Win32/Spy.BZub [Threat Name]

Win32/Spy.BZub.NAC [Threat Variant Name]

Category: trojan
Size: 80600 B
Detection created: Aug 15, 2006
Detection database version: 1707
Aliases: Trojan-Spy.Win32.BZub.bs (Kaspersky), Spy-Agent.ak (McAfee), Infostealer.Bzup (Symantec)
Short description

Win32/Spy.BZub.NAC is a trojan that steals passwords and other sensitive information.

Installation

The following file is dropped into the %system% folder:

  • agent_dq.dll

It is a Browser Helper Object (BHO) for Internet Explorer.

The size of the file is 60928 B.


The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{73364D99-1240-4dff-B11A-67E448373048}]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73364D99-1240-4dff-B11A-67E448373048}\InprocServer32]
    • (Default) = "%system%\ipv6mons.dll"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73364D99-1240-4dff-B11A-67E448373048}\InprocServer32]
    • "ThreadingModel" = "apartment"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73364D99-1240-4dff-B11A-67E448373048}\InprocServer32]
    • "Enable Browser Extensions" = "yes"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    • "C:\Program Files\Internet Explorer\IEXPLORE.EXE" = "C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\loadnet_insll]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load\worg]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load\cmpid]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load\forwas]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load\h]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load\nw]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load\wspopp]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{73364D99-1240-4dff-B11A-67E448373048}]

Information stealing

The trojan collects various information when Internet Explorer is being used to access the following sites:

  • app/ueberweisung.input.do
  • app/ueberweisung.prep.do
  • banking.postbank.de
  • banking.postbank.de/app/finanzstatus.reduziert.init.do
  • banking.postbank.de/app/kontoumsatz.umsatz.init.do
  • banking.postbank.de/app/legitimation.input.do
  • banking.postbank.de/app/ueberweisung.quittung.do
  • e-gold.com/acct/acct.asp
  • https://*.netbank.commbank.com.au/netbank/bankmain
  • https://banking.postbank.de/app/finanzstatus.init.do
  • https://banking.postbank.de/app/kontoumsatz.umsatz.init.do
  • https://banking.postbank.de/app/welcome.do
  • https://signin.ebay*/ws/eBayISAPI.dll
  • postbank.de

Some of the information is also gathered from local files.

The following information is collected:

  • passwords
  • URLs visited
  • HTML forms content
  • computer name
  • computer IP address
  • Outlook Express account data
  • digital certificates

The data is saved in the %system% folder in the following files:

  • form.txt
  • info.txt
  • shot.html
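
A read-only triage check for the indicators this page lists (the dropped BHO and registry keys under Installation, and the data files just above), added here as an example; it is not ESET's tool. It assumes a local PowerShell session able to read HKLM; the CLSID, key names and file names are taken from the page, while the result object layout is this example's own choice.

```powershell
# Read-only triage for the Win32/Spy.BZub.NAC indicators described on this page.
# It reports matches and changes nothing. CLSID, key names and file names come
# from the page; the result object layout is this example's own choice.

$clsid = '{73364D99-1240-4dff-B11A-67E448373048}'
$sys   = [Environment]::GetFolderPath('System')   # the %system% folder

# Registry keys the trojan creates (see the Installation section)
$keys = @(
    "HKLM:\SOFTWARE\Classes\AppID\$clsid",
    "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid",
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\loadnet_insll'
)
foreach ($n in 'worg', 'cmpid', 'forwas', 'h', 'nw', 'wspopp') {
    $keys += "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load\$n"
}

# Dropped BHO (both names the page mentions) plus the files stolen data is written to
$files = foreach ($n in 'agent_dq.dll', 'ipv6mons.dll', 'form.txt', 'info.txt', 'shot.html') {
    Join-Path $sys $n
}

$findings = @()
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) {
        $findings += [pscustomobject]@{ Type = 'Registry'; Indicator = $k }
    }
}
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        $findings += [pscustomobject]@{ Type = 'File'; Indicator = $f }
    }
}

# Firewall exception the trojan adds for iexplore.exe. On its own this is weak
# evidence (an administrator may have added it), so it is reported, not scored.
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$fw = Get-ItemProperty -LiteralPath $fwKey -ErrorAction SilentlyContinue
if ($fw) {
    foreach ($p in $fw.PSObject.Properties) {
        if ($p.Name -like '*\IEXPLORE.EXE') {
            $findings += [pscustomobject]@{ Type = 'Firewall'; Indicator = "$($p.Name) = $($p.Value)" }
        }
    }
}

if ($findings.Count -eq 0) { 'No Win32/Spy.BZub.NAC indicators found.' }
else { $findings | Format-Table -AutoSize }
```

A hit on the BHO CLSID key or on any of the data files is the strong signal; the firewall entry alone only corroborates.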

The trojan can send the collected information to a remote machine over the FTP protocol.

Other information

The trojan may attempt to delete all files on the C: drive and various program files.
