Analysis by: Jasen Sumalapao
ALIASES:

PWS:Win32/Zbot (Microsoft), Generic BackDoor.adp (NAI), Mal/NecursDrp-A (Sophos), Trojan.Injector.AHF (FSecure), Trojan.Injector.AHF (Bitdefender), W32/Zbot.AAO!tr.spy (Fortinet), Win32/Spy.Zbot.AAO trojan (NOD32)

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 REPORTED INFECTION:
 SYSTEM IMPACT RATING:
 INFORMATION EXPOSURE:

  • Threat Type: Spyware

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It creates folders where it drops its files.

It modifies the Internet Explorer Zone Settings.

It deletes itself after execution.

  TECHNICAL DETAILS

File Size: 290,816 bytes
File Type: EXE
Initial Samples Received Date: 28 Aug 2012

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This spyware drops the following component file(s):

  • %User Profile%\Application Data\{random folder 1}\{random filename}.exe - detected as TSPY_ZBOT.NKS
  • %User Profile%\Application Data\{random folder 2}\{random filename and extension}
  • %User Profile%\Application Data\{random folder 3}\{random filename and extension}

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

It creates the following folders:

  • %User Profile%\Application Data\{random folder 1}
  • %User Profile%\Application Data\{random folder 2}
  • %User Profile%\Application Data\{random folder 3}

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

  • Local\{97D16FEF-F788-89F2-E17F-82BA9A4C24CF}

Autostart Technique

This spyware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random characters} = "%User Profile%\Application Data\{random folder 1}\{random file name}.exe"

Other System Modifications

This spyware creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%Windows%\explorer.exe = "%Windows%\explorer.exe:*:Enabled:Windows Explorer"

Web Browser Home Page and Search Page Modification

This spyware modifies the Internet Explorer Zone Settings.

Download Routine

This spyware connects to the following URL(s) to download its component file(s):

  • {BLOCKED}a.com

Other Details

This spyware deletes itself after execution.