Win32/Spy.Zbot [Threat Name]

Win32/Spy.Zbot.AAO [Threat Variant Name]

Category trojan
Size 225280 B
Detection created Feb 21, 2012
Signature database version 7470
Aliases Trojan-Spy.Win32.Zbot.ntpf (Kaspersky)
  PWS-Zbot.gen.vo.trojan (McAfee)
  PWS:Win32/Zbot.gen!AJ (Microsoft)
  Win32:Zbot-NRC (Avast)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\%variable1%\%variable2%.exe

This copy of the trojan is then executed.


In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable2%" = "%appdata%\%variable1%\%variable2%.exe"

The trojan keeps various information in the following Registry key:

  • [HKEY_CURRENT_USER\Software\Microsoft\%variable3%]

A string with variable content is used instead of %variable1-3%.
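The persistence entry above has a recognisable shape: a Run value whose name equals the base name of an executable placed one directory below %appdata%. The following is an added example (not code from the ESET page) that parses a text export of the HKCU Run key and reports values matching that shape; the .reg content, the user name and the %appdata% path are constructed for the demonstration.

```python
"""Added example: flag Run-key entries of the form
"<name>" = "%appdata%\\<dir>\\<name>.exe" in a .reg export (constructed input)."""
import re
from typing import List, Tuple

# Constructed sample export. "OneDrive" and "Updater" are benign-looking
# entries; "Ewjopu" mimics the %variable2% = %appdata%\%variable1%\%variable2%.exe shape.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Ewjopu"="C:\\Users\\alice\\AppData\\Roaming\\Kuvaip\\ewjopu.exe"
"Updater"="C:\\Program Files\\Vendor\\updater.exe"
'''

# Assumed value of %appdata% for the sample user (hypothetical path).
APPDATA = r"C:\Users\alice\AppData\Roaming"

VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_run_values(reg_text: str) -> List[Tuple[str, str]]:
    """Return (value_name, command) pairs found under the ...\\CurrentVersion\\Run key.
    .reg files escape backslashes as \\\\ and quotes as \\", which is undone here."""
    entries = []
    in_run_key = False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_run_key = line.rstrip("]").lower().endswith(r"\currentversion\run")
            continue
        if in_run_key:
            m = VALUE_RE.match(line)
            if m:
                name, raw = m.groups()
                entries.append((name, raw.replace("\\\\", "\\").replace('\\"', '"')))
    return entries


def executable_path(command: str) -> str:
    """Strip arguments; handle both  "C:\\path\\x.exe" /args  and  C:\\path\\x.exe  forms."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ")[0]


def matches_zbot_pattern(name: str, command: str, appdata: str = APPDATA) -> bool:
    """True when the target is %appdata%\\<dir>\\<name>.exe and the value name
    equals <name> (case-insensitive), the shape described for this variant."""
    exe = executable_path(command)
    prefix = appdata.rstrip("\\").lower() + "\\"
    if not exe.lower().startswith(prefix):
        return False
    parts = exe[len(prefix):].split("\\")
    if len(parts) != 2 or not parts[1].lower().endswith(".exe"):
        return False
    return parts[1][:-4].lower() == name.lower()


def suspicious_run_entries(reg_text: str, appdata: str = APPDATA) -> List[str]:
    """Names of Run values that match the pattern; empty list means nothing flagged."""
    return [name for name, cmd in parse_run_values(reg_text)
            if matches_zbot_pattern(name, cmd, appdata)]


if __name__ == "__main__":
    for hit in suspicious_run_entries(SAMPLE_REG):
        print("suspicious Run value:", hit)
```

On a live system the export would come from `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg`, which writes UTF-16 text, so decode the file accordingly before passing it in. The check is a heuristic: a match is worth a closer look at the binary, not proof of infection, and a variant that changes its directory layout would not match.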


The trojan may create and run a new thread with its own program code within any running process.


It avoids processes whose path contains both strings of any of the following pairs:

  • SafenSoft and SysWatch
  • McAfee and Security Center
  • McAfee and SecurityCenter
  • Symantec and Client
  • Symantec and Protection
  • Symantec and Shared
  • Symantec and Security
  • Norton and Protection
  • Kaspersky and Security
  • Kaspersky and Anti-Virus
  • avast! and Antivirus
  • AntiVir and Desktop
  • AVG and Monitor
  • AVG and Service
  • AVG and Security
  • ESET and Security
  • ESET and Antivirus
  • Microsoft and Inspection
  • Microsoft and Malware
  • Microsoft and Security

After the installation is complete, the trojan deletes the original executable file.

Information stealing

Win32/Spy.Zbot.AAO is a trojan that steals sensitive information.


The trojan collects the following information:

  • operating system version
  • user name
  • computer name
  • digital certificates
  • digital certificate passwords
  • URLs visited
  • data from the clipboard
  • login user names for certain applications/services
  • login passwords for certain applications/services
  • POP3 account information
  • IMAP account information
  • Outlook Express account data
  • e-mail addresses
  • FTP account information
  • installed antivirus software
  • installed firewall application
  • cookies
  • screenshots
  • installed software

The trojan is able to log keystrokes.


The trojan collects sensitive information when the user browses certain web sites.


The trojan collects information related to the following applications:

  • Mozilla Firefox
  • Internet Explorer
  • Google Chrome
  • FlashFXP
  • Total Commander
  • WS_FTP
  • FileZilla
  • FAR Manager
  • WinSCP
  • FTP Commander
  • Core FTP
  • SmartFTP
  • Outlook Express
  • Microsoft Outlook

The collected information is stored in the following files:

  • %appdata%\%variable1%\%variable2%.%variable3%
  • %appdata%\%variable4%\%variable5%.%variable6%

A string with variable content is used instead of %variable1-6%.


The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan generates various URL addresses. The HTTP protocol is used.


The network communication with the remote computer/server is encrypted. The RC4 encryption algorithm is used.


The trojan opens a random TCP port.


The trojan opens a random UDP port.


It can execute the following operations:

  • send the list of disk devices and their type to a remote computer
  • log keystrokes
  • capture screenshots
  • update itself to a newer version
  • remove itself from the infected computer
  • change the privileges of a running process
  • run executable files
  • set up a proxy server
  • set up an HTTP server
  • block access to specific websites
  • monitor network traffic
  • modify network traffic
  • send gathered information
  • shut down/restart the computer
  • change the home page of web browser
  • remove digital certificates
  • modify the content of websites
  • open a specific URL address
  • log off the current user
  • capture video of the user's desktop
  • terminate running processes
  • perform DoS/DDoS attacks
  • delete cookies

The trojan hooks the following Windows APIs:

  • PR_OpenTCPSocket (nspr4.dll)
  • PR_Close (nspr4.dll)
  • PR_Read (nspr4.dll)
  • PR_Write (nspr4.dll)
  • NtCreateUserProcess (ntdll.dll)
  • NtCreateThread (ntdll.dll)
  • LdrLoadDll (ntdll.dll)
  • ExitProcess (kernel32.dll)
  • GetFileAttributesExW (kernel32.dll)
  • CreateProcessAsUserA (advapi32.dll)
  • CreateProcessAsUserW (advapi32.dll)
  • PlaySoundA (winmm.dll)
  • PlaySoundW (winmm.dll)
  • HttpOpenRequestW (wininet.dll)
  • HttpOpenRequestA (wininet.dll)
  • HttpSendRequestW (wininet.dll)
  • HttpSendRequestA (wininet.dll)
  • HttpSendRequestExW (wininet.dll)
  • HttpSendRequestExA (wininet.dll)
  • HttpEndRequestA (wininet.dll)
  • HttpEndRequestW (wininet.dll)
  • InternetCloseHandle (wininet.dll)
  • InternetReadFile (wininet.dll)
  • InternetReadFileExA (wininet.dll)
  • InternetSetFilePointer (wininet.dll)
  • InternetQueryDataAvailable (wininet.dll)
  • HttpQueryInfoA (wininet.dll)
  • closesocket (ws2_32.dll)
  • send (ws2_32.dll)
  • WSASend (ws2_32.dll)
  • OpenInputDesktop (user32.dll)
  • SwitchDesktop (user32.dll)
  • DefWindowProcW (user32.dll)
  • DefWindowProcA (user32.dll)
  • DefDlgProcW (user32.dll)
  • DefDlgProcA (user32.dll)
  • DefFrameProcW (user32.dll)
  • DefFrameProcA (user32.dll)
  • DefMDIChildProcW (user32.dll)
  • DefMDIChildProcA (user32.dll)
  • CallWindowProcW (user32.dll)
  • CallWindowProcA (user32.dll)
  • RegisterClassW (user32.dll)
  • RegisterClassA (user32.dll)
  • RegisterClassExW (user32.dll)
  • RegisterClassExA (user32.dll)
  • BeginPaint (user32.dll)
  • EndPaint (user32.dll)
  • GetDCEx (user32.dll)
  • GetDC (user32.dll)
  • GetWindowDC (user32.dll)
  • ReleaseDC (user32.dll)
  • GetUpdateRect (user32.dll)
  • GetUpdateRgn (user32.dll)
  • GetMessagePos (user32.dll)
  • GetCursorPos (user32.dll)
  • SetCursorPos (user32.dll)
  • SetCapture (user32.dll)
  • ReleaseCapture (user32.dll)
  • GetCapture (user32.dll)
  • GetMessageW (user32.dll)
  • GetMessageA (user32.dll)
  • PeekMessageW (user32.dll)
  • PeekMessageA (user32.dll)
  • TranslateMessage (user32.dll)
  • GetClipboardData (user32.dll)
  • PFXImportCertStore (crypt32.dll)
  • gethostbyname (ws2_32.dll)
  • getaddrinfo (ws2_32.dll)

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
    • "Start Page" = "%variable1%"
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
    • "Enabled" = 0
    • "EnabledV8" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy]
    • "CleanCookies" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
    • "1406" = 0
    • "1609" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
    • "1406" = 0
    • "1609" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
    • "1406" = 0
    • "1609" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    • "1406" = 0
    • "1609" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
    • "1406" = 0
    • "1609" = 0

The trojan can modify the following file:

  • %firefoxprofilefolder%\user.js

The trojan writes the following entries to the file:

  • user_pref("browser.startup.homepage", "%variable2%");
  • user_pref("browser.startup.page", 1);
  • user_pref("network.cookie.cookieBehavior", 0);
  • user_pref("privacy.clearOnShutdown.cookies", false);
  • user_pref("security.warn_viewing_mixed", false);
  • user_pref("security.warn_viewing_mixed.show_once", false);
  • user_pref("security.warn_submit_insecure", false);
  • user_pref("security.warn_submit_insecure.show_once", false);

It contains the following text:

  • Coded by BRIAN KREBS for personal use only. I love my job & wife.

A string with variable content is used instead of %variable1-2%.
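The user.js entries listed above silence mixed-content and insecure-submit warnings, allow all cookies and pin a homepage. As an added example (not from the ESET page), the following audits a Firefox profile's user.js for exactly those preference values; the sample user.js is constructed, and the homepage URL in it is a placeholder.

```python
"""Added example: report user.js preferences set to the values this variant writes.
The sample file below is constructed, not a real capture."""
import re
from typing import Dict, List

# Preferences listed on the page, with the value the trojan writes. The homepage
# pref is reported whenever it is present, because its value is attacker-chosen.
TAMPERED_PREFS = {
    "browser.startup.page": 1,
    "network.cookie.cookieBehavior": 0,
    "privacy.clearOnShutdown.cookies": False,
    "security.warn_viewing_mixed": False,
    "security.warn_viewing_mixed.show_once": False,
    "security.warn_submit_insecure": False,
    "security.warn_submit_insecure.show_once": False,
}

SAMPLE_USER_JS = '''// constructed sample user.js
user_pref("browser.startup.homepage", "http://homepage.invalid/");
user_pref("browser.startup.page", 1);
user_pref("network.cookie.cookieBehavior", 0);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("security.warn_submit_insecure", false);
user_pref("browser.tabs.warnOnClose", false);
'''

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_value(token: str):
    """Convert the JS literal in a user_pref() call to bool, str or int."""
    token = token.strip()
    if token in ("true", "false"):
        return token == "true"
    if token.startswith('"') and token.endswith('"'):
        return token[1:-1]
    try:
        return int(token)
    except ValueError:
        return token


def parse_user_js(text: str) -> Dict[str, object]:
    """Map preference name -> value for every user_pref() line; comments are skipped."""
    prefs: Dict[str, object] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs


def audit_user_js(text: str) -> List[str]:
    """Names of preferences that carry the tampered value (type-exact, so a
    boolean false is not confused with the integer 0)."""
    prefs = parse_user_js(text)
    hits = [name for name, bad in TAMPERED_PREFS.items()
            if name in prefs and type(prefs[name]) is type(bad) and prefs[name] == bad]
    if "browser.startup.homepage" in prefs:
        hits.append("browser.startup.homepage")
    return hits


if __name__ == "__main__":
    for name in audit_user_js(SAMPLE_USER_JS):
        print("tampered preference:", name)
```

user.js is a legitimate customisation file, so individual hits can be user-set; several of these preferences appearing together, in a file the user does not remember creating, is the signal worth acting on. Firefox applies user.js on every start, so the file should be cleaned up along with the trojan, not only the trojan.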
