PWS-Zbot

Type: Trojan
SubType: Password Stealer
Discovery Date: 12/19/2007
Length: varies
Minimum DAT: 5189 (12/19/2007)
Updated DAT: 6548 (12/02/2011)
Minimum Engine: 5.4.00
Description Added: 12/19/2007
Description Modified: 03/25/2011 9:07 AM (PT)

Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Characteristics

PWS-Zbot is a Trojan that steals online banking credentials and eventually sends them to a remote server.

-- Update March 25, 2011 --

File Information –

    • MD5 - b531303c76329c6d836567a6c1399663
    • SHA1 - 6090a4bbadee12dbb5faee90fc3f90da0518c5c7

Aliases -

    • Avp - Trojan-Spy.Win32.Zbot.zxf
    • Msmp - pws:win32/zbot.pg
    • Nav - Infostealer.Banker.C
    • Norman - W32/Zbot.GUB

Upon execution, the Trojan drops the following files.

    • %WinDir%\system32\sdra64.exe [ detected as Generic PWS.bfr ]
    • %WinDir%\system32\lowsec\local.ds
    • %WinDir%\system32\lowsec\user.ds.lll
    • %WinDir%\system32\lowsec\user.ds

It also connects to whatismyip.com to learn the victim computer's public IP address.

The Trojan updates itself using the following configuration file:

    • [removed]-up2date.cn/cfg.ini

The following registry keys have been added

    • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation
    • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\IETld
    • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
    • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld
    • HKEY_USERS\.DEFAULT\Software\Microsoft\Protected Storage System Provider
    • HKEY_USERS\.DEFAULT\Software\Microsoft\Protected Storage System Provider\S-1-5-18
    • HKEY_USERS\S-1-5-19\Software\Microsoft\Protected Storage System Provider
    • HKEY_USERS\S-1-5-19\Software\Microsoft\Protected Storage System Provider\S-1-5-19
    • HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\BrowserEmulation
    • HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\IETld
    • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
    • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld
    • HKEY_USERS\S-1-5-18\Software\Microsoft\Protected Storage System Provider
    • HKEY_USERS\S-1-5-18\Software\Microsoft\Protected Storage System Provider\S-1-5-18

The following registry values have been added

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\
      UID = "ComputerName_0045781E"
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\
      EnableFirewall = 0x00000000
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\
      EnableFirewall = 0x00000000

The EnableFirewall values above disable the Windows Firewall for the standard profile. The following values are also added under the .DEFAULT, S-1-5-18, S-1-5-19 and S-1-5-20 hives:

    • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation\
      TLDUpdates = 0x00000001
    • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\IETld\
      IETldDllVersionHigh = 0x00080000
      IETldDllVersionLow = 0x177149EB
      IETldVersionHigh = 0x00000001
      IETldVersionLow = 0x00000003
      StaleIETldCache = 0x00000001
    • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}\
      {3039636B-5F3D-6C64-6675-696870667265} = F7 09 F2 0D
    • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}\
      {33373039-3132-3864-6B30-303233343434} = 47 09 F2 0D
    • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\
      CachePath = "%USERPROFILE%\IETldCache"
      CachePrefix = "ietld:"
      CacheLimit = 0x00002000
      CacheOptions = 0x00000009
      CacheRepair = 0x00000000
    • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
      AutoDetect = 0x00000000
    • HKEY_USERS\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Network\
      UID = " ComputerName_00457B79"
    • HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Network\
      UID = " ComputerName_004579F3"
    • HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\BrowserEmulation\
      TLDUpdates = 0x00000001
    • HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\IETld\
      IETldDllVersionHigh = 0x00080000
      IETldDllVersionLow = 0x177149EB
      IETldVersionHigh = 0x00000001
      IETldVersionLow = 0x00000003
      StaleIETldCache = 0x00000001
    • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}\
      {3039636B-5F3D-6C64-6675-696870667265} = F7 09 F2 0D
    • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}\
      {33373039-3132-3864-6B30-303233343434} = 47 09 F2 0D
    • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\
      CachePath = "%USERPROFILE%\IETldCache"
      CachePrefix = "ietld:"
      CacheLimit = 0x00002000
      CacheOptions = 0x00000009
      CacheRepair = 0x00000000
    • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
      AutoDetect = 0x00000000

The following registry values have been modified

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
      Userinit = "%WinDir%\system32\userinit.exe,%WinDir%\system32\sdra64.exe,"

The Userinit entry above is the persistence mechanism: Winlogon runs every comma-separated program listed in that value at logon, so the Trojan executes every time Windows starts.

The following folders have been added:

    • %WinDir%\system32\config\systemprofile\IETldCache
    • %WinDir%\system32\lowsec

[Note: %WinDir% = C:\WINDOWS]

---------

-- Update November 11, 2010 --

Some variants have been discovered that can infect other files. The infecting code includes a domain generation algorithm (DGA) that produces random contact domains.

-- Update August 13, 2010 --

A new variant of the Zbot malware family is seen being spammed. This update provides specific characteristics of this variant.

PWS-Zbot may arrive under any of the following filenames. Blocking them at e-mail gateways and firewalls is strongly recommended.

    • fun bunch summer 2010.exe
    • invite.exe
    • resume.exe
    • banquet invitations.exe
    • car loan.exe
    • cv july '10 finals.exe
    • edmc application 2 07.exe
    • f&r rehearsal.exe
    • labor distribution report.exe
    • lance armstrong.exe
    • morgan hunt.exe
    • nh ess access guidelines.exe
    • order_74hhdnsj3hex.exe
    • online passport application for passport office.exe
    • Allhotels.exe

Spammed emails may have the following as subjects:

    • In USA on August 15 and 16
    • Your reservation is confirmed - Ref: 12652/886645
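To turn the filename and subject lists above into a gateway rule, the following Python is an added example, not McAfee's or the page's own code. It normalizes the attachment name before matching so that case, a leading path and whitespace differences do not defeat the list, and it also blocks executable attachments in general, including double-extension names such as resume.pdf.exe. The extension set beyond .exe, and matching on subject for non-executable attachments, are assumptions of the example, not claims from the page.

```python
import unicodedata
from typing import Optional

# Lure filenames and subjects listed on this page for the August 2010 campaign.
KNOWN_LURE_NAMES = {
    'fun bunch summer 2010.exe', 'invite.exe', 'resume.exe', 'banquet invitations.exe',
    'car loan.exe', "cv july '10 finals.exe", 'edmc application 2 07.exe', 'f&r rehearsal.exe',
    'labor distribution report.exe', 'lance armstrong.exe', 'morgan hunt.exe',
    'nh ess access guidelines.exe', 'order_74hhdnsj3hex.exe',
    'online passport application for passport office.exe', 'allhotels.exe',
}
KNOWN_SUBJECTS = {
    'in usa on august 15 and 16',
    'your reservation is confirmed - ref: 12652/886645',
}
# Assumption: extensions beyond the page's .exe-only list that Windows also runs directly.
EXECUTABLE_EXTS = {'.exe', '.scr', '.pif', '.com', '.bat', '.cmd'}


def normalize_name(filename: str) -> str:
    """Strip any path, NFKC-fold (e.g. full-width letters), collapse whitespace, lower-case."""
    base = filename.replace('\\', '/').rsplit('/', 1)[-1]
    base = unicodedata.normalize('NFKC', base)
    return ' '.join(base.split()).lower()


def classify_attachment(filename: str, subject: Optional[str] = None) -> Optional[str]:
    """Return the reason to block an attachment, or None if it may pass.
    Checks run from most to least specific: known lure name, executable type, known spam subject."""
    name = normalize_name(filename)
    if name in KNOWN_LURE_NAMES:
        return 'known PWS-Zbot lure filename'
    parts = name.split('.')
    ext = '.' + parts[-1] if len(parts) > 1 else ''
    if ext in EXECUTABLE_EXTS:
        # Names like "resume.pdf.exe" rely on Explorer hiding the real extension.
        if len(parts) > 2:
            return 'executable disguised with a double extension'
        return 'executable attachment'
    if subject is not None and ' '.join(subject.split()).lower() in KNOWN_SUBJECTS:
        return 'known PWS-Zbot spam subject'
    return None


if __name__ == '__main__':
    samples = [('Invite.EXE', None), ('resume.pdf.exe', None),
               ('itinerary.pdf', 'In USA on August 15 and 16'), ('report.pdf', None)]
    for f, s in samples:
        print(f'{f:20} -> {classify_attachment(f, s)}')
```

Blocking on the exact filenames alone is weak, since the lure names change per spam run; the executable-type check is what actually stops the next campaign.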

Upon execution it creates a copy of itself with one of the following names:

    • %WINDIR%\host32.exe
    • %WINDIR%\system32.exe

These dropped files have a random amount of garbage appended to their end, so their size varies from copy to copy (and a hash of one copy will not match another).

The following files are also created to store stolen information such as user keystrokes and web banking data:

    • %WINDIR%\jh87uhnoe3\ewf32.nls
    • %WINDIR%\jh87uhnoe3\ewfrvbb.nls

It modifies the following registry value to one of the following:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\host32.exe,"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32.exe,"

It creates the following registry values:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network PID "%computername%"
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{61AE298E-1E2E-1083-BD89-63E91F7CB59D} = <4 bytes data>

It hooks several Windows functions (API), hiding the files mentioned above from a regular user's view.

It injects malicious code into the following processes in memory to watch over itself and restart it if any of its threads is terminated by cleaning tools:

    • lsass.exe
    • services.exe
    • Any process created after the infection

It lowers Internet Explorer security settings so that content on web pages can be executed without the user's knowledge. See the following link for the risk this carries: http://support.microsoft.com/kb/182569

It opens a backdoor on a random high-numbered TCP port.

Some versions of this threat were observed to enable the Windows Terminal Services service and to patch the Microsoft Terminal Services DLL to disable authentication, opening the machine to any remote desktop client.

-- January 21, 2009 --

The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2009/01/21/airline_ticket_malware_scam/

Generic Characteristics of the PWS-Zbot Family

The malicious program is able to steal login/password information from several services and programs, including:

    • FTP communication
    • HTTP authentication
    • HTTP cookies
    • user digital certificates
    • FTP client configurations (FlashFXP, SmartFTP, WinSCP, Far Manager, WS_FTP, etc.)

It can also capture screenshots.

It adds or modifies the following registry values:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID = "MACHINE_NAME"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "%WINDIR%\system32\userinit.exe,%WINDIR%\system32\sdra64.exe,"
    • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{F710FA10-2031-3106-8872-93A2B5C5C620} = F7 09 F2 0D
    • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = 0x00000000

The program injects malicious code into the winlogon.exe and svchost.exe processes.

The Windows Firewall is disabled.
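The Userinit entry above, and the identical entry in the March 2011 sample earlier on this page, is the detail worth automating: Winlogon runs every comma-separated program in that value, so any entry beyond the stock userinit.exe is a persistence finding. The following Python is an added example and not McAfee's or the page's own code. It parses a constructed `reg export` excerpt of the Winlogon, Network and FirewallPolicy keys this page lists and reports the extra Userinit program, the EnableFirewall = 0 setting and the Network\UID marker. Value-name lookups are case-insensitive; the expansion of %WinDir% to C:\WINDOWS is an assumption taken from the page's note, and only quoted-string and dword value types are parsed.

```python
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (category, detail)

# Constructed excerpt of a `reg export` for the keys listed on this page; not from a real host.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\sdra64.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network]
"UID"="WORKSTATION_0045781E"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
'''

REG_KEY_RE = re.compile(r'^\[(.+)\]$')
REG_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# The stock Userinit value is "%WinDir%\system32\userinit.exe," (with the trailing comma).
EXPECTED_USERINIT = {r'c:\windows\system32\userinit.exe'}
ASSUMED_WINDIR = r'C:\WINDOWS'  # assumption: XP-era default, as in the page's note


def _unescape(s: str) -> str:
    # Undo .reg escaping: a backslash followed by any character stands for that character.
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the subset of .reg syntax that `reg export` emits: [key] headers, quoted
    strings and dword values. Value names are lower-cased (registry names are case-insensitive)."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        m = REG_KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = REG_VALUE_RE.match(line)
        if m and current is not None:
            name, val = _unescape(m.group(1)).lower(), m.group(2)
            if val.startswith('"') and val.endswith('"'):
                keys[current][name] = _unescape(val[1:-1])
            elif val.lower().startswith('dword:'):
                keys[current][name] = int(val[6:], 16)
            else:
                keys[current][name] = val  # hex: and other types kept raw
    return keys


def _normalize_path(p: str) -> str:
    p = p.strip().strip('"')
    p = re.sub(r'%(windir|systemroot)%', lambda _m: ASSUMED_WINDIR, p, flags=re.IGNORECASE)
    return p.lower()


def userinit_extras(value: str) -> List[str]:
    """Return every program in a Userinit value other than the stock userinit.exe."""
    entries = [e.strip() for e in value.split(',') if e.strip()]
    return [e for e in entries if _normalize_path(e) not in EXPECTED_USERINIT]


def triage(keys: Dict[str, Dict[str, object]]) -> List[Finding]:
    """Apply this page's registry indicators to the parsed keys."""
    findings: List[Finding] = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith(r'\winlogon') and isinstance(values.get('userinit'), str):
            for extra in userinit_extras(values['userinit']):
                findings.append(('persistence', f'Userinit launches {extra}'))
        if r'\firewallpolicy\standardprofile' in k and values.get('enablefirewall') == 0:
            findings.append(('defense-evasion', f'Windows Firewall disabled under {key}'))
        if k.endswith(r'\windows nt\currentversion\network') and 'uid' in values:
            findings.append(('bot-marker', f'Network\\UID = {values["uid"]!r}'))
    return findings


if __name__ == '__main__':
    for category, detail in triage(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f'{category:16} {detail}')
```

On a live XP host the same checks can be fed from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg` and the corresponding exports of the other two keys; the Userinit check is the high-confidence one, since a second program in that value has no legitimate reason to be there on a workstation.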

The following files or directories are created:

    • %WINDIR%\system32\lowsec\local.ds (data file)
    • %WINDIR%\system32\lowsec\user.ds (data file)
    • %WINDIR%\system32\lowsec\user.ds.lll (data file)
    • %WINDIR%\system32\sdra64.exe (PWS-Zbot)
    • %WINDIR%\system32\ntos.exe
    • %WINDIR%\system32\wsnpoem\audio.dll
    • %WINDIR%\system32\wsnpoem\video.dll
    • %Root%\RECYCLER\S-1-5-21-4616592079-8080907928-828616482-2104
    • Sysdate.exe
    • Wuaclt.exe
    • %Root%\Temp[random numeral]
    • autorun.inf (in external drives)
    • desktop.ini (in external drives)
    • [Filename similar to valid Windows applications].exe

(Where %WINDIR% refers to the directory where Windows is installed. For Windows XP this is usually C:\Windows.)

It creates mutexes named _AVIRA_2108 in svchost.exe and _AVIRA_2109 in winlogon.exe.

The malware also listens for connections on a high TCP port. The following ports have been observed in this variant:

    • TCP/21957
    • TCP/16629

Contact may also be initiated with the following domains over UDP 11223:

    • butterfly.[removed].biz
    • butterfly.[removed].es
    • qwertasdfg.[removed].es

It tries to download a configuration file from external sites such as the following:

    • hxxp://hiho[removed].com/httpd/loc.so

Some variants are observed to spread through removable drives by creating an autorun.inf file, which runs the malware automatically if the system has AutoRun enabled.

Symptoms

    • PWS-Zbot may prevent some applications from starting.
    • Existence of the aforementioned files and registry entries
    • Existence of communications to the aforementioned domains
    • Unexpected HTTP traffic
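The network-side symptoms above (contact with the listed domains, unexpected HTTP traffic) can be checked mechanically. The following Python is an added example, not the page's or McAfee's code, that applies this page's indicators to constructed samples of `netstat -ano` output, flow records and a proxy log: the listening ports TCP/21957 and TCP/16629, UDP to port 11223 on an external address, the whatismyip.com lookup, and fetches of cfg.ini or /httpd/loc.so. Because the page redacts the actual domains, matching is on ports and URL paths; the sample data, the three log formats and the "www." host form are assumptions of the example.

```python
import ipaddress
from typing import List, Tuple
from urllib.parse import urlsplit

Finding = Tuple[str, str]  # (indicator class, detail)

# Indicators taken from this page. The C2 domains are redacted there, so matching is on ports and paths.
ZBOT_LISTEN_PORTS = {21957, 16629}
ZBOT_UDP_PORT = 11223
CONFIG_PATHS = ('/cfg.ini', '/httpd/loc.so')
IP_LOOKUP_HOSTS = {'whatismyip.com', 'www.whatismyip.com'}  # the "www." form is an assumption

# "Internal" ranges for the UDP check; anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '127.0.0.0/8')]

# Constructed sample data (not from a real host): `netstat -ano`, flow records, proxy log.
NETSTAT_SAMPLE = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:21957          0.0.0.0:0              LISTENING       1420
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1004
  TCP    192.168.1.20:1031      198.51.100.9:80        ESTABLISHED     1420
"""
FLOW_SAMPLE = """\
udp 192.168.1.20:1029 203.0.113.7:11223
udp 192.168.1.20:137 192.168.1.255:137
tcp 192.168.1.21:1044 192.168.1.5:445
"""
PROXY_SAMPLE = """\
192.168.1.20 GET http://www.whatismyip.com/
192.168.1.20 GET http://cfg-host.invalid/cfg.ini
192.168.1.21 GET http://www.microsoft.com/
"""


def check_listeners(netstat_text: str) -> List[Finding]:
    """Flag listening TCP sockets on the backdoor ports the page names. Other high-numbered
    listeners get a 'review' entry, because the page says the port is random per variant."""
    findings: List[Finding] = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != 'TCP' or 'LISTENING' not in parts:
            continue
        port = int(parts[1].rsplit(':', 1)[1])
        pid = parts[-1]
        if port in ZBOT_LISTEN_PORTS:
            findings.append(('backdoor-port', f'TCP/{port} LISTENING pid {pid}'))
        elif port >= 1024:
            findings.append(('review', f'TCP/{port} LISTENING pid {pid} (unexpected high port)'))
    return findings


def check_flows(flow_text: str) -> List[Finding]:
    """Flag UDP to port 11223 on an external destination (the page's C2 contact channel)."""
    findings: List[Finding] = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        proto, src, dst = line.split()
        dst_ip, dst_port = dst.rsplit(':', 1)
        ip = ipaddress.ip_address(dst_ip)
        external = not any(ip in net for net in INTERNAL_NETS)
        if proto == 'udp' and int(dst_port) == ZBOT_UDP_PORT and external:
            findings.append(('c2-udp', f'{src} -> {dst}'))
    return findings


def check_proxy(proxy_text: str) -> List[Finding]:
    """Flag the external-IP lookup and the configuration-file fetches the page describes."""
    findings: List[Finding] = []
    for line in proxy_text.splitlines():
        if not line.strip():
            continue
        client, _method, url = line.split()
        u = urlsplit(url)
        if (u.hostname or '') in IP_LOOKUP_HOSTS:
            findings.append(('ip-lookup', f'{client} -> {u.hostname}'))
        if u.path.lower().endswith(CONFIG_PATHS):
            findings.append(('config-fetch', f'{client} -> {url}'))
    return findings


def run_all() -> List[Finding]:
    return check_listeners(NETSTAT_SAMPLE) + check_flows(FLOW_SAMPLE) + check_proxy(PROXY_SAMPLE)


if __name__ == '__main__':
    for kind, detail in run_all():
        print(f'{kind:14} {detail}')
```

The 'review' class is deliberately noisy: in the sample it fires on TCP/3389, which is exactly the Terminal Services listener the page says some variants enable, and which a workstation baseline would normally not include.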

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

In some cases the following additional steps are needed: boot into the Windows recovery environment and restore a clean MBR.

On Windows XP:

    • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
    • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
    • Select the Windows installation that is compromised and provide the administrator password.
    • Issue the 'fixmbr' command to restore the Master Boot Record.
    • Follow the onscreen instructions.
    • Restart the computer and remove the CD from the CD-ROM drive.

On Windows Vista and 7:

    • Insert the Windows CD into the CD-ROM drive and restart the computer.
    • Click "Repair Your Computer".
    • When the System Recovery Options dialog appears, choose Command Prompt.
    • Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
    • Follow the onscreen instructions.
    • Restart the computer and remove the CD from the CD-ROM drive.

Variants

    • Spy-Agent.bw

Aliases

    • Zeus