Content
PWS-Zbot
- Type
- Trojan
- SubType
- Password Stealer
- Discovery Date
- 12/19/2007
- Length
- varies
- Minimum DAT
- 5189 (12/19/2007)
- Updated DAT
- 5795 (11/07/2009)
- Minimum Engine
- 5.1.00
- Description Added
- 12/19/2007
- Description Modified
- 09/28/2009 1:44 PM (PT)
Risk Assessment
- Corporate User
- Low-Profiled
- Home User
- Low-Profiled
Tab Navigation
Characteristics
PWS-Zbot is a Trojan that steals online banking credentials and eventually sends them to a remote server.
Upon execution, it drops the following files into the Windows system directory:
- %Windir%\%SYSDIR%\ntos.exe
- %Windir%\%SYSDIR%\wsnpoem\audio.dll
- %Windir%\%SYSDIR%\wsnpoem\video.dll
Adds the string “C:\%WINDIR%\system32\ntos.exe” to the “Userinit” value in the following registry key in order to run at Windows start up:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network]
+ UID = "%ComputerName%" (adds computer name)
o [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer]
+ {F710FA10-2031-3106-8872-93A2B5C5C620} = F7 09 F2 0D
o [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
+ ProxyEnable = 0x00000000
== Update September 28, 2009 ==
A new variant attempts to spread to removable drives by creating an autorun.inf file, which will then run the worm automatically if a system which uses the removable drive is set to Autorun.
Upon execution, the following directory is created:
o %Root%\RECYCLER\S-1-5-21-4616592079-8080907928-828616482-2104
A copy of the worm is dropped into this directory, along with a Desktop.ini file. The copy is named similar to a file that Windows would use. These may include:
- Sysdate.exe
- Wuaclt.exe
The following value/data pair is also added:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Taskman"
Data: %Root%\RECYCLER\S-1-5-21-4616592079-8080907928-828616482-2104\[Filename].exe
Removable devices that become infected may exhibit the following behavior.
The following file is added to the root of the drive:
- Autorun.inf
A folder is created with a directory name similar to the below:
- %Root%\Temp[random numeral]
Within this directory, the following files may be added:
- Dekstop.ini
- [Filename similar to valid Windows applications].exe
Contact may also be initiated with the following domains over UDP 11223:
- butterfly.[removed].biz
- butterfly.[removed].es
- qwertasdfg.[removed].es
All the while, the worm is injected into explorer.exe.
Symptoms
Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Variants
Variants
N/A
All Information
Overview -
-- January 21, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2009/01/21/airline_ticket_malware_scam/
--
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Characteristics
Characteristics -
PWS-Zbot is a Trojan that steals online banking credentials and eventually sends them to a remote server.
Upon execution, it drops the following files into the Windows system directory:
- %Windir%\%SYSDIR%\ntos.exe
- %Windir%\%SYSDIR%\wsnpoem\audio.dll
- %Windir%\%SYSDIR%\wsnpoem\video.dll
Adds the string “C:\%WINDIR%\system32\ntos.exe” to the “Userinit” value in the following registry key in order to run at Windows start up:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network]
+ UID = "%ComputerName%" (adds computer name)
o [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer]
+ {F710FA10-2031-3106-8872-93A2B5C5C620} = F7 09 F2 0D
o [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
+ ProxyEnable = 0x00000000
== Update September 28, 2009 ==
A new variant attempts to spread to removable drives by creating an autorun.inf file, which will then run the worm automatically if a system which uses the removable drive is set to Autorun.
Upon execution, the following directory is created:
o %Root%\RECYCLER\S-1-5-21-4616592079-8080907928-828616482-2104
A copy of the worm is dropped into this directory, along with a Desktop.ini file. The copy is named similar to a file that Windows would use. These may include:
- Sysdate.exe
- Wuaclt.exe
The following value/data pair is also added:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Taskman"
Data: %Root%\RECYCLER\S-1-5-21-4616592079-8080907928-828616482-2104\[Filename].exe
Removable devices that become infected may exhibit the following behavior.
The following file is added to the root of the drive:
- Autorun.inf
A folder is created with a directory name similar to the below:
- %Root%\Temp[random numeral]
Within this directory, the following files may be added:
- Dekstop.ini
- [Filename similar to valid Windows applications].exe
Contact may also be initiated with the following domains over UDP 11223:
- butterfly.[removed].biz
- butterfly.[removed].es
- qwertasdfg.[removed].es
All the while, the worm is injected into explorer.exe.
Symptoms
Symptoms -
Method of Infection
Method of Infection -
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.
Removal -
Removal -
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Additional Windows ME/XP removal considerations
Variants
Variants -
N/A