PWS-Zbot
- Type: Trojan
- SubType: Password Stealer
- Discovery Date: 12/19/2007
- Length: varies
- Minimum DAT: 5189 (12/19/2007)
- Updated DAT: 6548 (12/02/2011)
- Minimum Engine: 5.4.00
- Description Added: 12/19/2007
- Description Modified: 03/25/2011 9:07 AM (PT)
Risk Assessment
- Corporate User: Low-Profiled
- Home User: Low-Profiled
Characteristics
PWS-Zbot is a Trojan that steals online banking credentials and eventually sends them to a remote server.
----- Updated On March 25th, 2011 -----
File Information –
- MD5 - b531303c76329c6d836567a6c1399663
- SHA1 - 6090a4bbadee12dbb5faee90fc3f90da0518c5c7
Aliases -
- Avp - Trojan-Spy.Win32.Zbot.zxf
- Msmp - pws:win32/zbot.pg
- Nav - Infostealer.Banker.C
- Norman - W32/Zbot.GUB
Upon execution, the Trojan drops the following files.
- %WinDir%\system32\sdra64.exe [ detected as Generic PWS.bfr ]
- %WinDir%\system32\lowsec\local.ds
- %WinDir%\system32\lowsec\user.ds.lll
- %WinDir%\system32\lowsec\user.ds
It also connects to whatismyip.com to determine the victim computer's public IP address.
The Trojan updates itself using the following configuration file:
- [removed]-up2date.cn/cfg.ini
The following registry keys have been added
- HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation
- HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\IETld
- HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
- HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld
- HKEY_USERS\.DEFAULT\Software\Microsoft\Protected Storage System Provider
- HKEY_USERS\.DEFAULT\Software\Microsoft\Protected Storage System Provider\S-1-5-18
- HKEY_USERS\S-1-5-19\Software\Microsoft\Protected Storage System Provider
- HKEY_USERS\S-1-5-19\Software\Microsoft\Protected Storage System Provider\S-1-5-19
- HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\BrowserEmulation
- HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\IETld
- HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
- HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld
- HKEY_USERS\S-1-5-18\Software\Microsoft\Protected Storage System Provider
- HKEY_USERS\S-1-5-18\Software\Microsoft\Protected Storage System Provider\S-1-5-18
The following registry values have been added:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\
  UID = "ComputerName_0045781E"
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\
  EnableFirewall = 0x00000000
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\
  EnableFirewall = 0x00000000
The Trojan disables the firewall settings.
- HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation\
  TLDUpdates = 0x00000001
- HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\IETld\
  IETldDllVersionHigh = 0x00080000
  IETldDllVersionLow = 0x177149EB
  IETldVersionHigh = 0x00000001
  IETldVersionLow = 0x00000003
  StaleIETldCache = 0x00000001
- HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}\
  {3039636B-5F3D-6C64-6675-696870667265} = F7 09 F2 0D
  {33373039-3132-3864-6B30-303233343434} = 47 09 F2 0D
- HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\
  CachePath = "%USERPROFILE%\IETldCache"
  CachePrefix = "ietld:"
  CacheLimit = 0x00002000
  CacheOptions = 0x00000009
  CacheRepair = 0x00000000
- HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  AutoDetect = 0x00000000
- HKEY_USERS\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Network\
  UID = "ComputerName_00457B79"
- HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Network\
  UID = "ComputerName_004579F3"
- HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\BrowserEmulation\
  TLDUpdates = 0x00000001
- HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\IETld\
  IETldDllVersionHigh = 0x00080000
  IETldDllVersionLow = 0x177149EB
  IETldVersionHigh = 0x00000001
  IETldVersionLow = 0x00000003
  StaleIETldCache = 0x00000001
- HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}\
  {3039636B-5F3D-6C64-6675-696870667265} = F7 09 F2 0D
  {33373039-3132-3864-6B30-303233343434} = 47 09 F2 0D
- HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\
  CachePath = "%USERPROFILE%\IETldCache"
  CachePrefix = "ietld:"
  CacheLimit = 0x00002000
  CacheOptions = 0x00000009
  CacheRepair = 0x00000000
- HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  AutoDetect = 0x00000000
The following registry values have been modified:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
  Userinit = "%WinDir%\system32\userinit.exe,%WinDir%\system32\sdra64.exe,"
The above registry entry confirms that the Trojan executes every time Windows starts.
The following folders have been added:
- %WinDir%\system32\config\systemprofile\IETldCache
- %WinDir%\system32\lowsec
[Note: %WinDir% = C:\WINDOWS]
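The Winlogon Userinit value is the persistence mechanism this advisory keeps returning to: Windows runs every comma-separated program in that value at logon, and a clean system lists only userinit.exe. The following check, added here as an example and not McAfee's own tooling, splits the value, flags any entry whose file name is not userinit.exe, and also reports when the StandardProfile EnableFirewall value has been zeroed under either control set. It is written generally enough to catch all three Userinit variants quoted in this advisory (sdra64.exe, host32.exe and system32.exe). The two registry snapshots in the block are constructed sample data built from the values quoted above; read_live_snapshot() shows how the same values would be read on a Windows host with the standard winreg module, and returns None elsewhere.

```python
"""Check the Zbot Userinit persistence and firewall-disable indicators.

Added example for this advisory, not McAfee's code. INFECTED_SNAPSHOT and
CLEAN_SNAPSHOT are constructed sample data; read_live_snapshot() reads the
same values from a real Windows host.
"""
import re
from typing import Dict, List, Optional

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
FIREWALL_KEYS = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile",
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile",
)
# A clean Winlogon\Userinit value lists exactly one program: userinit.exe.
LEGITIMATE_USERINIT = "userinit.exe"


def userinit_entries(value: str) -> List[str]:
    """Split the comma-separated Userinit value; Windows tolerates a trailing comma."""
    return [p.strip() for p in value.split(",") if p.strip()]


def unexpected_userinit(value: str) -> List[str]:
    """Return every Userinit entry whose file name is not userinit.exe.

    Comparing only the file name keeps the check independent of whether the
    value is written with %WinDir% or a literal C:\\WINDOWS path.
    """
    flagged = []
    for entry in userinit_entries(value):
        file_name = re.split(r"[\\/]", entry)[-1].lower()
        if file_name != LEGITIMATE_USERINIT:
            flagged.append(entry)
    return flagged


def firewall_disabled(snapshot: Dict[str, object]) -> List[str]:
    """Return the StandardProfile keys where EnableFirewall has been set to 0."""
    return [k for k in FIREWALL_KEYS if snapshot.get(k + r"\EnableFirewall") == 0]


def assess(snapshot: Dict[str, object]) -> Dict[str, object]:
    """Combine both checks into one verdict for a registry snapshot."""
    userinit = str(snapshot.get(WINLOGON_KEY + r"\Userinit", ""))
    extras = unexpected_userinit(userinit)
    fw_off = firewall_disabled(snapshot)
    return {
        "userinit_extras": extras,
        "firewall_disabled": fw_off,
        "suspicious": bool(extras) or bool(fw_off),
    }


def read_live_snapshot() -> Optional[Dict[str, object]]:
    """Read the same values from a running Windows host; None on other platforms."""
    try:
        import winreg
    except ImportError:
        return None
    snapshot: Dict[str, object] = {}
    # Drop the "HKEY_LOCAL_MACHINE\" prefix to get the subkey path winreg expects.
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY.split("\\", 1)[1]) as key:
        snapshot[WINLOGON_KEY + r"\Userinit"] = winreg.QueryValueEx(key, "Userinit")[0]
    for full in FIREWALL_KEYS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, full.split("\\", 1)[1]) as key:
                snapshot[full + r"\EnableFirewall"] = winreg.QueryValueEx(key, "EnableFirewall")[0]
        except OSError:
            pass  # that profile key does not exist on this host
    return snapshot


# Constructed snapshots: the infected one uses the values quoted in the advisory,
# the clean one is a typical Windows XP baseline.
INFECTED_SNAPSHOT = {
    WINLOGON_KEY + r"\Userinit": r"%WinDir%\system32\userinit.exe,%WinDir%\system32\sdra64.exe,",
    FIREWALL_KEYS[0] + r"\EnableFirewall": 0,
    FIREWALL_KEYS[1] + r"\EnableFirewall": 0,
}
CLEAN_SNAPSHOT = {
    WINLOGON_KEY + r"\Userinit": r"C:\WINDOWS\system32\userinit.exe,",
    FIREWALL_KEYS[0] + r"\EnableFirewall": 1,
    FIREWALL_KEYS[1] + r"\EnableFirewall": 1,
}

if __name__ == "__main__":
    for label, snap in (("infected", INFECTED_SNAPSHOT), ("clean", CLEAN_SNAPSHOT)):
        print(label, assess(snap))
```

Because the comparison is on the file name alone, the check does not depend on how the path is spelled, which matters here since the same persistence value is quoted once with %WinDir% and once with C:\WINDOWS. A live run on a Windows host requires administrative rights for the SYSTEM hive keys.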
---------
-- Update November 11, 2010 --
Some variants have been discovered that can infect other files. The infected code includes a domain generation algorithm that produces random domain names.
-- Update August 13, 2010 --
A new variant of the Zbot malware family has been observed being distributed by spam. This update provides the specific characteristics of this variant.
PWS-Zbot may arrive under any of the following filenames. It is highly recommended that these filenames be blocked at e-mail gateways and firewalls.
- invite.exe
- resume.exe
- banquet invitations.exe
- car loan.exe
- cv july '10 finals.exe
- edmc application 2 07.exe
- f&r rehearsal.exe
- fun bunch summer 2010.exe
- labor distribution report.exe
- lance armstrong.exe
- morgan hunt.exe
- nh ess access guidelines.exe
- order_74hhdnsj3hex.exe
- online passport application for passport office.exe
- Allhotels.exe
Spammed emails may have the following as subjects:
- In USA on August 15 and 16
- Your reservation is confirmed - Ref: 12652/886645
Upon execution it creates a copy of itself with one of the following names:
- %WINDIR%\host32.exe
- %WINDIR%\system32.exe
These dropped files have a random amount of garbage appended to their end, so their size may vary.
The following files are also created to store stolen information such as user keystrokes and web banking information.
- %WINDIR%\jh87uhnoe3\ewf32.nls
- %WINDIR%\jh87uhnoe3\ewfrvbb.nls
It modifies the following registry value to one of these settings:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\host32.exe,"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32.exe,"
It creates the following registry keys:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network PID "%computername%"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{61AE298E-1E2E-1083-BD89-63E91F7CB59D} = <4 bytes data>
It hooks several Windows functions (API), hiding the files mentioned above from a regular user's view.
It injects malicious code into the following processes in memory to monitor itself and restart in case any thread is removed or stopped by cleaning applications.
- lsass.exe
- services.exe
- Any process created after the infection
It lowers Internet Explorer security settings to allow any software to be executed in webpages without user knowledge. Please check the following link to understand the risk: http://support.microsoft.com/kb/182569
It opens a backdoor at a random and high numbered TCP port.
Some versions of this threat were observed to activate the Windows Terminal Services daemon and to patch the Microsoft Terminal Services DLL to disable authentication, opening the machine to any remote desktop client.
-- January 21, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2009/01/21/airline_ticket_malware_scam/
Generic Characteristics of the PWS-Zbot Family
The malicious program has the ability to steal login/password information from several services and programs, including:
- FTP communication
- HTTP authentication
- HTTP cookies
- user digital certificates
- FTP client configuration (FlashFXP, SmartFTP, WinSCP, Far Manager, WS_FTP, etc.)
It can also capture screenshots.
It adds or modifies the following registry keys and values:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID = "MACHINE_NAME"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "%WINDIR%\system32\userinit.exe,%WINDIR%\system32\sdra64.exe,"
- HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{F710FA10-2031-3106-8872-93A2B5C5C620} = F7 09 F2 0D
- HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = 0x00000000
The program injects malicious code into the winlogon.exe and svchost.exe processes.
The Windows Firewall is disabled.
The following files or directories are created:
- %WINDIR%\system32\lowsec\local.ds (data file)
- %WINDIR%\system32\lowsec\user.ds (data file)
- %WINDIR%\system32\lowsec\user.ds.lll (data file)
- %WINDIR%\system32\sdra64.exe (PWS-Zbot)
- %WINDIR%\system32\ntos.exe
- %WINDIR%\system32\wsnpoem\audio.dll
- %WINDIR%\system32\wsnpoem\video.dll
- %Root%\RECYCLER\S-1-5-21-4616592079-8080907928-828616482-2104
- Sysdate.exe
- Wuaclt.exe
- %Root%\Temp[random numeral]
- autorun.inf (in external drives)
- desktop.ini (in external drives)
- [Filename similar to valid Windows applications].exe
(Where %WINDIR% refers to the directory where Windows is installed. For Windows XP, this usually means C:\Windows.)
It creates a mutex named _AVIRA_2108 inside svchost.exe and _AVIRA_2109 inside winlogon.exe.
The malware also listens for connections on a high TCP port. The following ports have been observed in this variant:
- TCP/21957
- TCP/16629
Contact may also be initiated with the following domains over UDP port 11223:
- butterfly.[removed].biz
- butterfly.[removed].es
- qwertasdfg.[removed].es
It tries to download a configuration file from external sites such as the following:
- hxxp://hiho[removed].com/httpd/loc.so
Some variants are observed to spread through removable drives by creating an autorun.inf file, which will then run the worm automatically if Autorun is enabled on the system.
Symptoms
Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).
In some cases, however, the following additional steps need to be taken.
Go to the Microsoft Recovery Console and restore a clean MBR.
On Windows XP:
- Insert the Windows XP CD into the CD-ROM drive and restart the computer.
- When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
- Select the Windows installation that is compromised and provide the administrator password.
- Issue the 'fixmbr' command to restore the Master Boot Record.
- Follow the onscreen instructions.
- Restart the computer and remove the CD from the CD-ROM drive.
On Windows Vista and 7:
- Insert the Windows CD into the CD-ROM drive and restart the computer.
- Click on "Repair Your Computer".
- When the System Recovery Options dialog comes up, choose the Command Prompt.
- Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
- Follow the onscreen instructions.
- Restart the computer and remove the CD from the CD-ROM drive.
Variants
- Spy-Agent.bw
Aliases
- Zeus