Win32/Spy.Zbot [Threat Name] go to Threat
Win32/Spy.Zbot.YW [Threat Variant Name]
| Category | trojan |
| Size | 99840 B |
| Aliases | Trojan-Spy.Win32.Zbot.ajws (Kaspersky) |
| Infostealer.Banker.C (Symantec) | |
| PWS:Win32/Zbot.gen!Y (McAfee) |
Short description
Win32/Spy.Zbot.YW is a trojan that steals passwords and other sensitive information. The trojan serves as a backdoor. It can be controlled remotely.
Installation
When executed, the trojan copies itself into the following location:
- %appdata%\%random1%\%random2%.exe
This copy of the trojan is then executed.
After the installation is complete, the trojan deletes the original executable file.
In order to be executed on system start, the trojan sets the following Registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "%randomclsid%" = "%appdata%\%random1%\%random2%.exe"
The trojan may create the following files:
- %appdata%\%random3%\%random4%.%random5%
- %appdata%\%random3%\%random4%.tmp
- %appdata%\%random3%\%random4%.dat
- %mozillafirefoxprofilesfolder%\user.js (328 B)
The following Registry entries are set:
- [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
- "Enabled" = 0
- "EnabledV8" = 0
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
- "1406" = 0
- "1609" = 0
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
- "1406" = 0
- "1609" = 0
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
- "1406" = 0
- "1609" = 0
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
- "1406" = 0
- "1609" = 0
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
- "1406" = 0
- "1609" = 0
The trojan keeps various information in the following Registry key:
- [HKEY_CURRENT_USER\Software\Microsoft\%random6%]
A string with variable content is used instead of %random1-6% .
The trojan may create and run a new thread with its own program code within any running process.
Information stealing
The trojan collects the following information:
- FTP account information
- e-mail addresses
The trojan collects information related to the following applications:
- FlashFXP
- Total Commander
- IPSwitch
- FileZilla
- Far/Far2
- Winscp 2
- FTP Commander
- CoreFTP
- SmartFTP
- Windows Mail
- Windows Live
- Outlook Express
The trojan collects the following information:
- cookies
- login passwords for certain applications/services
- digital certificates
- user name
- information about the operating system and system settings
The trojan collects sensitive information when the user browses certain web sites.
The collected information is stored in the following file:
- %appdata%\%random3%\%random4%.%random5%
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains an URL address. The HTTP protocol is used.
It may perform the following actions:
- download files from a remote computer and/or the Internet
- run executable files
- capture screenshots
- set up a proxy server
- log keystrokes
- send gathered information
The trojan changes the home page of the following web browsers:
- Internet Explorer
The trojan hooks the following Windows APIs:
- NtCreateUserProcess (ntdll.dll)
- NtCreateThread (ntdll.dll)
- LdrLoadDll (ntdll.dll)
- GetFileAttributesExW (kernel32.dll)
- HttpSendRequestW (wininet.dll)
- HttpSendRequestA (wininet.dll)
- HttpSendRequestExW (wininet.dll)
- HttpSendRequestExA (wininet.dll)
- CloseHandle (kernel32.dll)
- InternetReadFile (wininet.dll)
- InternetReadFileExA (wininet.dll)
- InternetQueryDataAvailable (wininet.dll)
- HttpQueryInfoA (wininet.dll)
- closesocket (ws2_32.dll)
- send (ws2_32.dll)
- WSASend (ws2_32.dll)
- OpenInputDesktop (user32.dll)
- SwitchDesktop (user32.dll)
- DefWindowProcW (user32.dll)
- DefWindowProcA (user32.dll)
- DefDlgProcW (user32.dll)
- DefDlgProcA (user32.dll)
- DefFrameProcW (user32.dll)
- DefFrameProcA (user32.dll)
- DefMDIChildProcW (user32.dll)
- DefMDIChildProcA (user32.dll)
- CallWindowProcW (user32.dll)
- CallWindowProcA (user32.dll)
- RegisterClassW (user32.dll)
- RegisterClassA (user32.dll)
- RegisterClassExW (user32.dll)
- RegisterClassExA (user32.dll)
- BeginPaint (user32.dll)
- EndPaint (user32.dll)
- GetDCEx (user32.dll)
- GetDC (user32.dll)
- GetWindowDC (user32.dll)
- ReleaseDC (user32.dll)
- GetUpdateRect (user32.dll)
- GetUpdateRgn (user32.dll)
- GetMessagePos (user32.dll)
- GetCursorPos (user32.dll)
- SetCursorPos (user32.dll)
- SetCapture (user32.dll)
- ReleaseCapture (user32.dll)
- GetCapture (user32.dll)
- GetMessageW (user32.dll)
- GetMessageA (user32.dll)
- PeekMessageW (user32.dll)
- PeekMessageA (user32.dll)
- TranslateMessage (user32.dll)
- GetClipboardData (user32.dll)
- PFXImportCertStore (crypt32.dll)
- PR_OpenTCPSocket (nspr4.dll)
- PR_Close (nspr4.dll)
- PR_Read (nspr4.dll)
- PR_Write (nspr4.dll)