Content

PWS-Zbot

Type
Trojan
SubType
Password Stealer
Discovery Date
12/19/2007
Length
varies
Minimum DAT
5189 (12/19/2007)
Updated DAT
5795 (11/07/2009)
Minimum Engine
5.1.00
Description Added
12/19/2007
Description Modified
09/28/2009 1:44 PM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Tab Navigation

Characteristics

PWS-Zbot is a Trojan that steals online banking credentials and eventually sends them to a remote server.

Upon execution, it drops the following files into the Windows system directory:

  • %Windir%\%SYSDIR%\ntos.exe
  • %Windir%\%SYSDIR%\wsnpoem\audio.dll
  • %Windir%\%SYSDIR%\wsnpoem\video.dll

Adds the string “C:\%WINDIR%\system32\ntos.exe” to the “Userinit” value in the following registry key in order to run at Windows start up:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

The newly created Registry Values are:

o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network]
                + UID = "%ComputerName%" (adds computer name)

o [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer]
                + {F710FA10-2031-3106-8872-93A2B5C5C620} = F7 09 F2 0D

o [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
                + ProxyEnable = 0x00000000

== Update September 28, 2009 ==

A new variant attempts to spread to removable drives by creating an autorun.inf file, which will then run the worm automatically if a system which uses the removable drive is set to Autorun.

Upon execution, the following directory is created:

o %Root%\RECYCLER\S-1-5-21-4616592079-8080907928-828616482-2104

A copy of the worm is dropped into this directory, along with a Desktop.ini file. The copy is named similar to a file that Windows would use. These may include:

  • Sysdate.exe
  • Wuaclt.exe

The following value/data pair is also added:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Taskman"
    Data: %Root%\RECYCLER\S-1-5-21-4616592079-8080907928-828616482-2104\[Filename].exe

Removable devices that become infected may exhibit the following behavior.

The following file is added to the root of the drive:

  • Autorun.inf

A folder is created with a directory name similar to the below:

  • %Root%\Temp[random numeral]

Within this directory, the following files may be added:

  • Dekstop.ini
  • [Filename similar to valid Windows applications].exe


Contact may also be initiated with the following domains over UDP 11223:

  • butterfly.[removed].biz
  • butterfly.[removed].es
  • qwertasdfg.[removed].es

All the while, the worm is injected into explorer.exe.

Symptoms

 

  • PWS-Zbot may prevent some applications to be started.
  • Existence of the aforementioned files and registry entries
  • Existence of communications to the aforementioned domains
  • Unexpected HTTP traffic.

    • Method of Infection

    Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

    Removal

    All Users:
    Use current engine and DAT files for detection and removal.

    Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

    Additional Windows ME/XP removal considerations

    Variants

    Variants

      N/A

    All Information

    Overview -

    -- January 21, 2009 --
    The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
    http://www.theregister.co.uk/2009/01/21/airline_ticket_malware_scam/

    --

    This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

    Characteristics

    Characteristics -

    PWS-Zbot is a Trojan that steals online banking credentials and eventually sends them to a remote server.

    Upon execution, it drops the following files into the Windows system directory:

    • %Windir%\%SYSDIR%\ntos.exe
    • %Windir%\%SYSDIR%\wsnpoem\audio.dll
    • %Windir%\%SYSDIR%\wsnpoem\video.dll

    Adds the string “C:\%WINDIR%\system32\ntos.exe” to the “Userinit” value in the following registry key in order to run at Windows start up:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    The newly created Registry Values are:

    o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network]
                    + UID = "%ComputerName%" (adds computer name)

    o [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer]
                    + {F710FA10-2031-3106-8872-93A2B5C5C620} = F7 09 F2 0D

    o [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
                    + ProxyEnable = 0x00000000

    == Update September 28, 2009 ==

    A new variant attempts to spread to removable drives by creating an autorun.inf file, which will then run the worm automatically if a system which uses the removable drive is set to Autorun.

    Upon execution, the following directory is created:

    o %Root%\RECYCLER\S-1-5-21-4616592079-8080907928-828616482-2104

    A copy of the worm is dropped into this directory, along with a Desktop.ini file. The copy is named similar to a file that Windows would use. These may include:

    • Sysdate.exe
    • Wuaclt.exe

    The following value/data pair is also added:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Taskman"
      Data: %Root%\RECYCLER\S-1-5-21-4616592079-8080907928-828616482-2104\[Filename].exe

    Removable devices that become infected may exhibit the following behavior.

    The following file is added to the root of the drive:

    • Autorun.inf

    A folder is created with a directory name similar to the below:

    • %Root%\Temp[random numeral]

    Within this directory, the following files may be added:

    • Dekstop.ini
    • [Filename similar to valid Windows applications].exe


    Contact may also be initiated with the following domains over UDP 11223:

    • butterfly.[removed].biz
    • butterfly.[removed].es
    • qwertasdfg.[removed].es

    All the while, the worm is injected into explorer.exe.

    Symptoms

    Symptoms -

     

  • PWS-Zbot may prevent some applications to be started.
  • Existence of the aforementioned files and registry entries
  • Existence of communications to the aforementioned domains
  • Unexpected HTTP traffic.

    • Method of Infection

    Method of Infection -

    Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

    Removal -

    Removal -

    All Users:
    Use current engine and DAT files for detection and removal.

    Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

    Additional Windows ME/XP removal considerations

    Variants

    Variants -

      N/A