PWS-Zbot.gen.v

Type: Trojan
SubType: -
Discovery Date: 11/13/2009
Length:
Minimum DAT: 5797 (11/09/2009)
Updated DAT: 5802 (11/14/2009)
Minimum Engine: 5.1.00
Description Added: 11/13/2009
Description Modified: 12/14/2009 4:05 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

When executed, the malware binary modifies the following registry entry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit" = "C:\WINDOWS\system32\userinit.exe, C:\WINDOWS\system32\sdra64.exe"

This registry entry shows that the malware attaches itself to winlogon.exe and userinit.exe, legitimate Windows logon components, which hides it from the user of the compromised system and ensures that the malware is executed every time the system boots.

The following files have been added to the compromised system:

  • %SysDir%\lowsec\local.ds
  • %SysDir%\lowsec\user.ds
  • %SysDir%\lowsec\user.ds.lll
  • %SysDir%\sdra64.exe

The file sdra64.exe is a copy of the malware binary.

The following folder was added to the system:

1. %SysDir%\lowsec

Upon execution, the malware binary copies itself to the system folder and connects to the following IP address:

http://193.104.[removed].42

Once the system is compromised, the malware looks for bank details and other financial passwords saved on the system and sends that information to the remote site. The main purpose of this malware binary is therefore to steal passwords from the compromised system.

This malware binary specifically targets bank password information and sends it to the attacker.

The following behaviors were seen with this particular version of the PWS-Zbot.gen.v:

  • Drops a copy of itself in the %SysDir% folder
  • Injects code into system processes (winlogon.exe, userinit.exe)
  • Targets sensitive information such as online banking transactions
  • Attempts to retrieve a newer version of itself remotely
  • Posts stolen information to a remote site

These are the defaults for typical path variables (they may differ, but these are common examples):

  • %WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
  • %SysDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
  • %ProgramFiles% = \Program Files


Symptoms

  • The Trojan is running in the process list.
  • Presence of files and registry entries mentioned.
  • Network activity with servers mentioned above.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email spam, etc.

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned with that combination.

Additional Windows ME/XP removal considerations

Variants

N/A

All Information

Overview

This is a Trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

File information:

  • MD5: 063CA9027D6373CA00EB2B95D2836975
  • SHA-1: CC80B11F2195C747BDFDE06340D04A52D6DC6D3D
  • File Size: 123904 bytes
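The indicators in this description (the extra Userinit entry, the lowsec files and sdra64.exe under Characteristics, the Symptoms list, and the file hashes above) can be turned into a host triage check. The following is an added example written for this page, not McAfee's code or a tool the page describes: it parses a Winlogon Userinit value the way Winlogon does (comma-separated program list), flags any entry other than the legitimate userinit.exe, matches a directory listing against the file indicators with %SysDir% expanded for the host, and compares a file's MD5/SHA-1 with the published hashes. The Userinit value and the directory listing in the `__main__` block are constructed sample input, and the redacted C2 address from the page is deliberately not included.

```python
import hashlib
import re

# Indicators copied from the description on this page. The C2 address is
# redacted on the page, so no network indicator is included.
INDICATOR_FILES = [
    r"%SysDir%\lowsec\local.ds",
    r"%SysDir%\lowsec\user.ds",
    r"%SysDir%\lowsec\user.ds.lll",
    r"%SysDir%\sdra64.exe",
]
KNOWN_MD5 = "063ca9027d6373ca00eb2b95d2836975"
KNOWN_SHA1 = "cc80b11f2195c747bdfde06340d04a52d6dc6d3d"


def expand_sysdir(path, sysdir):
    """Replace the %SysDir% placeholder with the host's real system directory.

    A lambda is used as the replacement so the backslashes in sysdir are not
    interpreted as regex escapes.
    """
    return re.sub(r"%sysdir%", lambda _: sysdir, path, flags=re.IGNORECASE)


def parse_userinit(value):
    """Split the Winlogon 'Userinit' value into its comma-separated entries.

    Winlogon launches every program listed here at logon, which is why the
    Trojan appends sdra64.exe after the legitimate userinit.exe. Empty
    entries (the clean value normally ends with a trailing comma) are dropped.
    """
    entries = [e.strip().strip('"') for e in value.split(",")]
    return [e for e in entries if e]


def find_extra_userinit_entries(value, sysdir):
    """Return every Userinit entry that is not the legitimate userinit.exe."""
    legit = expand_sysdir(r"%SysDir%\userinit.exe", sysdir).lower()
    return [e for e in parse_userinit(value) if e.lower() != legit]


def match_indicator_files(present_paths, sysdir):
    """Return the indicator paths from the description found in present_paths.

    Comparison is case-insensitive because NTFS paths are.
    """
    present = {p.lower() for p in present_paths}
    expanded = [expand_sysdir(i, sysdir) for i in INDICATOR_FILES]
    return [p for p in expanded if p.lower() in present]


def compute_hashes(data):
    """Hash a file's bytes and compare them with the published MD5/SHA-1."""
    md5 = hashlib.md5(data).hexdigest()
    sha1 = hashlib.sha1(data).hexdigest()
    return {
        "md5": md5,
        "sha1": sha1,
        "matches_known_sample": md5 == KNOWN_MD5 and sha1 == KNOWN_SHA1,
    }


def triage(userinit_value, present_paths, sysdir):
    """Combine the registry and file checks into one list of findings."""
    findings = []
    for extra in find_extra_userinit_entries(userinit_value, sysdir):
        findings.append(f"unexpected Userinit entry: {extra}")
    for hit in match_indicator_files(present_paths, sysdir):
        findings.append(f"indicator file present: {hit}")
    return findings


if __name__ == "__main__":
    # Constructed sample input: the Userinit value quoted in the description
    # and a directory listing invented for this example.
    SYSDIR = r"C:\WINDOWS\system32"
    userinit = r"C:\WINDOWS\system32\userinit.exe, C:\WINDOWS\system32\sdra64.exe"
    listing = [
        r"C:\WINDOWS\system32\userinit.exe",
        r"C:\WINDOWS\system32\sdra64.exe",
        r"C:\WINDOWS\system32\lowsec\user.ds",
        r"C:\WINDOWS\system32\lowsec\local.ds",
    ]
    for line in triage(userinit, listing, SYSDIR):
        print(line)
    # On a real host the bytes of the suspect sdra64.exe would be passed here;
    # constructed placeholder bytes naturally do not match the published hashes.
    print(compute_hashes(b"constructed placeholder bytes")["matches_known_sample"])
```

On a live Windows host the Userinit value would be read from the Winlogon key and the listing taken from the real %SysDir%; the checks above are host-independent so they can also run against an offline registry hive export and a file inventory. Note that the hash match only identifies this exact sample, while the Userinit and file checks catch the persistence pattern regardless of the binary's hash.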

Aliases:

Microsoft - PWS:Win32/Zbot.gen!R

Symantec - Trojan.Zbot!gen2
