Win32/Spy.Zbot [Threat Name]

Win32/Spy.Zbot.VJ [Threat Variant Name]

Category: trojan
Size: 114176 B
Detection created: Oct 21, 2009
Detection database version: 4529
Aliases:

  • Generic.dx!gxm (McAfee)
  • PWS:Win32/Zbot (Microsoft)
  • Trojan.Horse (Symantec)
Short description

The trojan collects sensitive information when the user browses certain web sites. The trojan can send the information to a remote machine. It can be controlled remotely.

Installation

When executed, the trojan copies itself into the following location:

  • %system%\sdra64.exe

The trojan creates the following folders:

  • %system%\lowsec

The trojan creates the following files:

  • %system%\lowsec\user.ds.lll
  • %system%\lowsec\user.ds
  • %system%\lowsec\local.ds

The following Registry entry is set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Userinit" = "%system%\userinit.exe, %system%\sdra64.exe"

This causes the trojan to be executed on every system start.
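A defender-side check for the Userinit persistence described above, added here as an example and not part of the ESET entry: it parses the comma-separated Userinit value, flags any entry other than the stock userinit.exe, and looks for the dropped files listed in this entry. The C:\Windows\System32 default and the sample value are assumptions.

```python
import ntpath
import os

# Stock Userinit content on a clean system: only userinit.exe (bare or in %system%)
EXPECTED_USERINIT = {"userinit.exe"}
# Files this variant drops, relative to %system% (taken from the entry above)
DROPPED_FILES = ["sdra64.exe", r"lowsec\user.ds", r"lowsec\user.ds.lll", r"lowsec\local.ds"]

def parse_userinit(value, system_dir=r"C:\Windows\System32"):
    """Split the comma-separated Userinit string into expanded, unquoted entries."""
    entries = []
    for raw in value.split(","):
        raw = raw.strip().strip('"')
        if raw:
            # %system% is this page's placeholder for the System32 directory (assumed path)
            entries.append(raw.replace("%system%", system_dir))
    return entries

def suspicious_userinit_entries(value, system_dir=r"C:\Windows\System32"):
    """Return every Userinit entry that is not the stock userinit.exe.

    The trojan appends its dropped copy after userinit.exe, so a second entry
    (or a userinit.exe outside %system%) is flagged."""
    flagged = []
    for entry in parse_userinit(value, system_dir):
        name = ntpath.basename(entry).lower()
        parent = ntpath.dirname(entry).lower().rstrip("\\")
        if name in EXPECTED_USERINIT and parent in ("", system_dir.lower()):
            continue
        flagged.append(entry)
    return flagged

def dropped_files_present(system_dir=r"C:\Windows\System32"):
    """Return which of the dropped files from this entry exist on disk."""
    return [p for p in (ntpath.join(system_dir, f) for f in DROPPED_FILES)
            if os.path.exists(p)]

def read_live_userinit():
    """Read the real Userinit value (Windows only; returns None elsewhere)."""
    try:
        import winreg
    except ImportError:
        return None
    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        return winreg.QueryValueEx(key, "Userinit")[0]
```

On a Windows host, `suspicious_userinit_entries(read_live_userinit())` followed by `dropped_files_present()` gives a quick triage for this variant; a clean machine returns an empty list from both.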

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network]
    • "UID" = "%computername%_%variable%"
  • [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{334613DB-50C1-B3BE-95ED-E9915A134FF1}]
    • "{3039636B-5F3D-6C64-6675-696870667265}" = %hex_value1%
    • "{33373039-3132-3864-6B30-303233343434}" = %hex_value2%
  • [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}]
    • "{3039636B-5F3D-6C64-6675-696870667265}" = %hex_value1%
    • "{33373039-3132-3864-6B30-303233343434}" = %hex_value2%
  • [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    • "ProxyEnable" = 0

The trojan creates and runs a new thread with its own program code within the following processes:

  • winlogon.exe
  • svchost.exe
  • explorer.exe

Information stealing

The trojan collects sensitive information when the user browses certain web sites.

The trojan can send the information to a remote machine. The FTP protocol is used.

Other information

The trojan hooks the following Windows APIs:

  • NtCreateThread (ntdll.dll)
  • LdrLoadDll (ntdll.dll)
  • LdrGetProcedureAddress (ntdll.dll)
  • NtQueryDirectoryFile (ntdll.dll)
  • send (wsock32.dll)
  • sendto (wsock32.dll)
  • closesocket (wsock32.dll)
  • send (ws2_32.dll)
  • sendto (ws2_32.dll)
  • WSASend (ws2_32.dll)
  • WSASendTo (ws2_32.dll)
  • closesocket (ws2_32.dll)
  • HttpSendRequestW (wininet.dll)
  • HttpSendRequestA (wininet.dll)
  • HttpSendRequestExW (wininet.dll)
  • HttpSendRequestExA (wininet.dll)
  • InternetReadFile (wininet.dll)
  • InternetReadFileExW (wininet.dll)
  • InternetReadFileExA (wininet.dll)
  • InternetQueryDataAvailable (wininet.dll)
  • InternetCloseHandle (wininet.dll)
  • HttpQueryInfoA (wininet.dll)
  • HttpQueryInfoW (wininet.dll)
  • TranslateMessage (user32.dll)
  • GetClipboardData (user32.dll)
  • PFXImportCertStore (crypt32.dll)

The following services are disabled:

  • Windows Firewall

The trojan contains a URL address. It tries to download a file from the address. The HTTP protocol is used.

The file is stored in the following location:

  • %system%\lowsec\user.ds

The trojan acquires data and commands from a remote computer or the Internet.

It can execute the following operations:

  • monitor network traffic
  • redirect network traffic
  • capture screenshots
  • send files to a remote computer
  • download files from a remote computer and/or the Internet
  • retrieve information from protected storage and send it to the remote computer
  • steal information from the Windows clipboard

The trojan may create and run a new thread with its own program code within any running process.