Win32/TrojanDownloader.Spyrov [Threat Name] go to Threat

Win32/TrojanDownloader.Spyrov.A [Threat Variant Name]

Category trojan
Size 306176 B
Detection created Mar 18, 2015
Detection database version 11341
Aliases Trojan-Spy.Win32.Zbot.iwm (Kaspersky)
  PWS:Win32/Zbot.gen!AP (Microsoft)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\­%variable1%\­%variable2%.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%variable3%" = "%appdata%\­%variable1%\­%variable2%.exe"

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Internet Explorer\­Main\­FeatureControl\­FEATURE_BROWSER_EMULATION]
    • "%variable2%.exe" = 11001

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Control\­Session Manager\­SubSystems]
    • "Windows" = "%systemroot%\­system32\­csrss.exe ObjectDirectory=\­Windows SharedSection=1024,16837860,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16"

The trojan creates and runs a new thread with its own program code within the following processes:

  • explorer.exe
  • %variable2%.exe

After the installation is complete, the trojan deletes the original executable file.


A string with variable content is used instead of %variable1-3% .

Information stealing

The trojan collects the following information:

  • computer name
  • operating system version
  • information about the operating system and system settings
  • installed program components under  [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Uninstall] Registry subkeys
  • installed antivirus software
  • installed firewall application

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (6) URLs. The HTTP protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • stop itself for a certain time period
  • open a specific URL address
  • send gathered information

The trojan checks for Internet connectivity by trying to connect to the following servers:

  • http://www.yahoo.com/
  • http://www.google.com/
  • http://www.apple.com/

It can show advertisements.


The trojan sends HTTP requests to simulate clicks on banner advertisements, to inflate web counter statistics etc.


The following programs are terminated:

  • ctfmon.exe

The trojan hooks the following Windows APIs:

  • GetCursorInfo (user32.dll)
  • GetCursorPos (user32.dll)
  • GetMessageA (user32.dll)
  • GetMessagePos (user32.dll)
  • GetMessageW (user32.dll)
  • InternetOpenA (wininet.dll)
  • InternetOpenW (wininet.dll)
  • MessageBoxA (user32.dll)
  • MessageBoxExA (user32.dll)
  • MessageBoxExW (user32.dll)
  • MessageBoxIndirectA (user32.dll)
  • MessageBoxIndirectW (user32.dll)
  • MessageBoxW (user32.dll)
  • NtCreateProcess (ntdll.dll)
  • NtCreateProcessEx (ntdll.dll)
  • NtWriteFile (ntdll.dll)
  • PeekMessageA (user32.dll)
  • PeekMessageW (user32.dll)
  • PlaySoundA (winmm.dll)
  • PlaySoundW (winmm.dll)
  • RegEnumValueA (advapi32.dll)
  • RegEnumValueW (advapi32.dll)
  • RegQueryValueExA (advapi32.dll)
  • RegQueryValueExW (advapi32.dll)
  • RtlCreateUserProcess (ntdll.dll)
  • SetCursorPos (user32.dll)
  • waveOutWrite (winmm.dll)

The trojan keeps various information in the following Registry keys:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­%variable1%\­License]
  • [HKEY_CURRENT_USER\­SOFTWARE\­%variable1%\­License]
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Ext\­{%variable2%}\­dynamicdata]
  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Ext\­{%variable2%}\­dynamicdata]

A string with variable content is used instead of %variable1-2% .

Please enable Javascript to ensure correct displaying of this content and refresh this page.