
W32/Zbot

Threat risk: medium

Detection files published:
Description created: 2009-11-20
Description updated: 2009-11-20

Malware type: Trojan
Alias: Trojan.Zbot!gen, Trojan-Spy.Win32.Zbot.gen, Mal/Zbot-O, Mal/EncPk-CZ, PWS:Win32/Zbot.M
Spreading mechanism: Email

Payload:

Summary

Zbots are trojans designed to gather information from the compromised computer. They collect banking information from infected systems and return it to a remote attacker. The trojans may also install a rootkit on the infected system and accept commands from remote attackers.

Threat description

On execution it copies itself into the %windir%\system32 location and sets the copy's file time to match that of ntdll.dll. It also uses the GetTickCount API to choose a number of bytes to append to the copied file, so that each copy has a different MD5 hash. It then terminates outpost.exe (Outpost Personal Firewall) and zlclient.exe (ZoneAlarm Firewall) if they are running.

The trojan appends its own path to the Userinit value in the registry so that it runs at every system reboot.

Installation

  • When the malware is executed, it copies itself to the following location: %system%\wbem\csrss.exe
  • Sets the value “CSRSS” in the registry key “Run”
  • Appends itself to the “userinit” value under the “Winlogon” key so that it starts at every system start, and then creates a folder named twain32 or lowsec, depending on the variant.
  • It also injects code into the svchost.exe instance with the lowest PID; this injected code downloads the configuration file and uploads the information gathered on the host (user credentials) to a remote server.
  • Creates mutexes and named pipes for inter-process communication.
  • Several variants have been seen; each creates one of ntos.exe, twex.exe, sdra64.exe or userinit.exe in the %system32% location (the main component of this family).
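The persistence and file-drop behaviour described in the threat description and the installation steps above can be turned into host-side checks. The following is an added example written for this description; it is not Norman's code and not part of the original page. It runs over constructed snapshots of the registry values and file metadata a collector would gather (the `SNAPSHOT` dict and the helper names are assumptions made for illustration), and it assumes the default XP-era install path C:\WINDOWS seen in the sandbox report. userinit.exe is deliberately not treated as a suspicious file name, because a userinit.exe in system32 is the legitimate Windows binary; the Userinit registry check is what catches the variant that reuses that name.

```python
"""Checks for the W32/Zbot persistence indicators described above.

Added example, not Norman's code.  Works on constructed snapshot dicts so it
runs offline; paths assume a default C:\\WINDOWS installation.
"""
from __future__ import annotations

import ntpath

SYSTEM32 = r"c:\windows\system32"                 # assumed install location
LEGIT_USERINIT = SYSTEM32 + r"\userinit.exe"     # the only entry Userinit should hold
DROP_PATH = SYSTEM32 + r"\wbem\csrss.exe"        # copy location named in the description
ZBOT_COMPONENT_NAMES = {"ntos.exe", "twex.exe", "sdra64.exe"}
ZBOT_FOLDER_NAMES = {"twain32", "lowsec"}


def _norm(path: str) -> str:
    # Lower-case and normalise separators so comparisons are case-insensitive.
    return ntpath.normcase(path.strip().strip('"'))


def check_userinit(value: str) -> list[str]:
    """Return every program listed in the Winlogon Userinit value other than
    the legitimate userinit.exe.  Zbot appends its own path to this
    comma-separated list so Winlogon launches it at every logon."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if _norm(e) != LEGIT_USERINIT]


def check_run_key(run_values: dict[str, str]) -> list[str]:
    """Return the names of Run-key values whose command is the wbem\\csrss.exe
    drop path.  The real csrss.exe lives in system32 itself, never in wbem."""
    return [name for name, cmd in run_values.items() if _norm(cmd) == DROP_PATH]


def check_filesystem(files: dict[str, int], dirs: list[str]) -> list[str]:
    """files maps full path -> modification time; dirs lists directories.
    Flags the dropped csrss.exe (noting when its file time was copied from
    ntdll.dll), the known component names in system32, and variant folders."""
    findings: list[str] = []
    by_path = {_norm(p): mtime for p, mtime in files.items()}
    ntdll_mtime = by_path.get(SYSTEM32 + r"\ntdll.dll")
    for path, mtime in by_path.items():
        name = ntpath.basename(path)
        if path == DROP_PATH:
            reason = "csrss.exe dropped under system32\\wbem"
            if ntdll_mtime is not None and mtime == ntdll_mtime:
                reason += " (file time copied from ntdll.dll)"
            findings.append(f"{path}: {reason}")
        elif ntpath.dirname(path) == SYSTEM32 and name in ZBOT_COMPONENT_NAMES:
            findings.append(f"{path}: known Zbot component name in system32")
    for d in dirs:
        nd = _norm(d)
        if ntpath.dirname(nd) == SYSTEM32 and ntpath.basename(nd) in ZBOT_FOLDER_NAMES:
            findings.append(f"{nd}: Zbot variant folder")
    return findings


def assess(snapshot: dict) -> list[str]:
    """Combine the three checks into one list of human-readable findings."""
    findings: list[str] = []
    for extra in check_userinit(snapshot["userinit"]):
        findings.append(f"Winlogon\\Userinit launches extra program: {extra}")
    for name in check_run_key(snapshot["run"]):
        findings.append(f"Run value '{name}' points at {DROP_PATH}")
    findings.extend(check_filesystem(snapshot["files"], snapshot["dirs"]))
    return findings


# Constructed snapshot of an infected host (values invented for illustration,
# modelled on the behaviour the description lists).
SNAPSHOT = {
    "userinit": r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,",
    "run": {
        "CSRSS": r"C:\WINDOWS\system32\wbem\csrss.exe",
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    },
    "files": {
        r"C:\WINDOWS\system32\ntdll.dll": 1091664000,
        r"C:\WINDOWS\system32\wbem\csrss.exe": 1091664000,   # same time as ntdll.dll
        r"C:\WINDOWS\system32\sdra64.exe": 1258700000,
        r"C:\WINDOWS\system32\userinit.exe": 1091664000,     # legitimate binary
    },
    "dirs": [r"C:\WINDOWS\system32\wbem", r"C:\WINDOWS\system32\lowsec"],
}

if __name__ == "__main__":
    for line in assess(SNAPSHOT):
        print(line)
```

A clean host gives an empty finding list; the constructed snapshot above yields five findings (the extra Userinit entry, the CSRSS Run value, the dropped csrss.exe with its copied timestamp, sdra64.exe in system32, and the lowsec folder). Because the description says each copy pads itself to a different MD5, these behavioural checks are more useful than matching the hash in the sandbox report.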

Sandbox analysis

[ DetectionInfo ]
* Filename: C:\Documents and Settings\norman\Desktop\0337f3917acac5839622d0a1cad0c8be.exe.
* Sandbox name: .
* Signature name: NOT_SCANNED.
* Compressed: NO.
* TLS hooks: NO.
* Executable type: Application.
* Executable file structure: OK.
* Filetype: PE_I386.

[ General information ]
* File length: 77030 bytes.
* MD5 hash: 0337f3917acac5839622d0a1cad0c8be.

[ Changes to filesystem ]
* Creates directory C:\WINDOWS\system32\wbem\.
* Creates file C:\WINDOWS\system32\n.ini.

[ Process/window information ]
* Creates a mutex dedf52.
* Creates a mutex tgfhfgh6772.
 

Removal

General information about removal of malicious software

Norman's antivirus products are in general able to remove all malicious software that is detected.
Some malware, however, uses techniques that the general product does not remove sufficiently. We have therefore developed the free product Norman Malware Cleaner. Please use the latest version of this program from the link below if your Norman antivirus is unable to clean up the infection.

Usage notes
  • Stopping network share infectors
  • Cleaning of back-up folders on Windows Me and XP