Win32/Spy.Zbot [Threat Name] go to Threat

Win32/Spy.Zbot.ACM [Threat Variant Name]

Category trojan
Size 249018 B
Aliases Trojan-Ransom.NSIS.MyxaHaTpyne.gee (Kaspersky)
  Trojan.Cryptolocker.AH (Symantec)
  Trojan:Win32/Dynamer!ac (Microsoft)
Short description

Win32/Spy.Zbot.ACM serves as a backdoor. It can be controlled remotely. The trojan collects information used to access certain sites. The trojan attempts to send gathered information to a remote machine.

Installation

When executed, the trojan copies itself into the following location:

  • %appdatadeepestfolder%\­..\­..\­%variable_1%.exe

A string with variable content is used instead of %variable1-12% .


The name of the file may be based on the name of an existing file or folder.


Only folders which do not contain one of the following string in their path are searched:

  • microsoft
  • firefox

The %appdatadeepestfolder% denotes the deepest folder in the file system tree under the %appdata% folder.


In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • %variable1% = %appdatadeepestfolder%\­..\­..\­%variable1%.exe

The following files may be dropped:

  • %temp%\­ns%variable2%%variable3%.tmp\­system.dll
  • %appdatadeepestfolder%\­..\­%variable4%.%variable5%
  • %appdatadeepestfolder%\­..\­%variable6%.%variable7%
  • %appdatadeepestfolder%\­..\­%variable8%.%variable9%
  • %temp%\­upd%variable10%.bat

Several other files are dropped into the following folders:

  • %appdata%

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Internet Explorer\­PhishingFilter]
    • "Enabled" = 0
    • "EnabledV8" = 0
    • "EnabledV9" = 0
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Internet Settings]
    • "WarnonBadCertRecving" = 0
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Internet Settings\­TemplatePolicies\­MedLow]
    • "1406" = 0
    • "1609" = 0
    • "TemplateIndex" = 0
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Internet Settings\­TemplatePolicies\­MedHigh]
    • "1406" = 0
    • "1609" = 0
    • "1A05" = 0
    • "1A10" = 0
    • "TemplateIndex" = 0
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Internet Settings\­TemplatePolicies\­Medium]
    • "1406" = 0
    • "1609" = 0
    • "1A05" = 0
    • "1A10" = 0
    • "TemplateIndex" = 0
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Internet Settings\­TemplatePolicies\­High]
    • "1406" = 0
    • "1609" = 0
    • "1A02" = 0
    • "1A03" = 0
    • "1A05" = 0
    • "1A06" = 0
    • "1A10" = 0
    • "TemplateIndex" = 0
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Internet Settings\­Zones\­Lockdown_Zones\­0]
    • "1406" = 0
    • "1609" = 0
    • "1A02" = 0
    • "1A03" = 0
    • "1A05" = 0
    • "1A10" = 0
    • "CurrentLevel" = 0
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Internet Settings\­Zones\­0]
    • "1406" = 0
    • "1609" = 0
    • "1A02" = 0
    • "1A03" = 0
    • "1A05" = 0
    • "1A10" = 0
    • "CurrentLevel" = 0
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Internet Settings\­Zones\­1]
    • "1406" = 0
    • "1609" = 0
    • "1A02" = 0
    • "1A03" = 0
    • "1A05" = 0
    • "1A10" = 0
    • "CurrentLevel" = 0
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Internet Settings\­Zones\­2]
    • "1406" = 0
    • "1609" = 0
    • "1A02" = 0
    • "1A03" = 0
    • "1A05" = 0
    • "1A10" = 0
    • "CurrentLevel" = 0
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Internet Settings\­Zones\­3]
    • "1406" = 0
    • "1609" = 0
    • "1A02" = 0
    • "1A03" = 0
    • "1A05" = 0
    • "1A10" = 0
    • "CurrentLevel" = 0
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Internet Settings\­Zones\­4]
    • "1406" = 0
    • "1609" = 0
    • "1A02" = 0
    • "1A03" = 0
    • "1A05" = 0
    • "1A10" = 0
    • "CurrentLevel" = 0

The trojan keeps various information in the following Registry keys:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­%variable2%\­%variable3%]
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­%variable2%\­%variable11%]
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­%variable2%\­%variable12%]

After the installation is complete, the trojan deletes the original executable file.

Information stealing

Win32/Spy.Zbot.ACM is a trojan that steals passwords and other sensitive information.


The trojan collects sensitive information when the user browses certain web sites.


The following information is collected:

  • login user names for certain applications/services
  • login passwords for certain applications/services
  • user name
  • computer name
  • installed antivirus software
  • cookies
  • data from the clipboard
  • digital certificates
  • operating system version

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan terminates its execution if it detects that it's running in a specific virtual environment.


The trojan can detect presence of debuggers and other analytical tools.


