TSPY_ZBOT.TYZAX

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It modifies the Internet Explorer Zone Settings.

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This spyware drops the following copies of itself into the affected system and executes them:

• %Application Data%\{Random Folder1}\{Random File}.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

It drops the following files:

• %Application Data%\{Random Folder2}\{Random Filename}.{Random Extension}

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

It drops the following non-malicious file:

• %Application Data%\Microsoft\Address Book\winxp.wab

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

It creates the following folders:

• %Application Data%\{Random Folder1}
• %Application Data%\{Random Folder2}
• %Application Data%\Microsoft\Address Book

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

Autostart Technique

This spyware adds the following registry entries to enable its automatic execution at every system startup:

KEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{Malware Filename} = "%Application Data%\{Random Folder1}\{Random Filename}.exe"

Other System Modifications

This spyware adds the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\
{Random Key}

HKEY_CURRENT_USER\Software\Microsoft\
WAB

HKEY_CURRENT_USER\Software\Microsoft\
WAB\WAB4

HKEY_CURRENT_USER\Software\Microsoft\
WAB\WAB4\Wab File Name

HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager

It adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
WAB\WAB4
OlkContactRefresh = "0"

HKEY_CURRENT_USER\Software\Microsoft\
WAB\WAB4
OlkFolderRefresh = "0"

HKEY_CURRENT_USER\Software\Microsoft\
WAB\WAB4
FirstRun = "1"

HKEY_CURRENT_USER\Software\Microsoft\
{Random Key}
{Random Name1} = "{Random Value}"

HKEY_CURRENT_USER\Software\Microsoft\
{Random Key}
{Random Name2} = "{Random Value}"

HKEY_CURRENT_USER\Software\Microsoft\
{Random Key}
{Random Name3} = "{Random Value}"

Web Browser Home Page and Search Page Modification

This spyware modifies the Internet Explorer Zone Settings.

Download Routine

This spyware connects to the following website(s) to download and execute a malicious file:

• https://5.39.222.133/css/css.php?d=1

It saves the files it downloads using the following names:

• %User Temp%\tmp81eb33a7.exe

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

Other Details

This spyware connects to the following URL(s) to check for an Internet connection:

• http://www.google.com/webhp

It connects to the following possibly malicious URL:

• https://{BLOCKED}it.{BLOCKED}e.pl/images/1.jpg