Win32/Spy.Zbot [Threat Name] go to Threat

Win32/Spy.Zbot.VY [Threat Variant Name]

Category	trojan
Size	252416 B
Aliases	Trojan-Banker.Win32.Bancos.igt (Kaspersky)
	PWS:Win32/Zbot.gen!R (Microsoft)
	PWS-Banker!dfc (McAfee)

Short description

The trojan collects sensitive information when the user browses certain web sites. The trojan can send the information to a remote machine. It can be controlled remotely.

Installation

When executed, the trojan copies itself into the following location:

%system%\%variable%32.exe

A string with variable content is used instead of %variable% .

The following Registry entry is set:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
- "Userinit" = "%system%\userinit.exe,%system%\%variable%32.exe"

This causes the trojan to be executed on every system start.

The following Registry entries are created:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network]
- "UID" = "%computername%_%variable%"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{334613DB-50C1-B3BE-95ED-E9915A134FF1}]
- {3039636B-5F3D-6C64-6675-696870667265} = %hex_value1%
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}]
- {3039636B-5F3D-6C64-6675-696870667265} = %hex_value1%
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
- "ProxyEnable" = 0

The following Registry entries are set:

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0]
- "1609" = 0
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1]
- "1406" = 0
- "1609" = 0
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2]
- "1609" = 0
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3]
- "1406" = 0
- "1609" = 0
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4]
- "1406" = 0
- "1609" = 0
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
- "1609" = 0
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
- "1406" = 0
- "1609" = 0
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
- "1609" = 0
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
- "1406" = 0
- "1609" = 0
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
- "1406" = 0
- "1609" = 0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0]
- "1609" = 0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1]
- "1406" = 0
- "1609" = 0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2]
- "1609" = 0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3]
- "1406" = 0
- "1609" = 0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4]
- "1406" = 0
- "1609" = 0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
- "1609" = 0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
- "1406" = 0
- "1609" = 0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
- "1609" = 0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
- "1406" = 0
- "1609" = 0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
- "1406" = 0
- "1609" = 0

The trojan creates and runs a new thread with its own program code within the following processes:

winlogon.exe
svchost.exe
explorer.exe

Information stealing

The trojan collects sensitive information when the user browses certain web sites.

The trojan can send the information to a remote machine.

The FTP protocol is used.

Other information

The trojan hooks the following Windows APIs:

NtCreateThread (ntdll.dll) LdrLoadDll (ntdll.dll) LdrGetProcedureAddress (ntdll.dll) NtQueryDirectoryFile (ntdll.dll) send (wsock32.dll) sendto (wsock32.dll) closesocket (wsock32.dll) send (ws2_32.dll) sendto (ws2_32.dll) WSASend (ws2_32.dll) WSASendTo (ws2_32.dll) closesocket (ws2_32.dll) HttpSendRequestW (wininet.dll) HttpSendRequestA (wininet.dll) HttpSendRequestExW (wininet.dll) HttpSendRequestExA (wininet.dll) InternetReadFile (wininet.dll) InternetReadFileExW (wininet.dll) InternetReadFileExA (wininet.dll) InternetQueryDataAvailable (wininet.dll) InternetCloseHandle (wininet.dll) HttpQueryInfoA (wininet.dll) HttpQueryInfoW (wininet.dll) TranslateMessage (user32.dll) GetClipboardData (user32.dll)

The following services are disabled:

Windows Firewall

The trojan contains an URL address.

It tries to download a file from the address.

The HTTP protocol is used.

The file is stored in the following location:

%temp%\%variable%

A string with variable content is used instead of %variable% .

The trojan acquires data and commands from a remote computer or the Internet.

It can execute the following operations:

monitor network traffic
redirect network traffic
capture screenshots
send files to a remote computer
download files from a remote computer and/or the Internet
retrieve information from protected storage and send it to the remote computer
steal information from the Windows clipboard

The trojan may create and run a new thread with its own program code within any running process.