Win32/Spy.Zbot [Threat Name]
Win32/Spy.Zbot.AAO [Threat Variant Name]
Category | trojan
Size | 225280 B
Aliases | Trojan-Spy.Win32.Zbot.ntpf (Kaspersky)
        | PWS-Zbot.gen.vo.trojan (McAfee)
        | PWS:Win32/Zbot.gen!AJ (Microsoft)
        | Win32:Zbot-NRC (Avast)
Short description
The trojan serves as a backdoor. It can be controlled remotely.
Installation
When executed, the trojan copies itself into the following location:
- %appdata%\%variable1%\%variable2%.exe
This copy of the trojan is then executed.
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "%variable2%" = "%appdata%\%variable1%\%variable2%.exe"
The trojan keeps various information in the following Registry key:
- [HKEY_CURRENT_USER\Software\Microsoft\%variable3%]
A string with variable content is used instead of %variable1-3%.
The trojan may create and run a new thread with its own program code within any running process.
It avoids processes whose path contains both strings of any of the following pairs:
- SafenSoft and SysWatch
- McAfee and Security Center
- McAfee and SecurityCenter
- Symantec and Client
- Symantec and Protection
- Symantec and Shared
- Symantec and Security
- Norton and Protection
- Kaspersky and Security
- Kaspersky and Anti-Virus
- avast! and Antivirus
- AntiVir and Desktop
- AVG and Monitor
- AVG and Service
- AVG and Security
- ESET and Security
- ESET and Antivirus
- Microsoft and Inspection
- Microsoft and Malware
- Microsoft and Security
After the installation is complete, the trojan deletes the original executable file.
Information stealing
Win32/Spy.Zbot.AAO is a trojan that steals sensitive information.
The trojan collects the following information:
- operating system version
- user name
- computer name
- digital certificates
- digital certificate passwords
- URLs visited
- data from the clipboard
- login user names for certain applications/services
- login passwords for certain applications/services
- POP3 account information
- IMAP account information
- Outlook Express account data
- e-mail addresses
- FTP account information
- installed antivirus software
- installed firewall application
- cookies
- screenshots
- installed software
The trojan is able to log keystrokes.
The trojan collects sensitive information when the user browses certain web sites.
The trojan collects information related to the following applications:
- Mozilla Firefox
- Internet Explorer
- Google Chrome
- FlashFXP
- Total Commander
- WS_FTP
- FileZilla
- FAR Manager
- WinSCP
- FTP Commander
- Core FTP
- SmartFTP
- Outlook Express
- Microsoft Outlook
The collected information is stored in the following files:
- %appdata%\%variable1%\%variable2%.%variable3%
- %appdata%\%variable4%\%variable5%.%variable6%
A string with variable content is used instead of %variable1-6%.
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan generates various URL addresses. The HTTP protocol is used.
The network communication with the remote computer/server is encrypted. The RC4 encryption algorithm is used.
The trojan opens a random TCP port.
The trojan opens a random UDP port.
It can execute the following operations:
- send the list of disk devices and their type to a remote computer
- log keystrokes
- capture screenshots
- update itself to a newer version
- remove itself from the infected computer
- change the privileges of a running process
- run executable files
- set up a proxy server
- set up an HTTP server
- block access to specific websites
- monitor network traffic
- modify network traffic
- send gathered information
- shut down/restart the computer
- change the home page of the web browser
- remove digital certificates
- modify the content of websites
- open a specific URL address
- log off the current user
- capture video of the user's desktop
- terminate running processes
- perform DoS/DDoS attacks
- delete cookies
The trojan hooks the following Windows APIs:
- PR_OpenTCPSocket (nspr4.dll)
- PR_Close (nspr4.dll)
- PR_Read (nspr4.dll)
- PR_Write (nspr4.dll)
- NtCreateUserProcess (ntdll.dll)
- NtCreateThread (ntdll.dll)
- LdrLoadDll (ntdll.dll)
- ExitProcess (kernel32.dll)
- GetFileAttributesExW (kernel32.dll)
- CreateProcessAsUserA (advapi32.dll)
- CreateProcessAsUserW (advapi32.dll)
- PlaySoundA (winmm.dll)
- PlaySoundW (winmm.dll)
- HttpOpenRequestW (wininet.dll)
- HttpOpenRequestA (wininet.dll)
- HttpSendRequestW (wininet.dll)
- HttpSendRequestA (wininet.dll)
- HttpSendRequestExW (wininet.dll)
- HttpSendRequestExA (wininet.dll)
- HttpEndRequestA (wininet.dll)
- HttpEndRequestW (wininet.dll)
- InternetCloseHandle (wininet.dll)
- InternetReadFile (wininet.dll)
- InternetReadFileExA (wininet.dll)
- InternetSetFilePointer (wininet.dll)
- InternetQueryDataAvailable (wininet.dll)
- HttpQueryInfoA (wininet.dll)
- closesocket (ws2_32.dll)
- send (ws2_32.dll)
- WSASend (ws2_32.dll)
- OpenInputDesktop (user32.dll)
- SwitchDesktop (user32.dll)
- DefWindowProcW (user32.dll)
- DefWindowProcA (user32.dll)
- DefDlgProcW (user32.dll)
- DefDlgProcA (user32.dll)
- DefFrameProcW (user32.dll)
- DefFrameProcA (user32.dll)
- DefMDIChildProcW (user32.dll)
- DefMDIChildProcA (user32.dll)
- CallWindowProcW (user32.dll)
- CallWindowProcA (user32.dll)
- RegisterClassW (user32.dll)
- RegisterClassA (user32.dll)
- RegisterClassExW (user32.dll)
- RegisterClassExA (user32.dll)
- BeginPaint (user32.dll)
- EndPaint (user32.dll)
- GetDCEx (user32.dll)
- GetDC (user32.dll)
- GetWindowDC (user32.dll)
- ReleaseDC (user32.dll)
- GetUpdateRect (user32.dll)
- GetUpdateRgn (user32.dll)
- GetMessagePos (user32.dll)
- GetCursorPos (user32.dll)
- SetCursorPos (user32.dll)
- SetCapture (user32.dll)
- ReleaseCapture (user32.dll)
- GetCapture (user32.dll)
- GetMessageW (user32.dll)
- GetMessageA (user32.dll)
- PeekMessageW (user32.dll)
- PeekMessageA (user32.dll)
- TranslateMessage (user32.dll)
- GetClipboardData (user32.dll)
- PFXImportCertStore (crypt32.dll)
- gethostbyname (ws2_32.dll)
- getaddrinfo (ws2_32.dll)
The trojan may set the following Registry entries:
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
- "Start Page" = "%variable1%"
- [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
- "Enabled" = 0
- "EnabledV8" = 0
- [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy]
- "CleanCookies" = 0
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
- "1406" = 0
- "1609" = 0
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
- "1406" = 0
- "1609" = 0
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
- "1406" = 0
- "1609" = 0
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
- "1406" = 0
- "1609" = 0
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
- "1406" = 0
- "1609" = 0
The trojan can modify the following file:
- %firefoxprofilefolder%\user.js
The trojan writes the following entries to the file:
- user_pref("browser.startup.homepage", "%variable2%");
- user_pref("browser.startup.page", 1);
- user_pref("network.cookie.cookieBehavior", 0);
- user_pref("privacy.clearOnShutdown.cookies", false);
- user_pref("security.warn_viewing_mixed", false);
- user_pref("security.warn_viewing_mixed.show_once", false);
- user_pref("security.warn_submit_insecure", false);
- user_pref("security.warn_submit_insecure.show_once", false);
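As an added example (not code from the ESET page), the following Python script parses a Firefox user.js and flags the cluster of preference writes listed above; the sample file content and the match threshold are constructed assumptions for illustration.

```python
import re
# Firefox prefs the page reports this variant writing to user.js, with the value
# it sets; the homepage value varies per sample, so it is matched by name only.
ZBOT_USER_JS_PREFS = {
    "browser.startup.homepage": None,
    "browser.startup.page": "1",
    "network.cookie.cookieBehavior": "0",
    "privacy.clearOnShutdown.cookies": "false",
    "security.warn_viewing_mixed": "false",
    "security.warn_viewing_mixed.show_once": "false",
    "security.warn_submit_insecure": "false",
    "security.warn_submit_insecure.show_once": "false",
}
_PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def parse_user_js(text):
    """Map pref name -> value text per user_pref() line (strings unquoted)."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue  # blank, comment or malformed line
        name, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        prefs[name] = value
    return prefs

def find_zbot_prefs(prefs):
    """(name, value) pairs matching what the variant writes."""
    return [(n, prefs[n]) for n, exp in ZBOT_USER_JS_PREFS.items()
            if n in prefs and (exp is None or prefs[n] == exp)]

def is_suspicious(prefs, threshold=4):
    # Alone some prefs are harmless (browser.startup.page=1 is the default);
    # the cluster is the signal, so require several matches (assumed threshold).
    return len(find_zbot_prefs(prefs)) >= threshold

# Constructed sample user.js: one ordinary pref plus the lines the page lists.
SAMPLE_USER_JS = """\
user_pref("browser.tabs.warnOnClose", false);
user_pref("browser.startup.homepage", "http://example.invalid/");
user_pref("browser.startup.page", 1);
user_pref("network.cookie.cookieBehavior", 0);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("security.warn_viewing_mixed", false);
user_pref("security.warn_viewing_mixed.show_once", false);
user_pref("security.warn_submit_insecure", false);
user_pref("security.warn_submit_insecure.show_once", false);
"""
```

Run it against `%firefoxprofilefolder%\user.js` read from disk; `find_zbot_prefs(parse_user_js(text))` returns the matching entries and `is_suspicious` gives the verdict.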
It contains the following text:
- Coded by BRIAN KREBS for personal use only. I love my job & wife.
A string with variable content is used instead of %variable1-2%.