Win32/Spy.Zbot [Threat Name]
Win32/Spy.Zbot.YU [Threat Variant Name]
Category: trojan
Size: 105984 B
Aliases: Trojan-Spy.Win32.Zbot.ajws (Kaspersky), Suspicious.SillyFDC (Symantec), PWS:Win32/Zbot.gen!R (Microsoft)
Short description
Win32/Spy.Zbot.YU is a trojan that steals passwords and other sensitive information. The trojan serves as a backdoor. It can be controlled remotely.
Installation
When executed, the trojan copies itself into the following location:
- %system%\d3dg86.exe
The following Registry entries are set:
- [HKEY_LOCAL_MACHINE\Microsoft\Windows NT\CurrentVersion\Winlogon]
- "UserInit" = "%originalvalue%, %system%\d3dg86.exe,"
This causes the trojan to be executed on every system start.
The trojan may create the following files:
- %system%\folder\l0cal.ds
- %system%\folder\us3r.ds
- %system%\folder\us3r.ds.lll
The trojan may set the following Registry entries:
- [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
- "Enabled" = 0
- "EnabledV8" = 0
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\PhishingFilter]
- "Enabled" = 0
- "EnabledV8" = 0
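The persistence and anti-phishing tampering described above are cheap to check for on a live host. The PowerShell script below is an added defender-side check written for this entry; it is not ESET's code. It assumes the Winlogon key is at the standard HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon path, that a clean UserInit value contains only userinit.exe, and that %system% maps to $env:SystemRoot\System32 (on 64-bit Windows a 32-bit dropper may land in SysWOW64 instead). The file name d3dg86.exe and the PhishingFilter values are taken from the page.

```powershell
# Added defender check for the indicators on this page; not ESET's code.
# Assumptions (not stated on the page): standard Winlogon key path, a clean
# UserInit holds only userinit.exe, and %system% is $env:SystemRoot\System32.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$PhishingFilterKeys = @(
    'HKCU:\Software\Microsoft\Internet Explorer\PhishingFilter',
    'HKLM:\Software\Microsoft\Internet Explorer\PhishingFilter'
)
$DropperPath = Join-Path $env:SystemRoot 'System32\d3dg86.exe'   # file name from the page

function Get-UserInitFindings {
    # UserInit is a comma-separated list. The trojan appends its own copy after
    # the original value, so any entry other than userinit.exe deserves a look.
    $raw = (Get-ItemProperty -Path $WinlogonKey -Name UserInit -ErrorAction SilentlyContinue).UserInit
    if (-not $raw) { return @() }
    $raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ } | ForEach-Object {
        [pscustomobject]@{
            Check      = 'Winlogon UserInit entry'
            Value      = $_
            Suspicious = ((Split-Path -Path $_ -Leaf) -ine 'userinit.exe')
        }
    }
}

function Get-PhishingFilterFindings {
    # "Enabled" and "EnabledV8" forced to 0 in either hive match the page's description.
    foreach ($key in $PhishingFilterKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($name in 'Enabled', 'EnabledV8') {
            $v = $props.$name
            if ($null -eq $v) { continue }
            [pscustomobject]@{
                Check      = "$key\$name"
                Value      = $v
                Suspicious = ($v -eq 0)
            }
        }
    }
}

function Get-DropperFindings {
    # Presence of the dropped copy itself.
    [pscustomobject]@{
        Check      = 'Dropped copy present'
        Value      = $DropperPath
        Suspicious = (Test-Path -LiteralPath $DropperPath -PathType Leaf)
    }
}

$findings = @(Get-UserInitFindings) + @(Get-PhishingFilterFindings) + @(Get-DropperFindings)
$findings | Format-Table -AutoSize
if ($findings | Where-Object Suspicious) {
    Write-Warning 'Indicators matching Win32/Spy.Zbot.YU found; review the rows marked Suspicious.'
}
```

Run it from an elevated prompt so the HKLM reads succeed. A non-empty Suspicious row on the UserInit check is the strongest signal, since legitimate software very rarely appends to that value; the PhishingFilter rows alone can also reflect a deliberate policy setting, so confirm them against the host's expected configuration.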
Information stealing
Win32/Spy.Zbot.YU is a trojan that steals passwords and other sensitive information.
The following information is collected:
- cookies
- passwords
- computer name
- operating system version
- Windows Protected Storage passwords and credentials
The trojan collects sensitive information when the user browses certain websites.
The trojan can send the information to a remote machine.
Other information
The trojan hooks the following Windows APIs:
- NtCreateThread (ntdll.dll)
- NtCreateUserProcess (ntdll.dll)
- NtQueryDirectoryFile (ntdll.dll)
- HttpSendRequestA (wininet.dll)
- HttpSendRequestW (wininet.dll)
- HttpSendRequestExA (wininet.dll)
- HttpSendRequestExW (wininet.dll)
- HttpQueryInfoA (wininet.dll)
- InternetCloseHandle (wininet.dll)
- InternetReadFile (wininet.dll)
- InternetReadFileExA (wininet.dll)
- InternetQueryDataAvailable (wininet.dll)
- closesocket (ws2_32.dll)
- send (ws2_32.dll)
- WSASend (ws2_32.dll)
- GetClipboardData (user32.dll)
- TranslateMessage (user32.dll)
- PFXImportCertStore (crypt32.dll)
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a URL address. The HTTP protocol is used.
It may perform the following actions:
- update itself to a newer version
- block access to specific websites
- monitor network traffic
- steal information from the Windows clipboard
- remove itself from the infected computer
- run executable files
- download files from a remote computer and/or the Internet
- shut down/restart the computer
- capture screenshots
- set up a proxy server
- log keystrokes
- collect information about the operating system used
- retrieve information from protected storage and send it to the remote computer
- send gathered information