Win32/Spy.Zbot [Threat Name]

Win32/Spy.Zbot.ACB [Threat Variant Name]

Category: trojan
Size: 262717 B
Detection created: Aug 20, 2014
Detection database version: 10286
Aliases: Trojan-Spy.Win32.Zbot.vctc (Kaspersky)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\%variable1%\%variable2%.exe

A string with variable content is used instead of %variable1-2%.


This copy of the trojan is then executed.


The trojan may create copies of itself in the folder:

  • %userprofile%\AppData\LocalLow\

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "{%variable3%}" = "%appdata%\%variable1%\%variable2%.exe"

The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
    • "Enabled" = 0
    • "EnabledV8" = 0
    • "EnabledV9" = 0
  • [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
    • "1406" = 0
    • "1609" = 0
    • "1A02" = 0
    • "1A10" = 0
    • "1A03" = 0
    • "1A05" = 0
  • [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
    • "1406" = 0
    • "1609" = 0
    • "1A02" = 0
    • "1A10" = 0
    • "1A03" = 0
    • "1A05" = 0
  • [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
    • "1406" = 0
    • "1609" = 0
    • "1A02" = 0
    • "1A10" = 0
    • "1A03" = 0
    • "1A05" = 0
  • [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    • "1406" = 0
    • "1609" = 0
    • "1A02" = 0
    • "1A10" = 0
    • "1A03" = 0
    • "1A05" = 0
  • [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
    • "1406" = 0
    • "1609" = 0
    • "1A02" = 0
    • "1A10" = 0
    • "1A03" = 0
    • "1A05" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    • "WarnonBadCertRecving" = 0
    • "EnableSPDY3_0" = 0

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    • "%system%\taskeng.exe" = "%system%\taskeng.exe:*:Enabled:Task Scheduler Engine"
    • "%system%\taskhost.exe" = "%system%\taskhost.exe:*:Enabled:Host Process for Windows Tasks"
    • "%system%\taskhostex.exe" = "%system%\taskhostex.exe:*:Enabled:Host Process for Windows Tasks"
    • "%windir%\explorer.exe" = "%windir%\explorer.exe:*:Enabled:Windows Explorer"
    • "%system_x86%\explorer.exe" = "%system_x86%\explorer.exe:*:Enabled:Windows Explorer"
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    • "Start Page" = "%variable4%"

A string with variable content is used instead of %variable3-4%.


By adding an exception in Windows Firewall settings, the trojan ensures that it is not blocked.


The trojan executes the following files:

  • %systemx86%\explorer.exe

The trojan creates and runs a new thread with its own code within these running processes.


The trojan creates and runs a new thread with its own program code within the following processes:

  • chrome.exe
  • explorer.exe
  • iexplore.exe
  • firefox.exe

After the installation is complete, the trojan deletes the original executable file.

Information stealing

Win32/Spy.Zbot.ACB is a trojan that steals sensitive information.


The trojan collects the following information:

  • operating system version
  • user name
  • computer name
  • digital certificates
  • digital certificate passwords
  • data from the clipboard
  • login user names for certain applications/services
  • login passwords for certain applications/services
  • POP3 account information
  • IMAP account information
  • Outlook Express account data
  • e-mail addresses
  • FTP account information
  • cookies
  • screenshots

The trojan is able to log keystrokes.


The trojan collects sensitive information when the user browses certain web sites.


The trojan collects information related to the following applications:

  • Core FTP
  • FAR Manager
  • FileZilla
  • FlashFXP
  • FTP Commander
  • Google Chrome
  • Internet Explorer
  • Microsoft Outlook
  • Mozilla Firefox
  • SmartFTP
  • Total Commander
  • Windows Mail
  • WinSCP
  • WS_FTP

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a URL address. The HTTP protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • send the list of disk devices and their type to a remote computer
  • log keystrokes
  • capture screenshots
  • update itself to a newer version
  • remove itself from the infected computer
  • change the privileges of a running process
  • set up a proxy server
  • block access to specific websites
  • monitor network traffic
  • modify network traffic
  • send gathered information
  • shut down/restart the computer
  • change the web browser's home page
  • execute shell commands
  • remove digital certificates
  • modify the content of websites
  • delete cookies
  • open a specific URL address

The trojan hooks the following Windows APIs:

  • NtCreateUserProcess (ntdll.dll)
  • NtResumeThread (ntdll.dll)
  • GetFileAttributesExW (kernel32.dll)
  • TranslateMessage (user32.dll)
  • GetClipboardData (user32.dll)
  • closesocket (ws2_32.dll)
  • send (ws2_32.dll)
  • recv (ws2_32.dll)
  • WSASend (ws2_32.dll)
  • WSARecv (ws2_32.dll)
  • HttpSendRequestW (wininet.dll)
  • HttpSendRequestA (wininet.dll)
  • HttpSendRequestExW (wininet.dll)
  • HttpSendRequestExA (wininet.dll)
  • InternetReadFile (wininet.dll)
  • InternetReadFileExA (wininet.dll)
  • InternetReadFileExW (wininet.dll)
  • InternetQueryDataAvailable (wininet.dll)
  • InternetCloseHandle (wininet.dll)
  • HttpOpenRequestA (wininet.dll)
  • HttpOpenRequestW (wininet.dll)
  • HttpQueryInfoA (wininet.dll)
  • InternetConnectA (wininet.dll)
  • InternetConnectW (wininet.dll)
  • InternetWriteFile (wininet.dll)
  • PFXImportCertStore (crypt32.dll)
  • PR_Close (nss3.dll)
  • PR_Read (nss3.dll)
  • PR_Write (nss3.dll)
  • PR_Poll (nss3.dll)

The trojan keeps various information in the following Registry keys:

  • [HKEY_CURRENT_USER\Microsoft\%variable1%\%variable2%]
  • [HKEY_CURRENT_USER\Microsoft\%variable1%\%variable3%]
  • [HKEY_CURRENT_USER\Microsoft\%variable2%\%variable4%]

The trojan can modify the following file:

  • %firefoxprofilefolder%\user.js

The trojan writes the following entries to the file:

  • user_pref("browser.startup.homepage", "%variable5%");
  • user_pref("browser.startup.page", 1);
  • user_pref("privacy.clearOnShutdown.cookies", false);

The trojan contains the program code of the following malware:

  • Win32/ServStart.AD

A string with variable content is used instead of %variable1-5%.
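The registry changes listed under Installation (the Run entry under %appdata%, the disabled PhishingFilter and Internet Settings values, the zeroed zone policies) and the user.js preferences above can be checked offline against a collected registry export and a Firefox profile. The following script is an added example written for this page, not ESET code; the .reg and user.js samples in it are constructed, and it assumes a `reg export`-style text file with one value per line.

```python
import re
# Indicators from the write-up above; the .reg and user.js samples at the bottom are constructed.
ZERO_VALUES = {  # registry keys are case-insensitive, so lookups use lower-case
    r"hkey_current_user\software\microsoft\internet explorer\phishingfilter": {"Enabled", "EnabledV8", "EnabledV9"},
    r"hkey_current_user\software\microsoft\windows\currentversion\internet settings": {"WarnonBadCertRecving", "EnableSPDY3_0"},
}
ZONE_RE = re.compile(r"^hkey_current_user\\software\\policies\\microsoft\\windows\\currentversion\\internet settings\\zones\\[0-4]$")
ZONE_VALUES = {"1406", "1609", "1A02", "1A10", "1A03", "1A05"}
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
RUN_RE = re.compile(r"(?:%appdata%|\\appdata\\roaming)\\[^\\]+\\[^\\]+\.exe$", re.I)  # %appdata%\dir\name.exe
USERJS_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);')
USERJS_PREFS = {"browser.startup.homepage", "browser.startup.page", "privacy.clearOnShutdown.cookies"}
def parse_reg_export(text):
    """Parse a .reg export into {key: {name: value}}: dword data -> int, string data unescaped."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, raw = (s.strip() for s in line.partition("="))
            current[name.strip('"')] = (int(raw[6:], 16) if raw.lower().startswith("dword:")
                                        else raw.strip('"').replace("\\\\", "\\"))
    return keys
def registry_indicators(keys):
    """Return (key, name, value) triples matching the persistence and hardening-bypass entries above."""
    hits = []
    for key, values in keys.items():
        k = key.lower()
        wanted = ZERO_VALUES.get(k, ZONE_VALUES if ZONE_RE.match(k) else set())
        hits += [(key, n, v) for n, v in values.items() if n in wanted and v == 0]
        if k == RUN_KEY:  # a value named "{...}" that launches an .exe two levels under %appdata%
            hits += [(key, n, v) for n, v in values.items()
                     if n[:1] == "{" and n[-1:] == "}" and isinstance(v, str) and RUN_RE.search(v)]
    return hits
def userjs_indicators(text):  # {pref: raw value} for the user.js preferences the trojan writes
    return {p: v for p, v in USERJS_RE.findall(text) if p in USERJS_PREFS}
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"{7A1B2C3D-0000-4E5F-8899-AABBCCDDEEFF}"="C:\\Users\\bob\\AppData\\Roaming\\Qowu\\yxfe.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
"EnabledV9"=dword:00000000
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1406"=dword:00000000
"1A05"=dword:00000003
'''
SAMPLE_USERJS = ('user_pref("browser.startup.homepage", "http://example.invalid/");\n'
                 'user_pref("browser.startup.page", 1);\nuser_pref("browser.tabs.warnOnClose", false);\n'
                 'user_pref("privacy.clearOnShutdown.cookies", false);\n')
```

Running `registry_indicators(parse_reg_export(SAMPLE_REG))` on the constructed export reports the braced Run entry, the disabled PhishingFilter value and the zeroed zone setting but not the benign OneDrive entry or the non-zero "1A05" value.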
