector opens a random port to allow a remote user to connect to the affected system. Once a successful connection is established, the remote user executes commands on the affected system.

Web Browser Home Page and Search Page Modification

This file infector modifies the Internet Explorer Zone Settings.

Information Theft

This file infector monitors the Internet Explorer (IE) activities of the affected system, specifically the address bar or title bar. It recreates a legitimate website with a spoofed login page if a user visits banking sites with the following strings in the address bar or title bar:

  • https://*.ebanking-services.com/*/signin.aspx
  • https://express.53.com/express/logon.jsp
  • ttps://wellsoffice.wellsfargo.com/ceoportal/signon/index.jsp
  • https://www.accountcentralonline.com
  • https://secure.americanexpress.com
  • https://www.bankofamerica.com
  • https://chaseonline.chase.com
  • https://www.accountonline.com
  • https://www.cajalaboral.com
  • https://customer.eu.clickandbuy.com
  • https://www.discovercard.com/cardmembersvcs/personalprofile/pp/GetInitialInfo
  • https://www.ezcardinfo.com
  • https://signin.fiabusinesscard.com
  • https://www.accountcentralonline.com
  • https://www.ibsnetaccess.com
  • https://www.macys.com
  • ttps://www.moneybookers.com
  • https://www.myaccountaccess.com
  • https://www.partnercardservices.com
  • https://www.paypal.com
  • ttps://www.pnccardservicesonline.com
  • https://client.schwab.com
  • https://www.suntrust.com
  • https://content.usaa.com
  • cey-ebanking.com
  • treasury.pncbank.com/portal/esec/login.ht
  • https://www.us.hsbc.com/1/2/
  • https://bnycash.bankofny.com/
  • ebanking-services.com
  • https://www.usaa.com/inet
  • https://www.saferpay.com/vt/pay.asp
  • https://express.53.com/express/logon
  • https://www.business.hsbc.co.uk/1/2/
  • https://www.paypal.com/gates/google
  • https://direct.53.com/logon53Direct.jsp
  • https://www.gotomycard.com/accounts.asp
  • https://www.saferpay.com/gates/google
  • https://ibank.barclays.co.uk/olb/u/Login
  • https://www.moneybookers.com/app/profile.pl
  • Zhttps://www.myaccountaccess.com/onlineCard/
  • https://www.ezcardinfo.com/AcctSummary.aspx
  • https://www.moneybookers.com/gates/google
  • https://chsec.wellsfargo.com/login/login.fcc
  • https://securentrycorp.amegybank.com
  • https://ssl.selectpayment.com/
  • https://chaseonline.chase.com/MyAccounts.aspx
  • https://www.paypal.com/C /cgi-bin/webscr
  • https://sitekey.bankofamerica.com/sas/maint.do
  • https://online.citibank.com/US/</portal/Home.do
  • https://www.hsbccreditcard.com/ecare/viewaccount
  • https://www.suntrust.com/portal/server.pt?mode=2
  • https://www.mycardstatement.com/AcctSummary.aspx
  • https://customer.eu.clickandbuy.com/gates/google
  • https://onlinebankingC.wachovia.com/myAccounts.aspx
  • https://www.accountcentralonline.com/cmuser/myacct/
  • https://www.discovercard.com/cardmembersvcs/achome/
  • https://online.wellsfargo.com/das/cgi-bin/session.cgi
  • https://www.nordstromcard.com/fdr_nr.service?TRANTYPE
  • https://www.statementlook.com/fdr_ge.service?TRANTYPE
  • https://wwwC.usbank.com/internetBanking/RequestRouter
  • https://www.partnercardservices.com/ecare/viewaccount
  • https://client.schwab.com/accounts/summary/summary.aspx
  • https://www.paypal.com/C /cgi-bin/webscr?cmd=_login-done
  • https://www.hsbccreditcard.com/ecare/control/generic.js
  • https://singlepoint.usbank.com/cs70_banking/logon/sbuser
  • https://www.paypal.com/de/cgi-bin/webscr?cmd=_login-done
  • https://www.fiabusinesscard.com/cgi-bin/ias/
  • https://www.linksimprese.sanpaoloimi.com/pmiweb/LoginServlet
  • https://www.partnercardservices.com/ecare/control/generic.js
  • https://wellsoffice.wellsfargo.com/ceoportal/signon/index.jsp
  • https://www.barclaycardus.com/app/ccsite/action/switchAccount
  • https://businessaccess.citibank.citigroup.com/cbusol/signon.do
  • https://banking.commercebank.com/CBI/Accounts/CBI/Summary.aspxU
  • https://onlineeastC.bankofamerica.com/cgi-bin/ias/
  • https://www.pnccardservicesonline.com/pages/AccountSummary.aspx
  • https://authmaster.nationalcity.com/tmgmt/
  • https://treas-mgt.frostbank.com/rdp/cgi-bin/
  • https://sitekey.bankofamerica.com/sas/sas-docs/js/commonscript.js
  • https://cm.netteller.com/login2008/Authentication/Views/Login.aspx
  • https://www.myaccountaccess.com/onlineCard/postLogin.do?phase=start
  • https://access.jpmorgan.com/appmanager/jpmalogonportal/jpmalogonhome
  • ttps://businessonline.tdbank.com/corporatebankingweb/core/login.aspx
  • https://www.comerica.com/
  • https://wwwB.comerica.com/
  • https://businessonline.huntington.com/BOLHome/BusinessOnlineLogin.aspx
  • https://www.ibsnetaccess.com/NASApp/NetAccess/RegisteredAccountsDisplay
  • https://businessaccess.citibank.citigroup.com/cbusol/sign
  • https://www.discovercard.com/cardmembersvcs/personalprofile/pp/GetInitialInfo
  • https://customer.eu.clickandbuy.com/surfer/spring/accounthome-flow
  • https://www.ibsnetaccess.com/NASApp/NetAccess/updateQandA.action?target=updtQA
  • https://www.paypal.com/C /cgi-bin/webscr?cmd=_profile-credit-card-new-clickthru
  • https://onlineeastC.bankofamerica.com/cgi-bin/ias/
  • https://online.americanexpress.com/myca/acctsumm/us/action?request_type=authreg_acctAccountSummary
  • https://www.hsbccreditcard.com/ecare/customerservice/updatepersonalinfo?&locale=en_US&brand=HB_090_750
  • https://www.partnercardservices.com/ecare/customerservice/updatepersonalinfo?&locale=en_US&brand=RZ_500_501

