Win32/Spy.Zbot [Threat Name]

Win32/Spy.Zbot.YW [Threat Variant Name]

Category: trojan
Size: 99840 B
Detection created: Apr 21, 2010
Signature database version: 10000
Aliases: Trojan-Spy.Win32.Zbot.ajws (Kaspersky)
  Infostealer.Banker.C (Symantec)
  PWS:Win32/Zbot.gen!Y (McAfee)
Short description

Win32/Spy.Zbot.YW is a trojan that steals passwords and other sensitive information. The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\%random1%\%random2%.exe

This copy of the trojan is then executed.

After the installation is complete, the trojan deletes the original executable file.


In order to be executed on system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%randomclsid%" = "%appdata%\%random1%\%random2%.exe"

The trojan may create the following files:

  • %appdata%\%random3%\%random4%.%random5%
  • %appdata%\%random3%\%random4%.tmp
  • %appdata%\%random3%\%random4%.dat
  • %mozillafirefoxprofilesfolder%\user.js (328 B)

The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
    • "Enabled" = 0
    • "EnabledV8" = 0
  • [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
    • "1406" = 0
    • "1609" = 0
  • [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
    • "1406" = 0
    • "1609" = 0
  • [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
    • "1406" = 0
    • "1609" = 0
  • [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    • "1406" = 0
    • "1609" = 0
  • [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
    • "1406" = 0
    • "1609" = 0

The trojan keeps various information in the following Registry key:

  • [HKEY_CURRENT_USER\Software\Microsoft\%random6%]

A string with variable content is used instead of %random1-6%.

The trojan may create and run a new thread with its own program code within any running process.
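The Run entry and the Internet Explorer settings listed above are the host-side artifacts a defender can check for without the sample itself. The Python script below is an added example (it is not part of the ESET description): it parses a Regedit 5.00 export of HKEY_CURRENT_USER and reports the phishing filter being switched off, URL actions 1406 and 1609 (cross-domain data access and mixed-content display) set to 0, meaning allowed without prompting, in zones 0 to 4, and any Run value named like a CLSID that launches an executable two directories below the roaming AppData folder, which is how %appdata%\%random1%\%random2%.exe appears once expanded. The sample export, the user name, the folder and file names and the CLSID are constructed placeholders, not indicators from the page; the parser accepts both the HKCU and HKEY_CURRENT_USER spellings the description uses.

```python
"""Audit a Regedit 5.00 export of HKEY_CURRENT_USER for the settings that the
Win32/Spy.Zbot.YW description lists.  Added example for defenders; the sample
export below is constructed and its random names are placeholders."""
import re
from typing import Dict, List, Union

RegValue = Union[int, str]
RegKeys = Dict[str, Dict[str, RegValue]]

HIVE = "HKEY_CURRENT_USER"
RUN_KEY = HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run"
PHISHING_KEY = HIVE + r"\Software\Microsoft\Internet Explorer\PhishingFilter"
ZONE_KEY = HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\{}"

# The description says the Run value is named like a CLSID and points at
# %appdata%\<random>\<random>.exe; in an export %appdata% appears expanded.
CLSID_NAME_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
APPDATA_EXE_RE = re.compile(r"\\AppData\\Roaming\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)
VALUE_LINE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# Constructed sample export, not captured data; names are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"{A1B2C3D4-0000-1111-2222-333344445555}"="C:\\Users\\alice\\AppData\\Roaming\\Qwert\\zxcvb.exe"
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
"Enabled"=dword:00000000
"EnabledV8"=dword:00000000

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1406"=dword:00000000
"1609"=dword:00000000
"1A00"=dword:00020000
'''


def decode_value(raw: str) -> RegValue:
    """Decode the two encodings the audit needs: dword:<hex> and "<string>"."""
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        # .reg strings escape backslash and double quote with a backslash
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw  # hex:, hex(2): and similar are left undecoded; not needed here


def parse_reg(text: str) -> RegKeys:
    """Minimal parser: returns {key path: {value name: decoded data}}."""
    keys: RegKeys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            if current.upper().startswith("HKCU\\"):  # accept the short hive name
                current = HIVE + current[4:]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = decode_value(m.group(2))
    return keys


def audit(keys: RegKeys) -> List[str]:
    """Return one finding per setting that matches the description."""
    findings: List[str] = []
    pf = keys.get(PHISHING_KEY, {})
    for name in ("Enabled", "EnabledV8"):
        if pf.get(name) == 0:
            findings.append(f"PhishingFilter\\{name} = 0 (phishing filter disabled)")
    for zone in range(5):
        actions = keys.get(ZONE_KEY.format(zone), {})
        for action in ("1406", "1609"):
            if actions.get(action) == 0:
                findings.append(f"Zones\\{zone}\\{action} = 0 (URL action set to allow)")
    for name, data in keys.get(RUN_KEY, {}).items():
        if isinstance(data, str) and CLSID_NAME_RE.match(name) and APPDATA_EXE_RE.search(data):
            findings.append(f"Run\\{name} -> {data}")
    return findings


def audit_reg_text(text: str) -> List[str]:
    """Convenience wrapper: parse an export and audit it in one call."""
    return audit(parse_reg(text))


if __name__ == "__main__":
    for finding in audit_reg_text(SAMPLE_REG):
        print(finding)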

Information stealing

The trojan collects the following information:

  • FTP account information
  • e-mail addresses

The trojan collects information related to the following applications:

  • FlashFXP
  • Total Commander
  • IPSwitch
  • FileZilla
  • Far/Far2
  • Winscp 2
  • FTP Commander
  • CoreFTP
  • SmartFTP
  • Windows Mail
  • Windows Live
  • Outlook Express

The trojan collects the following information:

  • cookies
  • login passwords for certain applications/services
  • digital certificates
  • user name
  • information about the operating system and system settings

The trojan collects sensitive information when the user browses certain web sites.


The collected information is stored in the following file:

  • %appdata%\%random3%\%random4%.%random5%

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a URL address. The HTTP protocol is used.

It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • capture screenshots
  • set up a proxy server
  • log keystrokes
  • send gathered information

The trojan changes the home page of the following web browsers:

  • Internet Explorer

The trojan hooks the following Windows APIs:

  • NtCreateUserProcess (ntdll.dll)
  • NtCreateThread (ntdll.dll)
  • LdrLoadDll (ntdll.dll)
  • GetFileAttributesExW (kernel32.dll)
  • HttpSendRequestW (wininet.dll)
  • HttpSendRequestA (wininet.dll)
  • HttpSendRequestExW (wininet.dll)
  • HttpSendRequestExA (wininet.dll)
  • CloseHandle (kernel32.dll)
  • InternetReadFile (wininet.dll)
  • InternetReadFileExA (wininet.dll)
  • InternetQueryDataAvailable (wininet.dll)
  • HttpQueryInfoA (wininet.dll)
  • closesocket (ws2_32.dll)
  • send (ws2_32.dll)
  • WSASend (ws2_32.dll)
  • OpenInputDesktop (user32.dll)
  • SwitchDesktop (user32.dll)
  • DefWindowProcW (user32.dll)
  • DefWindowProcA (user32.dll)
  • DefDlgProcW (user32.dll)
  • DefDlgProcA (user32.dll)
  • DefFrameProcW (user32.dll)
  • DefFrameProcA (user32.dll)
  • DefMDIChildProcW (user32.dll)
  • DefMDIChildProcA (user32.dll)
  • CallWindowProcW (user32.dll)
  • CallWindowProcA (user32.dll)
  • RegisterClassW (user32.dll)
  • RegisterClassA (user32.dll)
  • RegisterClassExW (user32.dll)
  • RegisterClassExA (user32.dll)
  • BeginPaint (user32.dll)
  • EndPaint (user32.dll)
  • GetDCEx (user32.dll)
  • GetDC (user32.dll)
  • GetWindowDC (user32.dll)
  • ReleaseDC (user32.dll)
  • GetUpdateRect (user32.dll)
  • GetUpdateRgn (user32.dll)
  • GetMessagePos (user32.dll)
  • GetCursorPos (user32.dll)
  • SetCursorPos (user32.dll)
  • SetCapture (user32.dll)
  • ReleaseCapture (user32.dll)
  • GetCapture (user32.dll)
  • GetMessageW (user32.dll)
  • GetMessageA (user32.dll)
  • PeekMessageW (user32.dll)
  • PeekMessageA (user32.dll)
  • TranslateMessage (user32.dll)
  • GetClipboardData (user32.dll)
  • PFXImportCertStore (crypt32.dll)
  • PR_OpenTCPSocket (nspr4.dll)
  • PR_Close (nspr4.dll)
  • PR_Read (nspr4.dll)
  • PR_Write (nspr4.dll)