Win32/Spy.Zbot [Threat Name]
Win32/Spy.Zbot.VY [Threat Variant Name]
Category: trojan
Size: 252416 B
Aliases:
- Trojan-Banker.Win32.Bancos.igt (Kaspersky)
- PWS:Win32/Zbot.gen!R (Microsoft)
- PWS-Banker!dfc (McAfee)
Short description
The trojan collects sensitive information when the user browses certain web sites. The trojan can send the information to a remote machine. It can be controlled remotely.
Installation
When executed, the trojan copies itself into the following location:
- %system%\%variable%32.exe
A string with variable content is used instead of %variable%.
The following Registry entry is set:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
- "Userinit" = "%system%\userinit.exe,%system%\%variable%32.exe"
This causes the trojan to be executed on every system start.
The following Registry entries are created:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network]
- "UID" = "%computername%_%variable%"
- [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{334613DB-50C1-B3BE-95ED-E9915A134FF1}]
- {3039636B-5F3D-6C64-6675-696870667265} = %hex_value1%
- [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}]
- {3039636B-5F3D-6C64-6675-696870667265} = %hex_value1%
- [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
- "ProxyEnable" = 0
The following Registry entries are set:
- [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0]
- "1609" = 0
- [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1]
- "1406" = 0
- "1609" = 0
- [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2]
- "1609" = 0
- [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3]
- "1406" = 0
- "1609" = 0
- [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4]
- "1406" = 0
- "1609" = 0
- [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
- "1609" = 0
- [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
- "1406" = 0
- "1609" = 0
- [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
- "1609" = 0
- [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
- "1406" = 0
- "1609" = 0
- [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
- "1406" = 0
- "1609" = 0
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0]
- "1609" = 0
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1]
- "1406" = 0
- "1609" = 0
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2]
- "1609" = 0
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3]
- "1406" = 0
- "1609" = 0
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4]
- "1406" = 0
- "1609" = 0
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
- "1609" = 0
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
- "1406" = 0
- "1609" = 0
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
- "1609" = 0
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
- "1406" = 0
- "1609" = 0
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
- "1406" = 0
- "1609" = 0
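The Userinit hijack, the UID value and the Internet Explorer zone changes listed above can all be checked offline against a registry export. The following script is an added example and not part of the original threat description: it parses the text format that `reg export` writes (once decoded from UTF-16), flags any Userinit entry other than userinit.exe, reports value 1406 ("Access data sources across domains") or 1609 ("Display mixed content") set to 0 (Enable) in any Zones\N or Lockdown_Zones\N key, and notes whether the UID value exists. Both sample exports are constructed; the file name xyz32.exe stands in for %variable%32.exe and WORKSTATION1_xyz for %computername%_%variable%.

```python
import re

# Constructed .reg-format samples (the text form `reg export` writes once decoded
# from UTF-16). "xyz32.exe" stands in for the %variable%32.exe name in the report.
INFECTED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\xyz32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network]
"UID"="WORKSTATION1_xyz"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1406"=dword:00000000
"1609"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3]
"1406"=dword:00000000
'''

CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1406"=dword:00000003
"1609"=dword:00000001
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')
WINLOGON = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
NETWORK = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network'
# Zone settings the report lists: 1406 = "Access data sources across domains",
# 1609 = "Display mixed content". For both, 0 means Enable (the permissive choice).
ZONE_VALUES = ('1406', '1609')
ZONE_KEY_RE = re.compile(r'\\Internet Settings\\(Lockdown_Zones|Zones)\\[0-4]$', re.IGNORECASE)


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: value}}; REG_SZ strings are
    unescaped, dword values become ints. Other value types are ignored."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            entries.setdefault(current, {})
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            name, text_val, dword = val.groups()
            if dword is not None:
                entries[current][name] = int(dword, 16)
            else:
                entries[current][name] = text_val.replace('\\\\', '\\').replace('\\"', '"')
    return entries


def lookup(entries, path):
    """Registry paths are case-insensitive, so compare them that way."""
    for key, values in entries.items():
        if key.lower() == path.lower():
            return values
    return {}


def check_userinit(entries):
    """Return every comma-separated Userinit entry that is not userinit.exe.
    A clean value is 'C:\\Windows\\system32\\userinit.exe,' (note the trailing comma)."""
    extras = []
    for part in lookup(entries, WINLOGON).get('Userinit', '').split(','):
        part = part.strip()
        if part and part.lower().rsplit('\\', 1)[-1] != 'userinit.exe':
            extras.append(part)
    return extras


def check_zone_settings(entries):
    """Return (key, value_name) pairs where 1406 or 1609 is set to 0 in any
    Zones\\N or Lockdown_Zones\\N key, for N in 0..4."""
    hits = []
    for key, values in entries.items():
        if ZONE_KEY_RE.search(key):
            hits.extend((key, name) for name in ZONE_VALUES if values.get(name) == 0)
    return hits


def scan(text):
    """Run all three checks over one .reg export and report the findings."""
    entries = parse_reg(text)
    return {
        'userinit_extras': check_userinit(entries),
        'zone_hits': check_zone_settings(entries),
        'network_uid_present': 'UID' in lookup(entries, NETWORK),
    }


if __name__ == '__main__':
    for label, sample in (('infected', INFECTED_REG), ('clean', CLEAN_REG)):
        print(label, scan(sample))
```

To run it against a real host, export the four hives in question with `reg export` (for example `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg`), read the file with `encoding='utf-16'`, and pass the text to `scan`. The Userinit check keys on the file name only, so a copy placed under a different directory is still reported; a zone value that is absent from the export is not a finding, since the check only reports values that are explicitly 0.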
The trojan creates and runs a new thread with its own program code within the following processes:
- winlogon.exe
- svchost.exe
- explorer.exe
Information stealing
The trojan collects sensitive information when the user browses certain web sites.
The trojan can send the information to a remote machine.
The FTP protocol is used.
Other information
The trojan hooks the following Windows APIs:
The following services are disabled:
- Windows Firewall
The trojan contains a URL address.
It tries to download a file from the address.
The HTTP protocol is used.
The file is stored in the following location:
- %temp%\%variable%
A string with variable content is used instead of %variable%.
The trojan acquires data and commands from a remote computer or the Internet.
It can execute the following operations:
- monitor network traffic
- redirect network traffic
- capture screenshots
- send files to a remote computer
- download files from a remote computer and/or the Internet
- retrieve information from protected storage and send it to the remote computer
- steal information from the Windows clipboard
The trojan may create and run a new thread with its own program code within any running process.
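Because the trojan runs its code inside winlogon.exe, svchost.exe and explorer.exe and exfiltrates over FTP, the connection shows up in network telemetry under one of those process names rather than under the dropped %variable%32.exe. The following triage rule is an added example and not part of the original threat description: it runs over constructed, Sysmon-style outbound connection records (the field names are simplified, and the addresses come from the 203.0.113.0/24 documentation range) and flags any of the three injection-host processes talking to TCP port 21, plus any outbound connection initiated by winlogon.exe at all, on the assumed baseline that winlogon.exe does not normally originate network traffic.

```python
# Constructed Sysmon-style network connection events (EventID 3, simplified).
# Addresses are from the documentation range; process paths are standard Windows ones.
WINLOGON = r'C:\Windows\System32\winlogon.exe'
SVCHOST = r'C:\Windows\System32\svchost.exe'
EXPLORER = r'C:\Windows\explorer.exe'
EVENTS = [
    {'image': WINLOGON, 'dst': '203.0.113.10', 'dst_port': 21, 'initiated': True},
    {'image': SVCHOST, 'dst': '203.0.113.20', 'dst_port': 443, 'initiated': True},
    {'image': EXPLORER, 'dst': '203.0.113.30', 'dst_port': 21, 'initiated': True},
    # A legitimate FTP client on port 21: not an injection host, so not flagged.
    {'image': r'C:\Tools\ftpclient.exe', 'dst': '203.0.113.40', 'dst_port': 21, 'initiated': True},
    # An inbound connection to svchost.exe: not outbound, so skipped.
    {'image': SVCHOST, 'dst': '203.0.113.50', 'dst_port': 21, 'initiated': False},
    {'image': WINLOGON, 'dst': '203.0.113.60', 'dst_port': 443, 'initiated': True},
]

# Processes the report says the trojan runs its own thread inside.
INJECTION_HOSTS = {'winlogon.exe', 'svchost.exe', 'explorer.exe'}
FTP_PORT = 21


def triage(events):
    """Return (event, reason) for each outbound connection worth a look:
    an injection-host process talking FTP (the report's exfiltration channel),
    or winlogon.exe initiating any outbound connection (assumed baseline:
    winlogon.exe does not normally originate network traffic)."""
    findings = []
    for ev in events:
        if not ev['initiated']:
            continue  # inbound; the report describes outbound exfiltration
        name = ev['image'].rsplit('\\', 1)[-1].lower()
        if name in INJECTION_HOSTS and ev['dst_port'] == FTP_PORT:
            findings.append((ev, 'ftp-from-injection-host'))
        elif name == 'winlogon.exe':
            findings.append((ev, 'winlogon-outbound'))
    return findings


if __name__ == '__main__':
    for ev, reason in triage(EVENTS):
        print(reason, ev['image'], ev['dst'], ev['dst_port'])
```

The rule deliberately does not flag svchost.exe or explorer.exe on other ports, since both make outbound connections in normal operation; a hit on port 21 from either is the signal worth correlating with the registry findings above.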