PLATFORM:

Windows 2000, XP, Server 2003


  • Threat Type: Spyware

  • Destructiveness: No


  • In the wild: Yes

  OVERVIEW



It modifies registry entries to enable its automatic execution at every system startup.
It attempts to steal information, such as user names and passwords, used when logging into certain banking or finance-related websites.
Once users access any of the monitored sites, it starts logging keystrokes.
It checks for the presence of the following processes, which belong to Outpost Personal Firewall and the ZoneLabs Firewall Client:

  • outpost.exe
  • zlclient.exe

It terminates if either of the said processes exists, so that it does not run where a third-party firewall would interrupt its routines. It also has rootkit capabilities, which enable it to hide its processes and files from the user.
It modifies registry entries to disable the Windows Firewall. This action allows the malware to perform its routines without interference from the Windows Firewall.

  TECHNICAL DETAILS




Arrival Details


It creates the following folders with attributes set to System and Hidden to prevent users from discovering and removing its components:

  • %System%\lowsec



Autostart Technique


It modifies the following registry entry to ensure its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit=%System%\userinit.exe, %System%\sdra64.exe,

             (Note: The default value data of the said registry entry is %System%\userinit.exe,.)
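A quick way to audit the persistence hook described above, as an added example (this is not Trend Micro's tooling): the functions below split a Winlogon Userinit value the way Winlogon does, on commas, and flag any program other than the stock <system32>\userinit.exe, which is exactly how sdra64.exe would show up. The sample value and the C:\WINDOWS\system32 path are constructed for the example; on a Windows host the optional read_live_userinit() helper reads the real value through the standard winreg module.

```python
"""Check the Winlogon Userinit value for appended programs.

Added example, not Trend Micro's code. Winlogon launches every comma-separated
entry in Userinit, so a second path after the stock userinit.exe is all that is
needed for persistence. The parsing is pure string logic, so it works on a
live host or on an exported .reg value alike.
"""
import os
import platform
from typing import List, Optional


def default_system32() -> str:
    """%System% on this page means <SystemRoot>\\system32.
    C:\\WINDOWS is assumed when not running on Windows (constructed default)."""
    return os.environ.get("SystemRoot", r"C:\WINDOWS").rstrip("\\") + r"\system32"


def userinit_entries(value: str) -> List[str]:
    """Split Userinit data the way Winlogon does: on commas, ignoring empty
    pieces (the stock value itself ends with a trailing comma)."""
    return [part.strip() for part in value.split(",") if part.strip()]


def extra_userinit_entries(value: str, system32: Optional[str] = None) -> List[str]:
    """Return every entry that is not exactly <system32>\\userinit.exe.
    The comparison is case-insensitive; a userinit.exe living in any other
    directory still counts as extra, since only the system32 copy is legitimate."""
    stock = (system32 or default_system32()).rstrip("\\").lower() + r"\userinit.exe"
    return [entry for entry in userinit_entries(value) if entry.lower() != stock]


def restored_userinit(system32: Optional[str] = None) -> str:
    """The value Step 3 of the solution restores: the stock program plus the
    trailing comma that Windows itself writes."""
    return (system32 or default_system32()).rstrip("\\") + r"\userinit.exe,"


def read_live_userinit() -> Optional[str]:
    """Read the real Userinit value on a Windows host; returns None elsewhere."""
    if platform.system() != "Windows":
        return None
    import winreg  # standard library, Windows only
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")
    try:
        value, _kind = winreg.QueryValueEx(key, "Userinit")
    finally:
        winreg.CloseKey(key)
    return value


if __name__ == "__main__":
    # Constructed sample mirroring the infected value documented on this page.
    sample = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"
    live = read_live_userinit()
    value = live if live is not None else sample
    system32 = None if live is not None else r"C:\WINDOWS\system32"
    extras = extra_userinit_entries(value, system32)
    print("Userinit value :", value)
    print("extra entries  :", extras or "none")
    if extras:
        print("restore to     :", restored_userinit(system32))
```

Any non-empty result from extra_userinit_entries() is worth a closer look even when the file name is not sdra64.exe; the Winlogon hook is generic and other families use it with other names.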



Download Routine


It connects to the following URL(s) to download its configuration file:

  • http://{BLOCKED}nahui.cn/config.bin



Infection Points


It may be downloaded from the following remote sites:

  • http://{BLOCKED}nahui.cn/bot.exe



Information Theft


It attempts to steal information from the following banks and/or other financial institutions:

  • AIB

  • ANZ

  • Alliance & Leicester

  • BBVA

  • BG Net Plus

  • Banca Intesa

  • Bancaja

  • Banco Herrero

  • Banco Pastor

  • Banco Popular

  • Banesto

  • Banif

  • Bank of America

  • Banque Populaire

  • Barclays

  • CCM

  • Caixa Girona

  • Caixa Laietana

  • Caixa Ontinyent

  • Caixa Sabadell

  • Caixa Tarragona

  • Caja Badajoz

  • Caja Canarias

  • Caja Circulo

  • Caja Granada

  • Caja Laboral

  • Caja Madrid

  • Caja Murcia

  • Caja Vital

  • Caja de Avila

  • Caja de Jaen

  • Cajarioja

  • Cajasol

  • Chase

  • Citibank

  • Citizens

  • Clavenet

  • Clydesdale

  • Co-Operativebank

  • DAB

  • E-Gold

  • Ebay

  • Fibanc Mediolanum

  • Fifth Third

  • First Direct

  • GAD

  • Gruppo Carige

  • HSBC

  • Halifax

  • IS Bank

  • IW Bank

  • Iside

  • Lloyds

  • Microsoft

  • Myspace

  • National City

  • Nationwide

  • Natwest

  • OSPM

  • Odnoklassniki

  • Openbank

  • PayPal

  • PosteItaliane

  • Procredit

  • Qui UBI

  • RBS

  • Rupay

  • Sabadell Atlantico

  • Santander

  • Scrigno

  • Secservizi

  • Smile

  • Suntrust

  • TD Canada Trust

  • US Bank

  • Ueberweisung

  • Unicaja

  • Uno-E

  • Wachovia

  • Washington Mutual

  • Webmoney Keeper Light

  • Wells Fargo

  • Yandex

  • Yorkshire


Once users access any of the monitored sites, it starts logging keystrokes.


It attempts to access a Web site to download a file that tells the Trojan where to download an updated copy of itself and where to send its stolen data. This configuration file also contains the following list of targeted bank-related Web sites from which it steals information:

  • */my.ebay.com/*CurrentPage=MyeBayPersonalInfo*

  • *.ebay.com/*eBayISAPI.dll?*

  • https://www.us.hsbc.com/*

  • https://www.e-gold.com/acct/li.asp

  • https://online.wellsfargo.com/das/cgi-bin/session.cgi*

  • https://www.wellsfargo.com/*

  • https://online.wellsfargo.com/login*

  • https://online.wellsfargo.com/signon*

  • https://www.paypal.com/*/webscr?cmd=_account

  • https://www.paypal.com/*/webscr?cmd=_login-done*

  • https://www#.usbank.com/internetBanking/LoginRouter

  • https://easyweb*.tdcanadatrust.com/servlet/*FinancialSummaryServlet*

  • https://www#.citizensbankonline.com/*/index-wait.jsp

  • https://onlinebanking.nationalcity.com/OLB/secure/AccountList.aspx

  • https://www.suntrust.com/portal/server.pt*parentname=Login*

  • https://www.53.com/servlet/efsonline/index.html*

  • https://web.da-us.citibank.com/*BS_Id=MemberHomepage*

  • https://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome

  • https://online.wamu.com/Servicing/Servicing.aspx?targetPage=AccountSummary

  • https://onlinebanking#.wachovia.com/myAccounts.aspx?referrer=authService

  • https://resources.chase.com/MyAccounts.aspx

  • https://bancaonline.openbank.es/servlet/PProxy?*

  • https://extranet.banesto.es/*/loginParticulares.htm

  • https://banesnet.banesto.es/*/loginEmpresas.htm

  • https://empresas.gruposantander.es/WebEmpresas/servlet/webempresas.servlets.*

  • https://www.gruposantander.es/bog/sbi*?ptns=acceso*

  • https://www.bbvanetoffice.com/local_bdno/login_bbvanetoffice.html

  • https://www.bancajaproximaempresas.com/ControlEmpresas*

  • https://www.citibank.de*

  • https://probanking.procreditbank.bg/main/main.asp*

  • https://ibank.internationalbanking.barclays.com/logon/icebapplication*

  • https://ibank.barclays.co.uk/olb/x/LoginMember.do

  • https://online-offshore.lloydstsb.com/customer.ibc

  • https://online-business.lloydstsb.co.uk/customer.ibc

  • https://www.dab-bank.com*

  • http://www.hsbc.co.uk/1/2/personal/internet-banking*

  • https://www.nwolb.com/Login.aspx*

  • https://home.ybonline.co.uk/login.html*

  • https://home.cbonline.co.uk/login.html*

  • https://welcome27.co-operativebank.co.uk/CBIBSWeb/start.do

  • https://welcome23.smile.co.uk/SmileWeb/start.do

  • https://www.halifax-online.co.uk/_mem_bin/formslogin.asp*

  • https://www2.bancopopular.es/AppBPE/servlet/servin*

  • https://www.bancoherrero.com/es/*

  • https://pastornetparticulares.bancopastor.es/SrPd*

  • https://intelvia.cajamurcia.es/2043/entrada/01entradaencrip.htm

  • https://www.caja-granada.es/cgi-bin/INclient_2031

  • https://www.fibancmediolanum.es/BasePage.aspx*

  • https://carnet.cajarioja.es/banca3/tx0011/0011.jsp

  • https://www.cajalaboral.com/home/acceso.asp

  • https://www.cajasoldirecto.es/2106/*

  • https://www.clavenet.net/cgi-bin/INclient_7054

  • https://www.cajavital.es/Appserver/vitalnet*

  • https://banca.cajaen.es/Jaen/INclient.jsp

  • https://www.cajadeavila.es/cgi-bin/INclient_6094

  • https://www.caixatarragona.es/esp/sec_1/oficinacodigo.jsp

  • http://caixasabadell.net/banca2/tx0011/0011.jsp

  • https://www.caixaontinyent.es/cgi-bin/INclient_2045

  • https://www.caixalaietana.es/cgi-bin/INclient_2042

  • https://www.cajacirculo.es/ISMC/Circulo/acceso.jsp

  • https://areasegura.banif.es/bog/bogbsn*

  • https://www.bgnetplus.com/niloinet/login.jsp

  • https://www.caixagirona.es/cgi-bin/INclient_2030*

  • https://www.unicaja.es/PortalServlet*

  • https://www.sabadellatlantico.com/es/*

  • https://oi.cajamadrid.es/CajaMadrid/oi/pt_oi/Login/login

  • https://www.cajabadajoz.es/cgi-bin/INclient_6010*

  • https://extranet.banesto.es/npage/OtrosLogin/LoginIBanesto.htm

  • https://montevia.elmonte.es/cgi-bin/INclient_2098*

  • https://www.cajacanarias.es/cgi-bin/INclient_6065

  • https://oie.cajamadridempresas.es/CajaMadrid/oie/pt_oie/Login/login_oie_1

  • https://www.gruppocarige.it/grps/vbank/jsp/login.jsp

  • https://bancopostaonline.poste.it/bpol/bancoposta/formslogin.asp

  • https://privati.internetbanking.bancaintesa.it/sm/login/IN/box_login.jsp

  • https://hb.quiubi.it/newSSO/x11logon.htm

  • https://www.iwbank.it/private/index_pub.jhtml*

  • https://web.secservizi.it/siteminderagent/forms/login.fcc

  • https://www.isideonline.it/relaxbanking/sso.Login*

  • https://scrigno.popso.it*

  • https://www.halifax-online.co.uk/MyAccounts/MyAccounts.aspx*

  • https://ibank.barclays.co.uk/olb/x/LoginMember.do

  • https://www.halifax-online.co.uk/_mem_bin/*

  • https://online*.lloydstsb.co.uk/logon.ibc

  • https://home.ybonline.co.uk/ral/loginmgr/*

  • https://www.mybank.alliance-leicester.co.uk/login/*

  • https://www.ebank.hsbc.co.uk/main/IBLogon.jsp

  • https://www.isbank.com.tr/Internet/ControlLoader.aspx*

  • https://light.webmoney.ru/default.aspx

  • https://olb2.nationet.com/MyAccounts/frame_MyAccounts_WP2.asp*

  • https://www*.banking.first-direct.com/1/2/*

  • https://cardsonline-consumer.com/RBSG_Consumer/VerifyLogin.do

  • *//money.yandex.ru/index.xml

  • *//money.yandex.ru/

  • *//mail.yandex.ru/index.xml

  • *//mail.yandex.ru/

  • https://www.rbsdigital.com/Login.asp*

  • https://banking*.anz.com/*

  • https://olb2.nationet.com/signon/signon*

  • https://www.nwolb.com/Login.asp*

  • https://home2ae.cd.citibank.ae/CappWebAppAE/producttwo/capp/action/signoncq.do

  • https://internetbanking.aib.ie/hb1/roi/signon

  • https://lot-port.bcs.ru/names.nsf?#ogin*

  • *wellsfargo.com/*

  • https://web.da-us.citibank.com/cgi-bin/citifi/portal/l/l.do

  • https://web.da-us.citibank.com/cgi-bin/citifi/portal/l/autherror.do*

  • https://rupay.com/index.php

  • *banquepopulaire.fr/*

  • http://*.osmp.ru/

  • https://www.uno-e.com/local_bdnt_unoe/Login_unoe2.html

  • https://www.ccm.es/cgi-bin/INclient_6105
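For an analyst who has recovered a mask list like the one above from a configuration file and wants to know which of their own URLs it covers, the matcher below is an added example (it is neither the malware's code nor Trend Micro's). It treats '*' as matching any run of characters and, on the evidence of entries such as www#.usbank.com and onlineeast#.bankofamerica.com, assumes '#' matches exactly one character; a mask must cover the whole URL, case-insensitively. The masks in the demo are copied from the list above; the visited URLs are constructed.

```python
"""Match visited URLs against the wildcard masks used in the list above.

Added example, not code from the malware or from Trend Micro. Assumptions:
'*' matches any run of characters (including none), '#' matches exactly one
character, and a mask must cover the whole URL, case-insensitively.
"""
import re
from typing import Iterable, List, Optional, Tuple


def mask_to_regex(mask: str) -> "re.Pattern":
    """Translate one mask into an anchored regular expression.
    Every character except the two wildcards is escaped, so the '.', '?'
    and '$' that appear in the masks stay literal."""
    pieces: List[str] = []
    for ch in mask:
        if ch == "*":
            pieces.append(".*")       # any run of characters, possibly empty
        elif ch == "#":
            pieces.append(".")        # exactly one character (assumed semantics)
        else:
            pieces.append(re.escape(ch))
    return re.compile("^" + "".join(pieces) + "$", re.IGNORECASE)


class UrlMonitor:
    """Holds the compiled mask list and answers 'is this URL monitored?'."""

    def __init__(self, masks: Iterable[str]) -> None:
        cleaned = [m.strip() for m in masks if m.strip()]
        self.rules: List[Tuple[str, "re.Pattern"]] = [
            (m, mask_to_regex(m)) for m in cleaned
        ]

    def matching_mask(self, url: str) -> Optional[str]:
        """Return the first mask that covers url, or None if none does."""
        for mask, regex in self.rules:
            if regex.match(url):
                return mask
        return None

    def is_monitored(self, url: str) -> bool:
        return self.matching_mask(url) is not None


# Masks copied from the list above; the visited URLs below are constructed.
SAMPLE_MASKS = [
    "https://www#.usbank.com/internetBanking/LoginRouter",
    "*.ebay.com/*eBayISAPI.dll?*",
    "*//money.yandex.ru/",
    "https://www.wellsfargo.com/*",
]

SAMPLE_VISITS = [
    "https://www2.usbank.com/internetBanking/LoginRouter",   # '#' = one char
    "https://www22.usbank.com/internetBanking/LoginRouter",  # two chars: no match
    "https://signin.ebay.com/ws/eBayISAPI.dll?SignIn",
    "HTTP://money.yandex.ru/",                               # case-insensitive
    "http://money.yandex.ru/index.xml",                      # anchored: no match
    "https://www.wellsfargo.com.evil.example/",              # lookalike: no match
]

if __name__ == "__main__":
    monitor = UrlMonitor(SAMPLE_MASKS)
    for url in SAMPLE_VISITS:
        print(f"{url:58} -> {monitor.matching_mask(url) or 'not monitored'}")
```

Masks that start with a bare '*' (for example *wellsfargo.com/*) match far more than a bank's own login page, which is worth remembering when using such a list to decide which hosts to watch in proxy logs.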



Installation


It drops copies of itself in the Windows system folder and appends garbage code to the dropped copy to avoid easy detection. The dropped copies use the following file name:

  • sdra64.exe


It drops the following files, which are not malicious in themselves but hold the Trojan's working data:

  • %System%\lowsec\local.ds

  • %System%\lowsec\user.ds

  • %System%\lowsec\user.ds.lll



Other Details


It injects itself into the following processes as part of its memory residency routine:

  • SVCHOST.EXE

  • WINLOGON.EXE


It checks for the presence of the following processes, which belong to Outpost Personal Firewall and the ZoneLabs Firewall Client:

  • outpost.exe
  • zlclient.exe

It terminates if either of the said processes exists, so that it does not run where a third-party firewall would interrupt its routines. It also has rootkit capabilities, which enable it to hide its processes and files from the user.



Other System Modifications


It adds the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network
UID={Computer name}_{Random numbers}


It modifies the following registry entry to disable the Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
EnableFirewall=0



Stolen Information


It sends the gathered information via HTTP POST to the following URL:

  • http://{BLOCKED}nahui.cn/game.php


It saves the stolen information in the following file:

  • %System%\lowsec\user.ds



Variant Information


It has the following SHA1 hashes:

  • 46c98d15425041d45cce11cf6c29b0c96167c578


It has the following MD5 hashes:

  • 03490377076a776313a61c1a5f5b727d

  SOLUTION

Minimum Scan Engine: 8.900
VSAPI PATTERN File: 7.424.01


Step 1
For Windows ME and XP users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2
Identify and delete files detected as TSPY_ZBOT.BFZ using either the Startup Disk or Recovery Console.


Step 3
Restore this modified registry value. This step allows you to undo a change made by the malware/grayware/spyware to a registry value.

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

 
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    • From: Userinit = %System%\userinit.exe, %System%\sdra64.exe,
      To: Userinit = %System%\userinit.exe,

To restore the registry value this malware/grayware/spyware modified:

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>CurrentVersion>Winlogon
  3. In the right panel, locate the registry value:
    Userinit = %System%\userinit.exe, %System%\sdra64.exe,
  4. Right-click on the value name and choose Modify. Change the value data of this entry to:
    Userinit = %System%\userinit.exe,
  5. Close Registry Editor.

Step 4
Delete these registry values. This step allows you to delete the registry values created by the malware/grayware/spyware.

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network
    • UID = {Computer name}_{Random numbers}
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    • EnableFirewall = 0
    

To delete the registry value this malware/grayware/spyware created:

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>CurrentVersion>Network
  3. In the right panel, locate and delete the entry:
    UID = {Computer name}_{Random numbers}
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>SharedAccess>Parameters>FirewallPolicy>StandardProfile
  5. In the right panel, locate and delete the entry:
    EnableFirewall = 0
  6. Close Registry Editor.

Step 5
Search and delete this folder. This step allows you to search for and delete the folder created by this malware/grayware/spyware. Please make sure you check the Search Hidden Files and Folders checkbox under More advanced options to include all hidden folders in the search result:
  %System%\lowsec

To delete the malware/grayware/spyware folder:

  1. Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
  2. In the Named input box, type:
      %System%\lowsec
  3. In the Look In drop-down list, select My Computer, then press Enter.
  4. Once located, select the folder then press SHIFT+DELETE to permanently delete the folder.

Step 6
Scan your computer with your Trend Micro product to delete files detected as TSPY_ZBOT.BFZ. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
