PWS-Zbot.gen.ab

Type: Trojan
SubType: Generic
Discovery Date: 12/17/2009
Length: varies
Minimum DAT: 5857 (01/10/2010)
Updated DAT: 6548 (12/02/2011)
Minimum Engine: 5.4.00
Description Added: 12/17/2009
Description Modified: 11/29/2011 7:41 PM (PT)

Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Characteristics

------ Updated Nov 30, 2011 -----

The current variant has been observed to drop a copy of itself at:

  • %AppData%\KB00[random numbers].exe

It also creates a folder in %AppData%.

  • %AppData%\[random characters]

To automatically execute at startup it creates the following registry entry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    KB00[random numbers].exe = "%AppData%\KB00[random numbers].exe"

It also creates the following registry key:

  • Software\Microsoft\Windows Media Center\[random characters]

Note – [%AppData% - C:\Documents and Settings\[UserName]\Application Data]

It attempts to connect to the following sites to send and receive data and to download additional malware:

  • lavonoplanet.ru
  • hherbalessensess.ru
  • ultravioletdreammm.ru
  • sonvletnuunoch.ru

The malware currently downloaded is detected as Generic Downloader.z; it in turn downloads additional malware detected as Generic BackDoor.vd and Generic Backdoor.u.

Downloaded malware is stored in %Windows%\temp.

Note – [%Windows% - c:\Windows]

------ Updated Nov 17, 2011 -----

Aliases –

    • F-Secure - Trojan-Spy:W32/Zbot.
    • Microsoft - PWS:Win32/Zbot
    • Sophos - Troj/Agent-UBA
    • Symantec - Trojan.Zbot

Upon execution, the Trojan drops the following files:

    • %AppData%\Elfyo\uhreux.exe
    • %AppData%\Hyym\byanpab.tmp

The following registry key has been added:

    • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Ukboo

The following registry values have been added:

    • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Run\
      {4A72E50B-757A-7502-3A7B-C98493DCDFB1} = ""%AppData%\Elfyo\uhreux.exe""
    • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Ukboo\
      Nooccot = binary data

The above two registry entries ensure that the Trojan executes every time Windows starts.

After execution, the Trojan deletes itself from the system.

The Trojan also creates the following folders on the system:

    • %AppData%\Elfyo
    • %AppData%\Hyym

Note – [%AppData% - C:\Documents and Settings\[UserName]\Application Data]

---------

-- Update May 11, 2011 --

New variants have been observed in attachments of spoofed emails. These emails appear to come from Microsoft and are regarding Microsoft Patch Tuesday.

Upon execution, the Trojan drops the following files:

  • %UserProfile%\Application Data\Tuti\myynw.exe (PWS-Zbot.gen.ab)
  • %UserProfile%\Application Data\Upuhy\ekufq.tmp (binary data)
  • %UserProfile%\Application Data\Upuhy\ekufq.zoe (binary data)

The following registry keys are modified:

  • HKEY_CURRENT_USER\Software\Microsoft\Boylw
    "Roonbub" = (binary)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    "{20D67A25-FEC0-313C-0828-EB1A6CE61592}" = %UserProfile%\Application Data\Tuti\myynw.exe

It attempts to connect to the following host:

  • visitortracker.[removed].nl

-- Update January 10, 2010--

File Information

  • MD5  -  39EC0188CABD083C63835D0329CA211F
  • SHA  - BCD1E0ACB3DA729A553672CA8DBA668FF51147CD

Aliases

  • Ikarus    - Packed.Win32.Krap
  • NOD32     - a variant of Win32/Kryptik.IYD
  • Symantec  - Trojan.Zbot!gen15
  • Microsoft - PWS:Win32/Zbot.gen!Y

When executed, the Trojan copies itself to one of the following locations:

  • %UserProfile%\Start Menu\Programs\Startup\ifba.exe [Detected as PWS-Zbot.gen.ab]
  • %UserProfile%\Start Menu\Programs\Startup\tuohcu.exe [Detected as PWS-Zbot.gen.ab]
  • %UserProfile%\Start Menu\Programs\Startup\yzetf.exe [Detected as PWS-Zbot.gen.ab]
  • %UserProfile%\Start Menu\Programs\Startup\apyg.exe [Detected as PWS-Zbot.gen.ab]
  • %UserProfile%\Start Menu\Programs\Startup\ibola.exe [Detected as PWS-Zbot.gen.ab]
  • %UserProfile%\Start Menu\Programs\Startup\mixic.exe [Detected as PWS-Zbot.gen.ab]

It also drops the following files:

  • %UserProfile%\Local Settings\Application Data\Identities\{EBA1757B-EB14-4E48-8CE7-3AA790B4FB28}\Microsoft\Outlook Express\Folders.dbx
  • %UserProfile%\Local Settings\Application Data\Identities\{EBA1757B-EB14-4E48-8CE7-3AA790B4FB28}\Microsoft\Outlook Express\Inbox.dbx
  • %UserProfile%\Local Settings\Application Data\Identities\{EBA1757B-EB14-4E48-8CE7-3AA790B4FB28}\Microsoft\Outlook Express\Offline.dbx
  • %UserProfile%\Local Settings\Application Data\Identities\{EBA1757B-EB14-4E48-8CE7-3AA790B4FB28}\Microsoft\Outlook Express\Sent Items.dbx
  • %AppData%\Microsoft\Address Book\Administrator.wab
  • %AppData%\Microsoft\Address Book\Administrator.wab~
  • %AppData%\Ugyx\vori.tmp

The following registry keys have been added to the system.

  • HKEY_CURRENT_USER\S-1-(Varies)\Identities\{EBA1757B-EB14-4E48-8CE7-3AA790B4FB28}\Software\Microsoft\Outlook Express\5.0\Mail
  • HKEY_CURRENT_USER\S-1-(Varies)\Identities\{EBA1757B-EB14-4E48-8CE7-3AA790B4FB28}\Software\Microsoft\Outlook Express\5.0\News
  • HKEY_CURRENT_USER\S-1-(Varies)\Identities\{EBA1757B-EB14-4E48-8CE7-3AA790B4FB28}\Software\Microsoft\Outlook Express\5.0\Rules
  • HKEY_CURRENT_USER\S-1-(Varies)\Identities\{EBA1757B-EB14-4E48-8CE7-3AA790B4FB28}\Software\Microsoft\Outlook Express\5.0\Trident
  • HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Internet Explorer\Privacy
  • HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC
  • HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot
  • HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Internet Account Manager\Accounts\VeriSign
  • HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere
  • HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Unerr
  • HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\WAB

The following registry value has been added:

  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Run\]
    "{1E2D2803-F1E8-7A2D-A097-4214038F05F9}" = ""%AppData%\Bial\ycud.exe""

The above registry value registers a Run entry for the Trojan on the compromised system, so that it executes at every boot.

  • HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Internet Explorer\Privacy\CleanCookies: 0x00000000

The above registry value disables the Internet Explorer option for clearing cookies.

The following registry values have been modified:

  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\]
    "1609" = "0x00000000"
  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\]
    "1406" = "0x00000000"
  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\]
    "1609" = "0x00000000"
  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\]
    "1406" = "0x00000000"
  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\]
    "1406" = "0x00000000"

The above registry entries disable Internet Explorer security settings for the listed zones.

This Trojan may also try to steal the following sensitive information from the affected computer:

  • certificates
  • IE cookies
  • cached passwords

[%UserProfile% is %UserProfile%\, %Temp% is %UserProfile%\Local Settings\Temp\ and %SystemDrive% is the drive where the Operating System is installed, in most cases it will be C:\]

----------------------------------------------------------------------------

-- Update July 9, 2010 --

File Information

  • MD5  -  B451FC4CDAD648C29AB88432C7E2EE4D
  • SHA  - 96C872BDBBD073CDC04A17FC956990C38913A8E0

Aliases

  • AVG       - Cryptic.AIP
  • Kaspersky - Trojan-Spy.Win32.Zbot.akwq
  • Microsoft - PWS:Win32/Zbot.gen!Y
  • NOD32     - Win32/Spy.Zbot.YW

Upon execution, the Trojan copies itself to the following location under a random name:

  • %USERPROFILE%\Start Menu\Programs\Startup\epmu.exe [Detected as PWS-Zbot.gen.ab]
  • %USERPROFILE%\Start Menu\Programs\Startup\kylu.exe [Detected as PWS-Zbot.gen.ab]
  • %USERPROFILE%\Start Menu\Programs\Startup\nuikf.exe [Detected as PWS-Zbot.gen.ab]
  • %USERPROFILE%\Start Menu\Programs\Startup\ocni.exe [Detected as PWS-Zbot.gen.ab]
  • %USERPROFILE%\Start Menu\Programs\Startup\zeryi.exe [Detected as PWS-Zbot.gen.ab]
  • %USERPROFILE%\Start Menu\Programs\Startup\enmo.exe [Detected as PWS-Zbot.gen.ab]
  • %USERPROFILE%\Start Menu\Programs\Startup\hodeeg.exe [Detected as PWS-Zbot.gen.ab]
  • %USERPROFILE%\Start Menu\Programs\Startup\ydur.exe [Detected as PWS-Zbot.gen.ab]
  • %USERPROFILE%\Start Menu\Programs\Startup\diit.exe [Detected as PWS-Zbot.gen.ab]

It also drops the following files:

  • %USERPROFILE%\Application Data\Amnu\diozc.tmp
  • %Temp%\tmpe1ef3100.bat

The following registry keys have been added to the system:

  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Internet Explorer\Privacy]
  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Gica]

The following registry value has been added.

  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Internet Explorer\Privacy\]
    "CleanCookies" = "0x00000000"

The registry value below registers the malware binary with the compromised system so that it executes at every boot.

  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Run\]
    "{012F2CDD-D90E-7A2A-8AF9-ECEA0955AB07}" = ""%USERPROFILE%\Application Data\Uhvi\ibpoo.exe""

This Trojan also tries to inject into the following processes:

  • ctfmon.exe
  • rdpclip.exe
  • dwm.exe
  • wscntfy.exe
  • taskeng.exe
  • taskhost.exe
  • explorer.exe

[%UserProfile% is c:\Documents and Settings\Administrator\, %Temp% is C:\Documents and Settings\Administrator\Local Settings\Temp\ and %SystemDrive% is the drive where the Operating System is installed, in most cases it will be C:\]

-----------------------------------------------------------------------------------------------------------------------------

-- Update January 10, 2010 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://isc.sans.org/diary.html?storyid=7918&rss
--

Upon execution, the malware drops the following files:

  • %system%\sdra64.exe (copy of itself)
  • %system%\lowsec\local.ds (information file)
  • %system%\lowsec\user.ds (information file)
  • %system%\lowsec\user.ds.lll (information file)

Once running, the malware creates a new memory page in the address space of the svchost process:

  • svchost.exe

The following hidden directory is created:

  • %System%\lowsec

The following registry keys are created:

  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{334613DB-50C1-B3BE-95ED-E9915A134FF1}
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{4776C4DC-E894-7C06-2148-5D73CEF5F905}
  • HKEY_USERS\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Network
    "UID" = "computer name_B4DF7611864C7708"
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Protected Storage System Provider

The following registry value is modified:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
    "Userinit"
    Original value: "C:\WINDOWS\system32\userinit.exe,"
    Modified value: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"
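The Userinit modification above, the GUID-named Run values in the January 10, 2010 and July 9, 2010 updates, the CleanCookies value and the Internet Settings Zones changes are all visible in a registry export, which makes a .reg file a convenient triage input during incident response. The script below is an added example, not McAfee's code and not part of this advisory: it parses a constructed .reg export (the sample data is invented; only the shapes of the entries follow the advisory, and the OneDrive entry and the user name are benign filler) and flags a Userinit value that launches anything besides userinit.exe, Run values that are GUID-named or that point into a profile's Application Data folder, CleanCookies set to 0, and zone settings 1406 or 1609 set to 0 (to my knowledge, 0 means Enable for these IE zone settings).

```python
import re
from collections import defaultdict

# Constructed sample .reg export (not from the page). The Userinit value, the
# Run-key GUID name, the CleanCookies value and the Zones\3 settings mirror the
# shapes described in the advisory; the OneDrive entry and the user name are
# invented benign filler.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\sdra64.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"{1E2D2803-F1E8-7A2D-A097-4214038F05F9}"="\"C:\\Documents and Settings\\user\\Application Data\\Bial\\ycud.exe\""
"OneDrive"="C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy]
"CleanCookies"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1406"=dword:00000000
"1609"=dword:00000003
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
GUID_RE = re.compile(r'\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}', re.I)
APPDATA_RE = re.compile(r'application data|appdata', re.I)
ZONE_RE = re.compile(r'\\internet settings\\zones\\(\d)$', re.I)


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}.

    String data is unescaped and dword data becomes an int. hex: data is kept as
    raw text, and multi-line hex continuations and the @ default value are
    skipped: enough for triage, not a full .reg grammar.
    """
    reg = defaultdict(dict)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((';', 'Windows Registry Editor')):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            reg[current]  # record the key even if it carries no values
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = re.sub(r'\\(.)', r'\1', data[1:-1])  # \\ -> \ and \" -> "
        elif data.lower().startswith('dword:'):
            data = int(data[6:], 16)
        reg[current][name] = data
    return dict(reg)


def triage(reg):
    """Return (finding, detail) pairs for the persistence and IE changes the advisory describes."""
    findings = []
    winlogon = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    userinit = reg.get(winlogon, {}).get('Userinit')
    if isinstance(userinit, str):
        # A clean Userinit names only userinit.exe; anything appended is an extra loader.
        parts = [p.strip() for p in userinit.split(',') if p.strip()]
        extra = [p for p in parts if p.lower().rsplit('\\', 1)[-1] != 'userinit.exe']
        if extra:
            findings.append(('userinit-tampered', ', '.join(extra)))
    for key, values in reg.items():
        lkey = key.lower()
        if lkey.endswith(r'\software\microsoft\windows\currentversion\run'):
            for name, data in values.items():
                # GUID-named Run values, or Run values pointing into Application Data,
                # are candidates for review rather than proof on their own.
                if GUID_RE.fullmatch(name) or APPDATA_RE.search(str(data)):
                    findings.append(('run-key-suspicious', f'{name} = {data}'))
        elif lkey.endswith(r'\software\microsoft\internet explorer\privacy'):
            if values.get('CleanCookies') == 0:
                findings.append(('ie-cleancookies-disabled', key))
        zone = ZONE_RE.search(key)
        if zone:
            for setting in ('1406', '1609'):
                # 0 = Enable for IE zone actions (1406 cross-domain data access, 1609 mixed content)
                if values.get(setting) == 0:
                    findings.append(('ie-zone-setting-zeroed', f'zone {zone.group(1)} setting {setting}'))
    return findings


if __name__ == '__main__':
    for kind, detail in triage(parse_reg(SAMPLE_REG)):
        print(f'{kind}: {detail}')
```

Exports written by reg.exe are UTF-16 text, so open a real export with encoding='utf-16' before passing its contents to parse_reg; the Run-key check deliberately reports candidates, since legitimate software also installs from profile folders.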
 

Outbound traffic has been observed to the following remote server:

http://nekoxxx.ru/cbd/nexxxx.bri
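The download sites listed in the November 30, 2011 update and the callback URL above are the network indicators for this family, and the cheapest place to look for them retrospectively is proxy and DNS query logs. The script below is an added example, not part of the advisory: it matches those indicators against constructed proxy and DNS log lines (timestamps and client addresses are invented), treats any subdomain of a listed domain as a hit (an added generalisation beyond the exact names on the page), reports the full URL when the path also matches, and rejects look-alike names such as notlavonoplanet.ru that merely end in the same characters.

```python
import re

# Indicators taken from this advisory: the four Nov 30, 2011 download sites and
# the Jan 10, 2010 callback URL.
C2_DOMAINS = {
    'lavonoplanet.ru', 'hherbalessensess.ru', 'ultravioletdreammm.ru',
    'sonvletnuunoch.ru', 'nekoxxx.ru',
}
C2_URLS = {'http://nekoxxx.ru/cbd/nexxxx.bri'}

# Constructed sample lines (not from the page): two Squid-style proxy entries and
# three BIND-style query-log entries. Client IPs and timestamps are invented.
SAMPLE_LOGS = [
    '1322643600.412 10.0.0.5 TCP_MISS/200 GET http://nekoxxx.ru/cbd/nexxxx.bri - DIRECT/198.51.100.7',
    '1322643601.003 10.0.0.5 TCP_MISS/200 GET http://www.example.com/index.html - DIRECT/93.184.216.34',
    '30-Nov-2011 10:00:02.117 client 10.0.0.7#51234: query: lavonoplanet.ru IN A + (10.0.0.1)',
    '30-Nov-2011 10:00:03.441 client 10.0.0.7#51235: query: cdn.ultravioletdreammm.ru IN A + (10.0.0.1)',
    '30-Nov-2011 10:00:04.002 client 10.0.0.9#51236: query: notlavonoplanet.ru IN A + (10.0.0.1)',
]

# Optional scheme, a dotted hostname whose last label is alphabetic (so IPv4
# addresses and numeric timestamps do not match), optional port, optional path.
HOST_RE = re.compile(r'(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?::\d+)?(/\S*)?', re.I)


def match_line(line):
    """Return (indicator_domain, matched_value) for every C2 reference in one log line."""
    hits = []
    for m in HOST_RE.finditer(line):
        host = m.group(1).lower().rstrip('.')
        for domain in C2_DOMAINS:
            # Exact host or a subdomain of it; a bare suffix comparison would also
            # accept look-alikes such as notlavonoplanet.ru, so the dot is required.
            if host == domain or host.endswith('.' + domain):
                url = 'http://' + host + (m.group(2) or '')
                hits.append((domain, url if url in C2_URLS else host))
                break
    return hits


def scan(lines):
    """Scan an iterable of log lines; return (line_number, indicator_domain, matched_value) tuples."""
    results = []
    for number, line in enumerate(lines, 1):
        for domain, value in match_line(line):
            results.append((number, domain, value))
    return results


if __name__ == '__main__':
    for number, domain, value in scan(SAMPLE_LOGS):
        print(f'line {number}: {value} (indicator {domain})')
```

Feed scan() a file object to run it over a real log; it only inspects hostnames, so a proxy that logs the CONNECT host but not the path still yields a domain-level hit.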

Symptoms

    * The Trojan is running in the process list.
    * Presence of files and registry entries mentioned.
    * Network activity with servers mentioned above.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email spam, etc.

Removal

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1. Disable System Restore.

2. Update to the current engine and DAT files for detection and removal.

3. Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

1. Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password.
Issue the 'fixmbr' command to restore the Master Boot Record.
Follow the on-screen instructions.
Reset and remove the CD from the CD-ROM drive.


On Windows Vista and 7:

Insert the Windows CD into the CD-ROM drive and restart the computer.
Click on "Repair Your Computer".
When the System Recovery Options dialog comes up, choose the Command Prompt.
Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
Follow the on-screen instructions.
Reset and remove the CD from the CD-ROM drive.

Variants

    N/A

Overview

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
