Win32/Spy.Zbot [Threat Name] go to Threat

Win32/Spy.Zbot.ABV [Threat Variant Name]

Category trojan
Size 308736 B
Detection created Jun 10, 2014
Detection database version 10001
Aliases Win32:Malware-gen (Avast)
  Crypt4.AIIR.trojan (AVG)
  TR/Crypt.EPACK.34007 (Avira)
  Trojan.GenericKD.2426015 (BitDefender)
  Trojan-Spy.Win32.Zbot.kyc (Kaspersky)
  Trojan:Win32/Dynamer!ac (Microsoft)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan copies itself into the

  • %appdata%\­%subfolders%\­

folder using a filename of a file already present in the folder.


The following files are dropped in the same folder:

  • %variable1%.dat
  • %variable2%.%variable3%

A string with variable content is used instead of %variable1-3% .


The name of the file may be based on the name of an existing file or folder.


This copy of the trojan is then executed.


The trojan may create copies of itself in the folder:

  • %userprofile%\­AppData\­LocalLow\­

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­Currentversion\­Run]
    • "%chosenfilename%.exe" = "%appdata%\­%subfolders%\­%chosenfilename%.exe"

The following Registry entries are set:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Internet Settings\­Zones\­0]
    • "1406" = 0
    • "1609" = 0
    • "1A02" = 0
    • "1A03" = 0
    • "1A05" = 0
    • "1A06" = 0
    • "1A10" = 0
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Internet Settings\­Zones\­1]
    • "1406" = 0
    • "1609" = 0
    • "1A02" = 0
    • "1A03" = 0
    • "1A05" = 0
    • "1A06" = 0
    • "1A10" = 0
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Internet Settings\­Zones\­2]
    • "1406" = 0
    • "1609" = 0
    • "1A02" = 0
    • "1A03" = 0
    • "1A05" = 0
    • "1A06" = 0
    • "1A10" = 0
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Internet Settings\­Zones\­3]
    • "1406" = 0
    • "1609" = 0
    • "1A02" = 0
    • "1A03" = 0
    • "1A05" = 0
    • "1A06" = 0
    • "1A10" = 0
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Internet Settings\­Zones\­4]
    • "1406" = 0
    • "1609" = 0
    • "1A02" = 0
    • "1A03" = 0
    • "1A05" = 0
    • "1A06" = 0
    • "1A10" = 0
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Internet Settings]
    • "WarnonBadCertRecving" = 0
    • "EnableSPDY3_0" = 0

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­SharedAccess\­Parameters\­FirewallPolicy\­StandardProfile\­AuthorizedApplications\­List]
    • "%system%\­taskeng.exe" = "%system%\­taskeng.exe:*:Enabled:Task Scheduler Engine"
    • "%system%\­taskhost.exe" = "%system%\­taskhost.exe:*:Enabled:Host Process for Windows Tasks"
    • "%system%\­taskhostex.exe" = "%system%\­taskhostex.exe:*:Enabled:Host Process for Windows Tasks"
    • "%windir%\­explorer.exe" = "%windir%\­explorer.exe:*:Enabled:Windows Explorer"
    • "%systemx86%\­explorer.exe" = "%systemx86%\­explorer.exe:*:Enabled:Windows Explorer"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Internet Explorer\­Main]
    • "Start Page" = "%variable%"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Internet Explorer\­PhishingFilter]
    • "Enabled" = 0
    • "EnabledV8" = 0
    • "EnabledV9" = 0

A string with variable content is used instead of %variable3% .


By adding an exception in Windows Firewall settings, the trojan ensures that it is not blocked.


The trojan executes the following files:

  • %systemx86%\­explorer.exe

The trojan creates and runs a new thread with its own code within these running processes.


The trojan creates and runs a new thread with its own program code in all running processes.


After the installation is complete, the trojan deletes the original executable file.

Information stealing

Win32/Spy.Zbot.ABV is a trojan that steals sensitive information.


The trojan collects the following information:

  • operating system version
  • user name
  • computer name
  • data from the clipboard
  • login user names for certain applications/services
  • login passwords for certain applications/services
  • POP3 account information
  • IMAP account information
  • Outlook Express account data
  • e-mail addresses
  • FTP account information
  • cookies
  • screenshots

The trojan is able to log keystrokes.


The trojan collects sensitive information when the user browses certain web sites.


The trojan collects information related to the following applications:

  • Core FTP
  • FAR Manager
  • FileZilla
  • FlashFXP
  • FTP Commander
  • Google Chrome
  • Internet Explorer
  • Microsoft Outlook
  • Mozilla Firefox
  • SmartFTP
  • Total Commander
  • Windows Mail
  • WinSCP
  • WS_FTP

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a URL address. The HTTP protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • send the list of disk devices and their type to a remote computer
  • log keystrokes
  • capture screenshots
  • update itself to a newer version
  • remove itself from the infected computer
  • set up a proxy server
  • block access to specific websites
  • monitor network traffic
  • modify network traffic
  • send gathered information
  • shut down/restart the computer
  • change the home page of web browser
  • execute shell commands
  • modify the content of websites
  • delete cookies

The trojan hooks the following Windows APIs:

  • closesocket (ws2_32.dll)
  • GetClipboardData (user32.dll)
  • GetCommandLineA (kernel32.dll)
  • GetCommandLineW (kernel32.dll)
  • GetFileAttributesExW (kernel32.dll)
  • HttpOpenRequestA (wininet.dll)
  • HttpOpenRequestW (wininet.dll)
  • HttpQueryInfoA (wininet.dll)
  • HttpSendRequestA (wininet.dll)
  • HttpSendRequestExA (wininet.dll)
  • HttpSendRequestExW (wininet.dll)
  • HttpSendRequestW (wininet.dll)
  • InternetCloseHandle (wininet.dll)
  • InternetConnectA (wininet.dll)
  • InternetConnectW (wininet.dll)
  • InternetQueryDataAvailable (wininet.dll)
  • InternetReadFile (wininet.dll)
  • InternetReadFileExA (wininet.dll)
  • InternetReadFileExW (wininet.dll)
  • InternetWriteFile (wininet.dll)
  • LdrLoadDll (ntdll.dll)
  • NtClose (ntdll.dll)
  • NtCreateThread (ntdll.dll)
  • NtCreateUserProcess (ntdll.dll)
  • PR_Close (nss3.dll)
  • PR_Poll (nss3.dll)
  • PR_Read (nss3.dll)
  • PR_Write (nss3.dll)
  • recv (ws2_32.dll)
  • send (ws2_32.dll)
  • TranslateMessage (user32.dll)
  • WSARecv (ws2_32.dll)
  • WSASend (ws2_32.dll)

The trojan keeps various information in the following Registry keys:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­%variable1%]
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­%variable2%]
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­%variable3%]

The trojan can modify the following file:

  • %firefoxprofilefolder%\­user.js

The trojan writes the following entries to the file:

  • user_pref("browser.startup.homepage", "%variable4%");
  • user_pref("browser.startup.page", 1);
  • user_pref("privacy.clearOnShutdown.cookies", false);

A string with variable content is used instead of %variable1-4% .

Please enable Javascript to ensure correct displaying of this content and refresh this page.