It attempts to steal sensitive online banking information, such as user names and passwords. This routine risks the exposure of the user's account information, which may then lead to the unauthorized use of the stolen data.

It accesses the following site to download its configuration file:

  • http://{BLOCKED}pzrjrge.org/news/?s={random number}

It attempts to steal information from the following banks and/or other financial institutions:

  • Fifth Third Direct
  • Wellsfargo
  • HSBC
  • American Express
  • Bank of America
  • Chase
  • Citi
  • Caja Laboral
  • ClickandBuy
  • Discover Card
  • eZCardInfo
  • Card Information Online
  • FIA Card Services
  • Macy's
  • Moneybookers
  • Online Account Access
  • Partner Card Services
  • Paypal
  • PNC Card Services
  • Charles Schwab
  • Suntrust
  • USAA
  • Mountain National Bank
  • PNC Bank
  • Business Internet Banking
  • Saferpay
  • GoToMyCard
  • Barclays
  • Amegy Bank
  • Profit Stars
  • Wachovia
  • Nordstrom Credit Services
  • Statementlook
  • US Bank
  • Commerce Bank
  • Frost Bank
  • National City
  • Net Teller
  • JP Morgan
  • TD Bank
  • Comerica
  • Huntington National Bank

Stolen Information

This file infector sends the gathered information via HTTP POST to the following URL:

  • http://{BLOCKED}pzrjrge.org

Other Details

This file infector does the following:

  • It infects files associated with running processes.
  • Infected files are detected as PE_LICAT.B.

  SOLUTION

Minimum Scan Engine: 8.900
VSAPI OPR PATTERN File: 7.671.00
VSAPI OPR PATTERN Date: 03 Dec 2010

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Remove malware files dropped/downloaded by PE_LICAT.B-O

Step 3

Restart in Safe Mode

[ Learn More ]

Step 4

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

 
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • {GUID}=%Application Data%\{random}\{random name}.EXE
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    • %WINDOWS%\EXPLORER.EXE=%WINDOWS%\EXPLORER.EXE:*:Enabled:Windows Explorer

Step 5

Delete this registry key

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry. Before you could do this, you must restart in Safe Mode. For instructions on how to do this, you may refer to this page If the preceding step requires you to restart in safe mode, you may proceed to edit the system registry.

  • In HKEY_CURRENT_USER\Software\Microsoft
    • {random}

Step 6

Reset Internet security settings

[ Learn More ]

Step 7

Search and delete this folder

[ Learn More ]
Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden folders in the search result.
  • %Application Data%\{random1}
  • %Application Data%\{random2}

Step 8

Restart in normal mode and scan your computer with your Trend Micro product for files detected as PE_LICAT.B-O. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.

Related Malware