Content
PWS-Zbot
- Type
- Trojan
- SubType
- Password Stealer
- Discovery Date
- 12/19/2007
- Length
- varies
- Minimum DAT
- 5189 (12/19/2007)
- Updated DAT
- 6058 (07/29/2010)
- Minimum Engine
- 5.1.00
- Description Added
- 12/19/2007
- Description Modified
- 05/18/2010 2:57 PM (PT)
Risk Assessment
- Corporate User
- Low-Profiled
- Home User
- Low-Profiled
Tab Navigation
Characteristics
-- Update May 18, 2010 --
A new variant of this threat is being used to steal login/password information from infected machines. This new variant shows the following behavior:
The malicious program has the ability to steal login/password information from several services and program, including:
- FTP communication
- HTTP authentication
- HTTP cookies
- user digital certificates
- FTP clients configuration (FlashFXP, SmartFTP, WinSCP, Far Manager, WS_FTP, etc)
- can capture screenshots
It drops a copy of itself in %WINDIR%\system32\sdra64.exe
It add or modify the following registry keys:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID = "MACHINE_NAME"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "%WINDIR%\system32\userinit.exe,%WINDIR%\system32\sdra64.exe,"
The program inject malicious code into the winlogon.exe and svchost.exe processes
The Windows firewall is disabled.
The following files are created, which contain encrypted version of data stolen from the user:
- %WINDIR%\system32\lowsec\local.ds
- %WINDIR%\system32\lowsec\user.ds
- %WINDIR%\system32\lowsec\user.ds.lll
It creates a MUTEX named _AVIRA_2108 inside svchost.exe and _AVIRA_2109 inside winlogon.exe
It tries to download the following page:
- hxxp://hiho[removed].com/httpd/loc.so
The malware also listen for connections on a high TCP port. The following ports have been observed in this variant:
- TCP/21957
- TCP/16629
-- Update February 18, 2010 --
A new variant of this threat is being used to steal financial information from infected machines. This new variant shows the following behavior:
The files and directories below were created:
- %WINDDIR%\system32\lowsec\local.ds (data file)
- %WINDDIR%\system32\lowsec\user.ds (data file)
- %WINDDIR%\system32\lowsec\user.ds.lll (data file)
- %WINDDIR%\system32\sdra64.exe (PWS-Zbot)
(Where %WINDIR refers to the directory where Windows is installed. For Windows XP, this usually means C:\Windows)
The malware inject its malicious code into the Winlogon.exe process. It also add the following registry key to run again after reboot:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "%WINDDIR%\system32\userinit.exe,%WINDDIR%\system32\sdra64.exe,"
- The Windows firewall is disabled.
The following key is created with the Windows name of the infected machine:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID = "MACHINE_NAME"
----------------
PWS-Zbot is a Trojan that steals online banking credentials and eventually sends them to a remote server.
Upon execution, it drops the following files into the Windows system directory:
- %Windir%\%SYSDIR%\ntos.exe
- %Windir%\%SYSDIR%\wsnpoem\audio.dll
- %Windir%\%SYSDIR%\wsnpoem\video.dll
Adds the string “C:\%WINDIR%\system32\ntos.exe” to the “Userinit” value in the following registry key in order to run at Windows start up:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network]
+ UID = "%ComputerName%" (adds computer name)
o [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer]
+ {F710FA10-2031-3106-8872-93A2B5C5C620} = F7 09 F2 0D
o [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
+ ProxyEnable = 0x00000000
== Update September 28, 2009 ==
A new variant attempts to spread to removable drives by creating an autorun.inf file, which will then run the worm automatically if a system which uses the removable drive is set to Autorun.
Upon execution, the following directory is created:
o %Root%\RECYCLER\S-1-5-21-4616592079-8080907928-828616482-2104
A copy of the worm is dropped into this directory, along with a Desktop.ini file. The copy is named similar to a file that Windows would use. These may include:
- Sysdate.exe
- Wuaclt.exe
The following value/data pair is also added:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Taskman"
Data: %Root%\RECYCLER\S-1-5-21-4616592079-8080907928-828616482-2104\[Filename].exe
Removable devices that become infected may exhibit the following behavior.
The following file is added to the root of the drive:
- Autorun.inf
A folder is created with a directory name similar to the below:
- %Root%\Temp[random numeral]
Within this directory, the following files may be added:
- Dekstop.ini
- [Filename similar to valid Windows applications].exe
Contact may also be initiated with the following domains over UDP 11223:
- butterfly.[removed].biz
- butterfly.[removed].es
- qwertasdfg.[removed].es
All the while, the worm is injected into explorer.exe.
