TROJ_ZBOT.BUO
Microsoft : PWS:Win32/Zbot.gen!W
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Spyware
Destructiveness: No
Encrypted: No
In the wild: Yes
TECHNICAL DETAILS
95,232 bytes
EXE
Yes
06 Jun 2009
Drops files, Creates files
Installation
This spyware drops the following files:
- %System%\lowsec\local.ds
- %System%\lowsec\user.ds.lll
- %System%\lowsec\user.ds
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
It drops the following copies of itself into the affected system:
- %System%\sdra64.exe
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
It creates the following folders:
- %System%\lowsec
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
Autostart Technique
This spyware modifies the following registry entry(ies) to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Userinit = %System%\userinit.exe,%System%\sdra64.exe,
(Note: The default value data of the said registry entry is %System%\userinit.exe,.)
Other System Modifications
This spyware adds the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
EnableFirewall = "0"
Information Theft
This spyware accesses the following site to download its configuration file:
- http://{BLOCKED}n.com/hcfg/habl.bin