Spy-Agent.bw.gen.e

Type: Trojan
SubType: Generic
Discovery Date: 04/29/2008
Length: Varies
Minimum DAT: 5284 (04/29/2008)
Updated DAT: 5757 (09/30/2009)
Minimum Engine: 5.3.00
Description Added: 04/29/2008
Description Modified: 09/28/2009 7:10 AM (PT)
Risk Assessment:
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Overview

-- Update September 28, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.computerworld.com/s/article/9138527/IRS_scam_now_world_s_biggest_e_mail_virus_problem?source=rss_news

--

This detection covers a spy trojan which, once running on the victim's machine, may be used to upload stolen information to a pre-configured website.

The characteristics of this trojan with regard to file names, sites accessed, files downloaded, etc. can differ from one version to another, depending on how the attacker configured it. This is therefore a general description.

Aliases

  • Infostealer.Banker.C [Symantec]
  • PWS:Win32/Zbot.gen!R [Microsoft]
  • Trojan.Generic.2436384 [BitDefender]
  • TSPY_ZBOT.SMC [TrendMicro]

Characteristics

When executed, some samples of this trojan drop the following files:

  • %System%\sdra64.exe [Copy of Trojan]
  • %System%\lowsec\local.ds [Data File]
  • %System%\lowsec\user.ds [Data File]
  • %System%\lowsec\user.ds.lll [Data File]

(Note: %System% refers to the System folder. On a Windows XP machine, this by default refers to the "C:\Windows\System32" folder.)

The trojan also modifies the following registry value so that it runs at Windows startup:

  • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    Userinit = "%System%\userinit.exe,%System%\sdra64.exe,"
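The Userinit modification above is the persistence mechanism, so a simple host check is to confirm that the Winlogon Userinit value names only the legitimate userinit.exe and that none of the listed dropped files are present. The following is an added example, not code from the advisory or from McAfee; the Userinit strings and the file-existence callback are constructed for illustration, and the live registry read only runs on Windows where the winreg module is available.

```python
import os
import sys

# Constructed sample values: the first mirrors the modified value described in the
# advisory, the second is what a clean Windows XP machine normally carries.
SAMPLE_MODIFIED = r"%System%\userinit.exe,%System%\sdra64.exe,"
SAMPLE_CLEAN = r"C:\WINDOWS\system32\userinit.exe,"

# Files the advisory lists as dropped, relative to %System%.
DROPPED_FILES = [
    r"sdra64.exe",
    r"lowsec\local.ds",
    r"lowsec\user.ds",
    r"lowsec\user.ds.lll",
]


def parse_userinit(value):
    """Split a Winlogon Userinit value into its comma-separated program entries."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def suspicious_userinit_entries(value):
    """Return every Userinit entry whose file name is not userinit.exe.

    A clean value contains exactly one entry (userinit.exe); anything appended after
    it is launched by winlogon at every logon, which is how this trojan persists.
    """
    flagged = []
    for entry in parse_userinit(value):
        name = os.path.basename(entry.replace("\\", "/")).lower()
        if name != "userinit.exe":
            flagged.append(entry)
    return flagged


def dropped_artifacts_present(system_dir, exists=os.path.exists):
    """Return the full paths of listed dropped files that exist under system_dir.

    The exists callback is injectable so the check can be exercised offline with a
    constructed file listing instead of touching the real file system.
    """
    base = system_dir.rstrip("\\")
    return [base + "\\" + rel for rel in DROPPED_FILES if exists(base + "\\" + rel)]


def read_live_userinit():
    """Read the real Userinit value on Windows; returns None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows
    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    value = read_live_userinit() or SAMPLE_MODIFIED
    print("Userinit:", value)
    print("unexpected entries:", suspicious_userinit_entries(value))
    system_dir = os.environ.get("SystemRoot", r"C:\Windows") + r"\System32"
    print("dropped files found:", dropped_artifacts_present(system_dir))
```

Run on a non-Windows host the script falls back to the constructed sample and reports %System%\sdra64.exe as the unexpected entry; on Windows it inspects the live value. An entry other than userinit.exe in this value is worth investigating regardless of its file name, since the appended path varies between samples.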

It injects malicious code into several processes and hooks several APIs to hide itself and monitor user activity.

It connects to a remote server to update itself and to send gathered information, such as banking transactions.

It attempts to connect to the domain:

  • kievsk.com

At the time of writing, the domain is not available.

Symptoms

  • Presence of files and registry entries mentioned
  • Network activity with servers mentioned above

Method of Infection

Trojans are not viruses, and as such do not themselves contain any method to replicate. However, they may themselves be downloaded by other viruses and/or trojans and installed on the user's system.

Many of these are mass spammed by the author to entice people into double-clicking on them.

Alternatively, they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the password stealer onto the user's system with no user interaction).

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A