Win32/Spy.Zbot [Threat Name]

Win32/Spy.Zbot.AAU [Threat Variant Name]

Category: trojan
Size: 282624 B
Detection created: Nov 19, 2012
Signature database version: 10071
Aliases: PWS:Win32/Zbot.gen!AM (Microsoft), PWS-Zbot.gen.apr.trojan (McAfee), Win32:Fraudo (Avast)

Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\%variable1%\%variable2%.exe

This copy of the trojan is then executed.


In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable2%" = "%appdata%\%variable1%\%variable2%.exe"

The trojan keeps various information in the following Registry key:

  • [HKEY_CURRENT_USER\Software\Microsoft\%variable3%]

A string with variable content is used instead of %variable1-3%.
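The persistence layout above (a Run value whose name equals the base name of an .exe sitting exactly one folder below %appdata%) can be turned into a triage check. The following is an added example, not part of the original description; the function name, the expanded %appdata% locations and the sample values are assumptions made for illustration.

```python
import re

# Shape described above: %appdata%\<variable1>\<variable2>.exe, one folder deep.
# The expanded locations of %appdata% are assumptions: \AppData\Roaming on
# Vista and later, \Application Data on XP.
_APPDATA_EXE = re.compile(
    r"^(?:%appdata%|[a-z]:\\users\\[^\\]+\\appdata\\roaming"
    r"|[a-z]:\\documents and settings\\[^\\]+\\application data)"
    r"\\([^\\]+)\\([^\\]+)\.exe$",
    re.IGNORECASE,
)


def suspicious_run_values(run_values):
    """Return Run value names whose data matches the layout described above.

    run_values maps value name -> command line, as read from the
    HKEY_CURRENT_USER Run key (for example out of a registry export).
    """
    hits = []
    for name, data in run_values.items():
        path = data.strip().strip('"')
        m = _APPDATA_EXE.match(path)
        # The value name is the executable's base name ("%variable2%").
        if m and m.group(2).lower() == name.lower():
            hits.append(name)
    return hits


# Constructed sample data, not taken from a real infection.
SAMPLE_RUN = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Ygqua": r"C:\Users\alice\AppData\Roaming\Ufneb\ygqua.exe",
    "Updater": r"C:\Users\alice\AppData\Roaming\Vendor\bin\updater.exe",
    "Notes": r"%appdata%\Notes\launcher.exe",
}

if __name__ == "__main__":
    print(suspicious_run_values(SAMPLE_RUN))
```

Legitimate per-user applications can use the same layout, so a hit is a lead to verify (file signature, creation time, detection by the scanner), not a verdict.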


The trojan may create and run a new thread with its own program code within any running process.


After the installation is complete, the trojan deletes the original executable file.

Information stealing

Win32/Spy.Zbot.AAU is a trojan that steals sensitive information.


The trojan collects the following information:

  • operating system version
  • user name
  • computer name
  • digital certificates
  • digital certificate passwords
  • URLs visited
  • data from the clipboard
  • login user names for certain applications/services
  • login passwords for certain applications/services
  • POP3 account information
  • IMAP account information
  • Outlook Express account data
  • e-mail addresses

The trojan collects sensitive information when the user browses certain web sites.


The trojan searches for files with the following file extensions:

  • *.doc
  • *.docx
  • *.eml
  • *.ini
  • *.js
  • *.json
  • *.pdf
  • *.ppt
  • *.pptx
  • *.rdf
  • *.sol
  • *.sqlite
  • *.sqlite-*
  • *.txt
  • *.xls
  • *.xlsx
  • *.xml

The trojan collects information related to the following applications:

  • TellerPlus
  • BancLine
  • Fidelity
  • BankMan
  • CruiseNet

The collected information is stored in the following files:

  • %localappdata%\%variable1%.%variable2%

A string with variable content is used instead of %variable1-2%.


The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan generates various URL addresses. The HTTP protocol is used.


The network communication with the remote computer/server is encrypted. The RC4 encryption algorithm is used.


The trojan opens a random TCP port.


The trojan opens a random UDP port.


The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    • "%random1%:UDP" = "%random1%:UDP:*:Enabled:UDP %random1%"
    • "%random2%:TCP" = "%random2%:TCP:*:Enabled:TCP %random2%"

It tries to connect to remote machines on the following ports:

  • %variable% (UDP)

A variable numerical value is used instead of %random1-2% and %variable%.
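The firewall exceptions listed above have a recognizable shape: the value name is "port:protocol", the scope is "*", the entry is enabled, and the label is just the protocol and port. The following added example (not part of the original description) flags such entries in data read from the GloballyOpenPorts\List key; the field layout port:protocol:scope:status:label is inferred from the entries shown above, and the function name and sample values are assumptions.

```python
import re

# Field layout inferred from the entries above: port:protocol:scope:status:label
_ENTRY = re.compile(
    r"^(\d{1,5}):(TCP|UDP):([^:]*):(Enabled|Disabled):(.*)$", re.IGNORECASE
)


def flag_open_port_entries(values):
    """Return sorted (port, protocol) pairs for entries shaped like those above.

    values maps registry value name -> value data from GloballyOpenPorts\\List.
    """
    hits = []
    for name, data in values.items():
        m = _ENTRY.match(data.strip())
        if not m:
            continue
        port, proto, scope, status, label = m.groups()
        proto = proto.upper()
        if not 0 < int(port) <= 65535:
            continue
        checks = (
            name.strip().upper() == f"{port}:{proto}",    # name is "port:protocol"
            scope == "*",                                 # open to any remote address
            status.lower() == "enabled",
            label.strip().upper() == f"{proto} {port}",   # label is only "TCP 1234"
        )
        if all(checks):
            hits.append((int(port), proto))
    return sorted(hits)


# Constructed sample data; ports and labels are made up for the example.
SAMPLE_LIST = {
    "3389:TCP": "3389:TCP:*:Enabled:Remote Desktop",
    "1900:UDP": "1900:UDP:LocalSubNet:Enabled:UPnP discovery",
    "23714:UDP": "23714:UDP:*:Enabled:UDP 23714",
    "18233:TCP": "18233:TCP:*:Enabled:TCP 18233",
    "8080:TCP": "8080:TCP:*:Disabled:TCP 8080",
}

if __name__ == "__main__":
    print(flag_open_port_entries(SAMPLE_LIST))
```

Correlating a flagged port with a listening process whose image sits under %appdata% narrows the result further.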


It can execute the following operations:

  • send the list of disk devices and their type to a remote computer
  • log keystrokes
  • capture screenshots
  • update itself to a newer version
  • remove itself from the infected computer
  • change the privileges of a running process
  • run executable files
  • set up a proxy server
  • block access to specific websites
  • monitor network traffic
  • modify network traffic
  • send gathered information
  • shut down/restart the computer
  • change the home page of the web browser
  • remove digital certificates

The trojan may delete the following files:

  • *.sol

The trojan hooks the following Windows APIs:

  • PR_Close (nspr4.dll)
  • PR_OpenTCPSocket (nspr4.dll)
  • PR_Poll (nspr4.dll)
  • PR_Read (nspr4.dll)
  • PR_Write (nspr4.dll)
  • SSL_read (ssleay32.dll)
  • SSL_write (ssleay32.dll)
  • SSL_get_fd (ssleay32.dll)
  • HttpQueryInfoA (wininet.dll)
  • HttpQueryInfoW (wininet.dll)
  • HttpSendRequestA (wininet.dll)
  • HttpSendRequestW (wininet.dll)
  • HttpSendRequestExA (wininet.dll)
  • HttpSendRequestExW (wininet.dll)
  • InternetCloseHandle (wininet.dll)
  • InternetQueryDataAvailable (wininet.dll)
  • InternetReadFile (wininet.dll)
  • InternetReadFileExA (wininet.dll)
  • InternetReadFileExW (wininet.dll)
  • InternetWriteFile (wininet.dll)
  • closesocket (ws2_32.dll)
  • FreeAddrInfoW (ws2_32.dll)
  • freeaddrinfo (ws2_32.dll)
  • GetAddrInfoW (ws2_32.dll)
  • getaddrinfo (ws2_32.dll)
  • gethostbyname (ws2_32.dll)
  • recv (ws2_32.dll)
  • send (ws2_32.dll)
  • WSAGetOverlappedResult (ws2_32.dll)
  • WSARecv (ws2_32.dll)
  • WSASend (ws2_32.dll)
  • GetClipboardData (user32.dll)
  • PostQuitMessage (user32.dll)
  • TranslateMessage (user32.dll)
  • LdrLoadDll (ntdll.dll)
  • NtCreateThread (ntdll.dll)
  • NtTerminateProcess (ntdll.dll)
  • PFXImportCertStore (crypt32.dll)
  • DecryptMessage (secur32.dll)
  • DeleteSecurityContext (secur32.dll)
  • EncryptMessage (secur32.dll)
