Win32/Spy.Zbot [Threat Name] go to Threat
Win32/Spy.Zbot.AAU [Threat Variant Name]
| Category | trojan |
| Size | 282624 B |
| Aliases | PWS:Win32/Zbot.gen!AM (Microsoft) |
| PWS-Zbot.gen.apr.trojan (McAfee) | |
| Win32:Fraudo (Avast) |
Short description
The trojan serves as a backdoor. It can be controlled remotely.
Installation
When executed, the trojan copies itself into the following location:
- %appdata%\%variable1%\%variable2%.exe
This copy of the trojan is then executed.
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "%variable2%" = "%appdata%\%variable1%\%variable2%.exe"
The trojan keeps various information in the following Registry key:
- [HKEY_CURRENT_USER\Software\Microsoft\%variable3%]
A string with variable content is used instead of %variable1-3% .
The trojan may create and run a new thread with its own program code within any running process.
After the installation is complete, the trojan deletes the original executable file.
Information stealing
Win32/Spy.Zbot.AAU is a trojan that steals sensitive information.
The trojan collects the following information:
- operating system version
- user name
- computer name
- digital certificates
- digital certificate passwords
- URLs visited
- data from the clipboard
- login user names for certain applications/services
- login passwords for certain applications/services
- POP3 account information
- IMAP account information
- Outlook Express account data
- e-mail addresses
The trojan collects sensitive information when the user browses certain web sites.
The trojan searches for files with the following file extensions:
- *.doc
- *.docx
- *.eml
- *.ini
- *.js
- *.json
- *.ppt
- *.pptx
- *.rdf
- *.sol
- *.sqlite
- *.sqlite-*
- *.txt
- *.xls
- *.xlsx
- *.xml
The trojan collects information related to the following applications:
- TellerPlus
- BancLine
- Fidelity
- BankMan
- CruiseNet
The collected information is stored in the following files:
- %localappdata%\%variable1%.%variable2%
A string with variable content is used instead of %variable1-2% .
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan generates various URL addresses. The HTTP protocol is used.
The network communication with remote computer/server is encrypted. The RC4 encryption algorithm is used.
The trojan opens a random TCP port.
The trojan opens a random UDP port.
The trojan may set the following Registry entries:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
- "%random1%:UDP" = "%random1%:UDP:*:Enabled:UDP %random1%"
- "%random2%:TCP" = "%random2%:TCP:*:Enabled:TCP %random2%"
It tries to connect to remote machines to ports:
- %variable% (UDP)
A variable numerical value is used instead of %random1-2%, %variable% .
It can execute the following operations:
- send the list of disk devices and their type to a remote computer
- log keystrokes
- capture screenshots
- update itself to a newer version
- remove itself from the infected computer
- change the privileges of a running process
- run executable files
- set up a proxy server
- block access to specific websites
- monitor network traffic
- modify network traffic
- send gathered information
- shut down/restart the computer
- change the home page of web browser
- remove digital certificates
The trojan may delete the following files:
- *.sol
The trojan hooks the following Windows APIs:
- PR_Close (nspr4.dll)
- PR_OpenTCPSocket (nspr4.dll)
- PR_Poll (nspr4.dll)
- PR_Read (nspr4.dll)
- PR_Write (nspr4.dll)
- SSL_read (ssleay32.dll)
- SSL_write (ssleay32.dll)
- SSL_get_fd (ssleay32.dll)
- HttpQueryInfoA (wininet.dll)
- HttpQueryInfoW (wininet.dll)
- HttpSendRequestA (wininet.dll)
- HttpSendRequestW (wininet.dll)
- HttpSendRequestExA (wininet.dll)
- HttpSendRequestExW (wininet.dll)
- InternetCloseHandle (wininet.dll)
- InternetQueryDataAvailable (wininet.dll)
- InternetReadFile (wininet.dll)
- InternetReadFileExA (wininet.dll)
- InternetReadFileExW (wininet.dll)
- InternetWriteFile (wininet.dll)
- closesocket (ws2_32.dll)
- FreeAddrInfoW (ws2_32.dll)
- freeaddrinfo (ws2_32.dll)
- GetAddrInfoW (ws2_32.dll)
- getaddrinfo (ws2_32.dll)
- gethostbyname (ws2_32.dll)
- recv (ws2_32.dll)
- send (ws2_32.dll)
- WSAGetOverlappedResult (ws2_32.dll)
- WSARecv (ws2_32.dll)
- WSASend (ws2_32.dll)
- GetClipboardData (user32.dll)
- PostQuitMessage (user32.dll)
- TranslateMessage (user32.dll)
- LdrLoadDll (ntdll.dll)
- NtCreateThread (ntdll.dll)
- NtTerminateProcess (ntdll.dll)
- PFXImportCertStore (crypt32.dll)
- DecryptMessage (secur32.dll)
- DeleteSecurityContext (secur32.dll)
- EncryptMessage (secur32.dll)