Win32/Spy.Zbot [Threat Name]
Win32/Spy.Zbot.ACB [Threat Variant Name]
Category: trojan
Size: 262717 B
Aliases: Trojan-Spy.Win32.Zbot.vctc (Kaspersky)
Short description
The trojan serves as a backdoor. It can be controlled remotely.
Installation
When executed, the trojan copies itself into the following location:
- %appdata%\%variable1%\%variable2%.exe
A string with variable content is used instead of %variable1% and %variable2%.
This copy of the trojan is then executed.
The trojan may create copies of itself in the folder:
- %userprofile%\AppData\LocalLow\
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "{%variable3%}" = "%appdata%\%variable1%\%variable2%.exe"
The following Registry entries are set:
- [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
- "Enabled" = 0
- "EnabledV8" = 0
- "EnabledV9" = 0
- [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
- "1406" = 0
- "1609" = 0
- "1A02" = 0
- "1A10" = 0
- "1A03" = 0
- "1A05" = 0
- [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
- "1406" = 0
- "1609" = 0
- "1A02" = 0
- "1A10" = 0
- "1A03" = 0
- "1A05" = 0
- [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
- "1406" = 0
- "1609" = 0
- "1A02" = 0
- "1A10" = 0
- "1A03" = 0
- "1A05" = 0
- [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
- "1406" = 0
- "1609" = 0
- "1A02" = 0
- "1A10" = 0
- "1A03" = 0
- "1A05" = 0
- [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
- "1406" = 0
- "1609" = 0
- "1A02" = 0
- "1A10" = 0
- "1A03" = 0
- "1A05" = 0
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
- "WarnonBadCertRecving" = 0
- "EnableSPDY3_0" = 0
The trojan may set the following Registry entries:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
- "%system%\taskeng.exe" = "%system%\taskeng.exe:*:Enabled:Task Scheduler Engine"
- "%system%\taskhost.exe" = "%system%\taskhost.exe:*:Enabled:Host Process for Windows Tasks"
- "%system%\taskhostex.exe" = "%system%\taskhostex.exe:*:Enabled:Host Process for Windows Tasks"
- "%windir%\explorer.exe" = "%windir%\explorer.exe:*:Enabled:Windows Explorer"
- "%system_x86%\explorer.exe" = "%system_x86%\explorer.exe:*:Enabled:Windows Explorer"
- [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
- "Start Page" = "%variable4%"
A string with variable content is used instead of %variable3% and %variable4%.
By adding an exception in Windows Firewall settings, the trojan ensures that it is not blocked.
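The registry changes listed above can be checked on a host with the following PowerShell script. It is an added example, not ESET's code or part of the sample; the registry paths and value names are the ones given in this description, and it only reports values that match the described settings.

```powershell
# Added host check (not ESET's code) for the registry artifacts listed in this description.
# Run as the affected user; reading the HKLM firewall key may need an elevated session.
$findings = @()

# 1. Run-key values launching an executable from a subfolder of %appdata%
$run = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's PSPath/PSDrive/... properties
        if ("$($p.Value)" -like "$env:APPDATA\*\*.exe") { $findings += "Run '$($p.Name)' -> $($p.Value)" }
    }
}

# 2. Internet Explorer phishing filter / SmartScreen switched off
$pf = 'HKCU:\Software\Microsoft\Internet Explorer\PhishingFilter'
foreach ($n in 'Enabled','EnabledV8','EnabledV9') {
    if ((Get-ItemProperty $pf -Name $n -ErrorAction SilentlyContinue).$n -eq 0) { $findings += "PhishingFilter\$n = 0" }
}

# 3. Policy zone settings 1406/1609/1A02/1A10/1A03/1A05 forced to 0 in zones 0-4
$zones = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
foreach ($z in 0..4) {
    foreach ($n in '1406','1609','1A02','1A10','1A03','1A05') {
        if ((Get-ItemProperty "$zones\$z" -Name $n -ErrorAction SilentlyContinue).$n -eq 0) { $findings += "Zones\$z\$n = 0" }
    }
}

# 4. Bad-certificate warning and SPDY disabled
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
foreach ($n in 'WarnonBadCertRecving','EnableSPDY3_0') {
    if ((Get-ItemProperty $inet -Name $n -ErrorAction SilentlyContinue).$n -eq 0) { $findings += "Internet Settings\$n = 0" }
}

# 5. Firewall exceptions registered for the system binaries named in the description
$fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$fwList = Get-ItemProperty $fw -ErrorAction SilentlyContinue
if ($fwList) {
    foreach ($p in $fwList.PSObject.Properties) {
        if ($p.Name -match '\\(taskeng|taskhost|taskhostex|explorer)\.exe$') { $findings += "Firewall exception: $($p.Value)" }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'None of the listed Win32/Spy.Zbot.ACB registry artifacts found.' }
```

Several of these values can also be set legitimately by Group Policy or by the user, so treat a single hit as a lead to correlate with the file and process artifacts described here rather than as proof of infection.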
The trojan executes the following files:
- %systemx86%\explorer.exe
The trojan creates and runs a new thread with its own code within this running process.
The trojan creates and runs a new thread with its own program code within the following processes:
- chrome.exe
- explorer.exe
- iexplore.exe
- firefox.exe
After the installation is complete, the trojan deletes the original executable file.
Information stealing
Win32/Spy.Zbot.ACB is a trojan that steals sensitive information.
The trojan collects the following information:
- operating system version
- user name
- computer name
- digital certificates
- digital certificate passwords
- data from the clipboard
- login user names for certain applications/services
- login passwords for certain applications/services
- POP3 account information
- IMAP account information
- Outlook Express account data
- e-mail addresses
- FTP account information
- cookies
- screenshots
The trojan is able to log keystrokes.
The trojan collects sensitive information when the user browses certain web sites.
The trojan collects information related to the following applications:
- Core FTP
- FAR Manager
- FileZilla
- FlashFXP
- FTP Commander
- Google Chrome
- Internet Explorer
- Microsoft Outlook
- Mozilla Firefox
- SmartFTP
- Total Commander
- Windows Mail
- WinSCP
- WS_FTP
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a URL address. The HTTP protocol is used.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- send the list of disk devices and their type to a remote computer
- log keystrokes
- capture screenshots
- update itself to a newer version
- remove itself from the infected computer
- change the privileges of a running process
- set up a proxy server
- block access to specific websites
- monitor network traffic
- modify network traffic
- send gathered information
- shut down/restart the computer
- change the home page of the web browser
- execute shell commands
- remove digital certificates
- modify the content of websites
- delete cookies
- open a specific URL address
The trojan hooks the following Windows APIs:
- NtCreateUserProcess (ntdll.dll)
- NtResumeThread (ntdll.dll)
- GetFileAttributesExW (kernel32.dll)
- TranslateMessage (user32.dll)
- GetClipboardData (user32.dll)
- closesocket (ws2_32.dll)
- send (ws2_32.dll)
- recv (ws2_32.dll)
- WSASend (ws2_32.dll)
- WSARecv (ws2_32.dll)
- HttpSendRequestW (wininet.dll)
- HttpSendRequestA (wininet.dll)
- HttpSendRequestExW (wininet.dll)
- HttpSendRequestExA (wininet.dll)
- InternetReadFile (wininet.dll)
- InternetReadFileExA (wininet.dll)
- InternetReadFileExW (wininet.dll)
- InternetQueryDataAvailable (wininet.dll)
- InternetCloseHandle (wininet.dll)
- HttpOpenRequestA (wininet.dll)
- HttpOpenRequestW (wininet.dll)
- HttpQueryInfoA (wininet.dll)
- InternetConnectA (wininet.dll)
- InternetConnectW (wininet.dll)
- InternetWriteFile (wininet.dll)
- PFXImportCertStore (crypt32.dll)
- PR_Close (nss3.dll)
- PR_Read (nss3.dll)
- PR_Write (nss3.dll)
- PR_Poll (nss3.dll)
The trojan keeps various information in the following Registry keys:
- [HKEY_CURRENT_USER\Microsoft\%variable1%\%variable2%]
- [HKEY_CURRENT_USER\Microsoft\%variable1%\%variable3%]
- [HKEY_CURRENT_USER\Microsoft\%variable2%\%variable4%]
The trojan can modify the following file:
- %firefoxprofilefolder%\user.js
The trojan writes the following entries to the file:
- user_pref("browser.startup.homepage", "%variable5%");
- user_pref("browser.startup.page", 1);
- user_pref("privacy.clearOnShutdown.cookies", false);
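To check for the user.js modification described above, the following added PowerShell snippet (not ESET's code) searches every Firefox profile for the three preference lines listed; the profiles path is an assumption for a standard per-user Firefox install.

```powershell
# Added check, not ESET's code: find the three user_pref() lines the trojan writes to
# %firefoxprofilefolder%\user.js. Assumes the standard per-user Firefox profile location.
$profilesRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'

# Regexes for the exact entries listed in the description (the homepage value varies).
$patterns = @(
    'user_pref\("browser\.startup\.homepage",\s*".*"\);',
    'user_pref\("browser\.startup\.page",\s*1\);',
    'user_pref\("privacy\.clearOnShutdown\.cookies",\s*false\);'
)

Get-ChildItem -Path $profilesRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $userJs = Join-Path $_.FullName 'user.js'
    if (-not (Test-Path -LiteralPath $userJs)) { return }   # no user.js in this profile

    $hits = Select-String -LiteralPath $userJs -Pattern $patterns
    if (-not $hits) { return }

    Write-Output "Profile: $($_.Name)"
    $hits | ForEach-Object { Write-Output "  line $($_.LineNumber): $($_.Line.Trim())" }

    # user.js is a legitimate user-editable file; all three preferences together, with a
    # homepage the user did not choose, is the combination worth following up.
    $distinct = ($hits | Select-Object -ExpandProperty Pattern -Unique).Count
    if ($distinct -eq 3) { Write-Output '  [!] all three listed entries present' }
}
```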
The trojan contains the program code of the following malware:
- Win32/ServStart.AD
A string with variable content is used instead of %variable1% to %variable5%.