Win32/Spy.Zbot [Threat Name]
Win32/Spy.Zbot.UN [Threat Variant Name]
Category | trojan
Size | 72704 B
Aliases | Trojan-Spy.Win32.Zbot.abdy (Kaspersky)
 | Infostealer.Banker.C (Symantec)
 | Generic.PWS.y!bbb (McAfee)
Short description
The trojan collects sensitive information when the user browses certain web sites. The trojan can send the information to a remote machine. It can be controlled remotely.
Installation
When executed, the trojan copies itself into the following location:
- %system%\sdra64.exe
The trojan creates the following folders:
- %system%\lowsec
The trojan creates the following files:
- %system%\lowsec\user.ds.lll
- %system%\lowsec\user.ds
- %system%\lowsec\local.ds
The following Registry entry is set:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
- "Userinit" = "%system%\userinit.exe, %system%\sdra64.exe"
This causes the trojan to be executed on every system start.
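The Userinit value above is the persistence point: winlogon.exe starts every comma-separated program listed there at logon, so an appended sdra64.exe runs on each start. The following is an added triage example, not code from ESET or from the page; it parses a Userinit value and flags any entry other than the system userinit.exe. The sample values and the expansion of %system% to C:\Windows\system32 are constructed for illustration.

```python
"""
Added example (not from the ESET page): parse a Winlogon "Userinit" value
and report any executable appended after the expected userinit.exe, the
persistence technique this Zbot variant uses. Sample values below are
constructed for illustration; %system% stands for the System32 directory.
"""
from __future__ import annotations
import re

# Hypothetical expansion of the page's %system% placeholder for the sample data.
SYSTEM_DIR = r"C:\Windows\system32"
# Only userinit.exe from the system directory is expected in this value.
EXPECTED_USERINIT = (SYSTEM_DIR + r"\userinit.exe").lower()
# File name the page reports for this variant.
KNOWN_BAD_NAMES = {"sdra64.exe"}


def split_userinit(value: str) -> list[str]:
    """Split a Userinit value into its comma-separated program entries.

    Windows runs each comma-separated entry at logon; the default value
    carries a trailing comma, so empty entries are dropped.
    """
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]


def unexpected_userinit_entries(value: str) -> list[str]:
    """Return entries that are not the expected system userinit.exe.

    Any extra program here is started by winlogon.exe at every logon,
    which is exactly how the trojan described on this page persists.
    """
    return [e for e in split_userinit(value) if e.lower() != EXPECTED_USERINIT]


def classify_userinit(value: str) -> dict:
    """Summarise a Userinit value for triage: extra entries, whether any
    of them carries the file name this page reports, and an overall flag."""
    extra = unexpected_userinit_entries(value)
    names = {re.split(r"[\\/]", e)[-1].lower() for e in extra}
    return {
        "extra_entries": extra,
        "matches_known_variant": bool(names & KNOWN_BAD_NAMES),
        "suspicious": bool(extra),
    }


if __name__ == "__main__":
    # Constructed sample values: a clean default and an infected one
    # matching the registry entry shown on the page.
    clean = SYSTEM_DIR + r"\userinit.exe,"
    infected = SYSTEM_DIR + r"\userinit.exe, " + SYSTEM_DIR + r"\sdra64.exe"
    for v in (clean, infected):
        print(v, "->", classify_userinit(v))
```

On a live host the value would be read from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and passed to classify_userinit; any extra entry warrants a look at the file it points to, together with the %system%\lowsec folder the page lists.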
The following Registry entries are created:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network]
- "UID" = "%computername%_%variable%"
- [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{334613DB-50C1-B3BE-95ED-E9915A134FF1}]
- "{3039636B-5F3D-6C64-6675-696870667265}" = %hex_value1%
- "{33373039-3132-3864-6B30-303233343434}" = %hex_value2%
- [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}]
- "{3039636B-5F3D-6C64-6675-696870667265}" = %hex_value1%
- "{33373039-3132-3864-6B30-303233343434}" = %hex_value2%
- [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
- "ProxyEnable" = 0
The trojan creates and runs a new thread with its own program code within the following processes:
- winlogon.exe
- svchost.exe
- explorer.exe
Information stealing
The trojan collects sensitive information when the user browses certain web sites.
The trojan can send the information to a remote machine.
The FTP protocol is used.
Other information
The trojan hooks the following Windows APIs:
The following services are disabled:
- Windows Firewall
The trojan contains a URL address.
It tries to download a file from the address.
The HTTP protocol is used.
The file is stored in the following location:
- %system%\lowsec\user.ds
The trojan acquires data and commands from a remote computer or the Internet.
It can execute the following operations:
- monitor network traffic
- redirect network traffic
- capture screenshots
- send files to a remote computer
- download files from a remote computer and/or the Internet
- retrieve information from protected storage and send it to the remote computer
- steal information from the Windows clipboard
The trojan may create and run a new thread with its own program code within any running process.