The trojan quits immediately if it detects a running process containing one of the following strings in its name:

  • wireshark
  • immunity
  • processhacker
  • procexp
  • procmon
  • idaq
  • regshot
  • aut2.exe
  • perl
  • python

The trojan quits immediately if any of the following folders/files is detected:

  • \­\­.\­VmGenerationCounter
  • \­\­.\­HGFS
  • \­\­.\­vmci
  • \­\­.\­VBoxMiniRdrDN
  • \­\­.\­VBoxMiniRdDN
  • \­\­.\­VBoxTrayIPC
  • \­\­.\­VBoxVideo
  • \­\­.\­VBoxMouse
  • \­\­.\­VBoxGuest
  • \­\­.\­prl_time
  • \­\­.\­prl_tg
  • \­\­.\­prl_pv
  • \­\­.\­NPF_NdisWanIp
  • \­\­.\­SIWDEBUG
  • \­\­.\­FILEVXG
  • \­\­.\­SIWVID
  • \­\­.\­REGSYS
  • \­\­.\­REGVXG
  • \­\­.\­NTICE
  • \­\­.\­FILEM
  • \­\­.\­ICEXT
  • \­\­.\­SICE
  • C:\­popupkiller.exe
  • C:\­stimulator.exe
  • C:\­TOOLS\­execute.exe

The trojan quits immediately if any of the following Registry keys/values is detected:

  • [HKEY_LOCAL_MACHINE\­HARDWARE\­DESCRIPTION\­System]
    • "SystemBiosVersion" = "Bochs"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­VMware, Inc.\­VMware Tools]
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Oracle\­VirtualBox Guest Additions]
  • [HKEY_LOCAL_MACHINE\­HARDWARE\­ACPI\­DSDT\­VBOX__]
  • [HKEY_CURRENT_USER\­Software\­WINE]
  • [HKEY_LOCAL_MACHINE\­Software\­WINE]

The trojan executes the following files:

  • %windir%\­system32\­svchost.exe -k netsvcs
  • %deepest%\­..\­..\­%variable_1%.exe

The trojan can create and run a new thread with its own program code within the following processes:

  • svchost.exe
  • panda.exe
  • firefox.exe
  • iexplore.exe
  • chrome.exe
  • MicrosoftEdge.exe
  • MicrosoftEdgeCP.exe

The trojan checks for Internet connectivity by trying to connect to the following addresses:

  • http://google.com

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a URL address. The trojan generates various URL addresses. The HTTP protocol is used in the communication.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • modify the content of websites
  • log keystrokes
  • capture screenshots
  • send gathered information

The trojan hooks the following Windows APIs:

  • TranslateMessage (user32.dll)
  • GetClipboardData (user32.dll)
  • GetFileAttributesExW (kernel32.dll)
  • HttpSendRequestW (wininet.dll)
  • HttpSendRequestA (wininet.dll)
  • HttpSendRequestExW (wininet.dll)
  • HttpSendRequestExA (wininet.dll)
  • InternetReadFile (wininet.dll)
  • InternetReadFileExA (wininet.dll)
  • InternetReadFileExW (wininet.dll)
  • InternetQueryDataAvailable (wininet.dll)
  • InternetCloseHandle (wininet.dll)
  • HttpOpenRequestA (wininet.dll)
  • HttpOpenRequestW (wininet.dll)
  • HttpQueryInfoA (wininet.dll)
  • InternetConnectA (wininet.dll)
  • InternetConnectW (wininet.dll)
  • InternetWriteFile (wininet.dll)
  • PR_Close (nss3.dll)
  • PR_Read (nss3.dll)
  • PR_Write (nss3.dll)
  • PR_Poll (nss3.dll)
  • closesocket (ws2_32.dll)
  • WSASend (ws2_32.dll)
  • WSARecv (ws2_32.dll)
  • recv (ws2_32.dll)
  • ssl_read (chrome.dll)
  • ssl_write (chrome.dll)
  • ssl_close (chrome.dll)

The trojan can modify the following file:

  • %mozillafirefoxprofilefolder%\­prefs.js

The trojan writes the following entries to the file:

  • user_pref("privacy.clearOnShutdown.cookies", false);
  • user_pref("security.warn_viewing_mixed", false);
  • user_pref("security.warn_viewing_mixed.show_once", false);
  • user_pref("security.warn_submit_insecure", false);
  • user_pref("security.warn_submit_insecure.show_once", false);
  • user_pref("security.warn_entering_secure", false);
  • user_pref("security.warn_entering_weak", false);
  • user_pref("security.warn_leaving_secure", false);
  • user_pref("network.http.spdy.enabled", false);
  • user_pref("network.http.spdy.enabled.v2", false);
  • user_pref("network.http.spdy.enabled.v3", false);

Trojan may remove itself from the infected computer.

Please enable Javascript to ensure correct displaying of this content and refresh this page.