Symptoms
Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Variants
Variants
N/A
All Information
Overview -
-- January 21, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2009/01/21/airline_ticket_malware_scam/
--
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Characteristics
Characteristics -
-- Update May 18, 2010 --
A new variant of this threat is being used to steal login/password information from infected machines. This new variant shows the following behavior:
The malicious program has the ability to steal login/password information from several services and program, including:
- FTP communication
- HTTP authentication
- HTTP cookies
- user digital certificates
- FTP clients configuration (FlashFXP, SmartFTP, WinSCP, Far Manager, WS_FTP, etc)
- can capture screenshots
It drops a copy of itself in %WINDIR%\system32\sdra64.exe
It add or modify the following registry keys:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID = "MACHINE_NAME"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "%WINDIR%\system32\userinit.exe,%WINDIR%\system32\sdra64.exe,"
The program inject malicious code into the winlogon.exe and svchost.exe processes
The Windows firewall is disabled.
The following files are created, which contain encrypted version of data stolen from the user:
- %WINDIR%\system32\lowsec\local.ds
- %WINDIR%\system32\lowsec\user.ds
- %WINDIR%\system32\lowsec\user.ds.lll
It creates a MUTEX named _AVIRA_2108 inside svchost.exe and _AVIRA_2109 inside winlogon.exe
It tries to download the following page:
- hxxp://hiho[removed].com/httpd/loc.so
The malware also listen for connections on a high TCP port. The following ports have been observed in this variant:
- TCP/21957
- TCP/16629
-- Update February 18, 2010 --
A new variant of this threat is being used to steal financial information from infected machines. This new variant shows the following behavior:
The files and directories below were created:
- %WINDDIR%\system32\lowsec\local.ds (data file)
- %WINDDIR%\system32\lowsec\user.ds (data file)
- %WINDDIR%\system32\lowsec\user.ds.lll (data file)
- %WINDDIR%\system32\sdra64.exe (PWS-Zbot)
(Where %WINDIR refers to the directory where Windows is installed. For Windows XP, this usually means C:\Windows)
The malware inject its malicious code into the Winlogon.exe process. It also add the following registry key to run again after reboot:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "%WINDDIR%\system32\userinit.exe,%WINDDIR%\system32\sdra64.exe,"
- The Windows firewall is disabled.
The following key is created with the Windows name of the infected machine:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID = "MACHINE_NAME"
----------------
PWS-Zbot is a Trojan that steals online banking credentials and eventually sends them to a remote server.
Upon execution, it drops the following files into the Windows system directory:
- %Windir%\%SYSDIR%\ntos.exe
- %Windir%\%SYSDIR%\wsnpoem\audio.dll
- %Windir%\%SYSDIR%\wsnpoem\video.dll
Adds the string “C:\%WINDIR%\system32\ntos.exe” to the “Userinit” value in the following registry key in order to run at Windows start up:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network]
+ UID = "%ComputerName%" (adds computer name)
o [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer]
+ {F710FA10-2031-3106-8872-93A2B5C5C620} = F7 09 F2 0D
o [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
+ ProxyEnable = 0x00000000
== Update September 28, 2009 ==
A new variant attempts to spread to removable drives by creating an autorun.inf file, which will then run the worm automatically if a system which uses the removable drive is set to Autorun.
Upon execution, the following directory is created:
o %Root%\RECYCLER\S-1-5-21-4616592079-8080907928-828616482-2104
A copy of the worm is dropped into this directory, along with a Desktop.ini file. The copy is named similar to a file that Windows would use. These may include:
- Sysdate.exe
- Wuaclt.exe
The following value/data pair is also added:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Taskman"
Data: %Root%\RECYCLER\S-1-5-21-4616592079-8080907928-828616482-2104\[Filename].exe
Removable devices that become infected may exhibit the following behavior.
The following file is added to the root of the drive:
- Autorun.inf
A folder is created with a directory name similar to the below:
- %Root%\Temp[random numeral]
Within this directory, the following files may be added:
- Dekstop.ini
- [Filename similar to valid Windows applications].exe
Contact may also be initiated with the following domains over UDP 11223:
- butterfly.[removed].biz
- butterfly.[removed].es
- qwertasdfg.[removed].es
All the while, the worm is injected into explorer.exe.
Symptoms
Symptoms -
Method of Infection
Method of Infection -
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.
Removal -
Removal -
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Additional Windows ME/XP removal considerations
Variants
Variants -
N/A