TSPY_ZBOT.MTO

This spyware arrives as an attachment to email messages spammed by other malware/grayware or malicious users. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes then deletes itself afterward. It is injected into all running processes to remain memory resident.

It modifies Internet Explorer security settings. This puts the affected computer at greater risk, as it allows malicious URLs to be accessed by the computer.

Arrival Details

This spyware arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This spyware drops the following files:

• %Application Data%\{random folder 2}\{random file name 2}.{random extension name}
• %Application Data%\{random folder 3}\{random file name 3}.{random extension name}

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

It drops the following copies of itself into the affected system:

• %Application Data%\{random folder 1}\{random file name 1}.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

It creates the following folders:

• %Application Data%\{random folder 1}
• %Application Data%\{random folder 2}
• %Application Data%\{random folder 3}

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

It executes then deletes itself afterward.

It is injected into all running processes to remain memory resident.

Autostart Technique

This spyware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random} = "%Application Data%\{random folder 1}\{random file name 1}.exe"

Other System Modifications

This spyware adds the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\
{random key}

Web Browser Home Page and Search Page Modification

This spyware modifies Internet Explorer zone settings.

Download Routine

This spyware connects to the following website(s) to download and execute a malicious file:

• http://{BLOCKED}et-nord.de/pics/coconutsp2.exe

It saves the files it downloads using the following names:

• %User Profile%\coconutsp2.exe - TROJ_INJECT.SMMO

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

Stolen Information

This spyware sends the gathered information via HTTP POST to the following URL:

• http://{BLOCKED}lowb.org/coconut/header.php
• http://{BLOCKED}an.org/coconut/footer.php

NOTES:

It may also gather the following information from the affected system:

• Data on cookie files (URLs)
• Email-related information such as account names, email addresses, passwords, server data, and server port
• Email information stored in the user's Windows Address Book (WAB) file

It continuously connects to a randomly-generated and non-existing site:

• http://{random}.com/{random}/{random}.php