TSPY_ZBOT.JWZB

This spyware attempts to steal information, such as user names and passwords, used when logging into certain banking or finance-related websites.

Arrival Details

This spyware may be downloaded from the following remote sites:

• http://{BLOCKED}knhafOKYsl4yLtPKutM.net/panel3/ppnl3.exe

Installation

This spyware adds the following folders:

• %Application Data%\{random folder name 1}
• %Application Data%\{random folder name 2}

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)

It injects itself into the following processes running in the affected system's memory:

• explorer.exe
• taskhost.exe
• taskeng.exe
• Dwm.exe
• wscntfy.exe
• ctfmon.exe
• rdpclip.exe

Autostart Technique

This spyware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{GUID} = %Application Data%\{random folder name 1}\{random file name}.exe

It drops the following files:

• %Application Data%\{random folder name 1}\{random file name}.exe - copy of itself
• %Application Data%\{random folder name 2}\{random file name} - contains encrypted stolen data

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)

Other System Modifications

This spyware adds the following registry keys as part of its installation routine:

HKEY_CURRENT_USER\Software\Microsoft\
{random characters}

It creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%Windows%\EXPLORER.EXE = %Windows%\EXPLORER.EXE:*:Enabled:Windows Explorer

Information Theft

This spyware monitors the Internet Explorer (IE) activities of the affected system, specifically the address bar or title bar. It recreates a legitimate website with a spoofed login page if a user visits banking sites with the following strings in the address bar or title bar:

• *.bankinter.com/www/es-es/cgi/*home*
• *.bankinter.com/www/es-es/cgi/*integral
• *.bankinter.com/www/es-es/cgi/ebk+opr*
• *.ccm.es*
• *.ccm.es/*inicio_identificacionAAAA*
• *.deutsche-bank.es*login*
• *.ingdirect.es*Transactional/faces/views/getClientID*
• *bancopastor.es/*SrPd*
• *banesnet.banesto.es*cabeza_bk*
• *banesnet.banesto.es*dse_nextEventName=start
• *banesnet.banesto.es*s.bto
• *banesnet.banesto.es/npage/loginEmpresas*
• *caixacatalunya.com*/es/ccpublic/*
• *cajaduero.es*
• *cajaduero.es*microsite*
• *lacajaencasa.cajacanarias.es*identificacion*
• *lloydstsb.es/VirtualBank/servlet/LoadMenuOperaciones*
• *online.halifax.es/main*
• *pastornetempresas.bancopastor.es/SrPd*
• *ps://pastornetparticulares.bancopastor.es/*SrPd*
• *ruralvia.com/isum/Main?ISUM_ID=portlets_area*
• *s://pastornetempresas.bancopastor.es/SrPd*
• *ww3.deutsche-bank.es/*
• https://bancae.caixapenedes.com*
• https://bancae.caixapenedes.com/mcpenedesnl/*
• https://bancopostaimpresaonline.poste.it/bpiol/lastFortyMovementsBalance.do?method=loadLastFortyMovementList*
• https://banesnet.banesto.es*sugerencias*
• https://banesnet.banesto.es/*ChannelDriver*
• https://barclaysnet.barclays.es/servlet/com.ibm.dse.cs.servlet*
• https://be.bancogallego.es/inithome*
• https://be.cajamurcia.es/BEWeb/*ps0002m004_0*
• https://be.cajamurcia.es/BEWeb/*psINICm_0*
• https://caixagestionempresas.caixagalicia.es/*/inicio_identificacion.action*
• https://cajacanariasonline.cajacanarias.es/*/inicio_identificacion_portal*
• https://ce.caixalaietana.es/BEWeb/2042/2042*_m_COMUN*
• https://net.kutxa.net/*/tmpl/es/loginkn*
• https://oficina24hores.caixagirona.es/BEWeb/2030/1030/inicio_identificacion*
• https://oie.cajamadridempresas.es/CajaMadrid/oie/pt_oie/Login/*
• https://online.halifax.es/main*
• https://pastornetempresas.bancopastor.es/*SrPd*
• https://pastornetempresas.bancopastor.es/EMPBEEMPA_F.jsp?*
• https://pastornetempresas.bancopastor.es/titEMPBEEMPA*
• https://pastornetparticulares.bancopastor.es/*SrPd*
• https://pastornetparticulares.bancopastor.es/BEPBEBEPA_F.jsp
• https://pastornetparticulares.bancopastor.es/SrPd;jsessionid=*
• https://pastornetparticulares.bancopastor.es/titBEPBEBEPA*
• https://seguro.cam.es*SvlHistoricoMovimientosCAM*
• https://seguro.cam.es*SvlSaldoCAM*
• https://telematic.caixamanlleu.es/ISMC/Manlleu_cat/acceso*
• https://vitalnet.cajavital.es/BEWeb/*/inicio_identificacion*
• https://ww3.deutsche-bank.es*NetiServlet*
• https://www.bancomediolanum.es/*
• https://www.banesto.es/cs/Satellite*HomeEmpresas*
• https://www.bankinter.com*
• https://www.bvi.bancodevalencia.es/inithome*
• https://www.caixatarragona.es/*/oficinacodigo*
• https://www.cajaduero.es/CajaElectronica/boxer/*
• https://www.cajaespana.net/convivencia/servlet/ServletCTRL
• https://www.cajalaboral.com/home/acceso.asp
• https://www.gruposantander.es/*
• https://www.iknet.iparkutxa.es/intro*
• https://www.lloydstsb.es/VirtualBank/*
• https://www.lloydstsb.es/VirtualBank/servlet/LoadMenuOperaciones*
• https://www.ruralvia.com/isum/Main*

It accesses the following site to download its configuration file:

• http://{BLOCKED}knhafOKYsl4yLtPKutM.net/panel3/ppnl3.bin
• http://{BLOCKED}DQTGSMru8lUlZUzwwAx.net/panel3/ppnl3.bin
• http://{BLOCKED}rhRBIeb30LbflcMj7Ru.net/panel3/ppnl3.bin
• http://{BLOCKED}U1p8IbutczX1uLvsJ5L.net/panel3/ppnl3.bin
• http://{BLOCKED}3tlT0wTkOiq5yBUGqle.net/panel3/ppnl3.bin
• http://{BLOCKED}mWjY4DGtgt2eLbZwMQu.net/panel3/ppnl3.bin
• http://{BLOCKED}mChTl4FlrhdfNGr4jNL.net/panel3/ppnl3.bin
• http://{BLOCKED}XpKnuYPkizBWDCZFOLQ.net/panel3/ppnl3.bin
• http://{BLOCKED}dJAkf0vwcFPGymeOrjs.net/panel3/ppnl3.bin
• http://{BLOCKED}marivanna.info/ppnl3.bin

It attempts to steal information from the following banks and/or other financial institutions:

• Banco Gallego
• Banco Mediolanum
• Banco Pastor
• Banco de Valencia
• Banesto
• Bankinter
• Barclays
• CCM
• Caixa Catalunya
• Caixa Galicia
• Caixa Girona
• Caixa Laietana
• Caixa Manlleu
• Caixa Penedès
• Caixa Tarragona
• Caja Canarias
• Caja Duero
• Caja España
• Caja Laboral
• Caja Madrid
• Caja Murcia
• Caja Vital
• Deutsche Bank
• Halifax
• ING Direct
• Kutxanet
• Lloyds
• PosteItaliane
• Ruralvia
• Santander

Drop Points

Stolen information is uploaded to the following websites:

• http://{BLOCKED}knhafOKYsl4yLtPKutM.net/panel3/gotobank.php

Other Details

This spyware does the following:

• Adds the following registry entries to disable Internet Explorer (IE):

  HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter
  Enabled = 0
  EnabledV8 = 0

• Steals the following information:
  • Personal certificates (MY)
  • FTP credentials for the following FTP applications:
    • FlashXP
    • Ghisler
    • IPSwitch
    • Filezilla
    • FTPFar
    • WinSCP
    • FTPCommander
    • CoreFTP
    • SmartFTP
  • Flashplayer data
  • Internet session cookies

Variant Information

This spyware has the following MD5 hashes:

• 547c0e1a9fd93b52f95ce6b4cb3e30dd

It has the following SHA1 hashes:

• 2265705630f1ba7f07e59d65407552ca43b38b82