TSPY_ZBOT.ZXC

Ändert Registrierungseinträge, um bei jedem Systemstart automatisch ausgeführt zu werden.

Infektionspunkte

Gelangt auf das System in Form einer Datei, die von den folgenden URLs heruntergeladen wurde:

• http://{BLOCKED}.ru/sloader/updates/own/file.exe

Installation

Schleust Kopien von sich selbst in den Windows Systemordner ein und hängt bedeutungslose Codefragmente (so genannten Garbage-Code) an die Datei an, um eine leichte Erkennung zu verhindern. Die eingeschleusten Kopien verwenden die folgenden Dateinamen:

• sdra64.exe

Erstellt die folgenden Ordner und legt für diese die Attribute System und Versteckt fest, um zu verhindern, dass die darin befindlichen Komponenten von Benutzern entdeckt und entfernt werden:

• %System%\lowsec

(Hinweis: %System% ist der Windows Systemordner. Er lautet in der Regel C:\Windows\System unter Windows 98 und ME, C:\WINNT\System32 unter Windows NT und 2000 sowie C:\Windows\System32 unter Windows XP und Server 2003.)

Schleust die folgenden Dateien ein:

• %System%\lowsec\local.ds
• %System%\lowsec\user.ds

(Hinweis: %System% ist der Windows Systemordner. Er lautet in der Regel C:\Windows\System unter Windows 98 und ME, C:\WINNT\System32 unter Windows NT und 2000 sowie C:\Windows\System32 unter Windows XP und Server 2003.)

Bleibt speicherresident, indem Code in folgende Prozesse injiziert wird:

• SVCHOST.EXE
• WINLOGON.EXE

Autostart-Technik

Ändert die folgenden Registrierungseinträge, um bei jedem Systemstart automatisch ausgeführt zu werden:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Userinit = "%System%\userinit.exe, %System%\sdra64.exe,"

(Note: The default value data of the said registry entry is %System%\userinit.exe,.)

Andere Systemänderungen

Fügt die folgenden Registrierungsschlüssel hinzu:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Network
UID = "{Computer name}_{Random numbers}"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
EnableFirewall = "0"

Datendiebstahl

Zielt auf die folgenden Websites ab:

• @*/login.osmp.ru/*@*/atl.osmp.ru/*!
• http://www.{BLOCKED}urity.com
• http://www.{BLOCKED}com
• http://www.{BLOCKED}s.com
• http://www.{BLOCKED}ender-Antivirus.co.uk
• http://www.{BLOCKED}uritySoftware.com
• http://www.{BLOCKED}Logic-Products-Download.com
• http://www.{BLOCKED}all.uk.com
• http://www.{BLOCKED}ree.com
• http://www.{BLOCKED}soft.com
• http://www.{BLOCKED}scan.com
• http://www.{BLOCKED}.com
• http://www.{BLOCKED}usa.com
• http://www.{BLOCKED}n.com
• http://www.{BLOCKED}ec.com
• http://www.{BLOCKED}onsecurity.com
• http://www.{BLOCKED}s.com
• http://www.{BLOCKED}rojan-software-reviews.com
• http://www.{BLOCKED}otkit.com
• http://www.{BLOCKED}rus-shop.biz
• http://www.{BLOCKED}rus.about.com
• http://www.{BLOCKED}rusworks.com
• http://www.{BLOCKED}rd.com
• http://www.{BLOCKED}t-shop.com
• http://www.{BLOCKED}t.com
• http://www.{BLOCKED}t.pl
• http://www.{BLOCKED}nsolutions.co.uk
• http://www.{BLOCKED}.com
• http://www.{BLOCKED}.fr
• http://www.{BLOCKED}.org
• http://www.{BLOCKED}guard.com
• http://www.{BLOCKED}com
• http://www.{BLOCKED}nder.com
• http://www.{BLOCKED}walls.com
• http://www.{BLOCKED}tivirus.de
• http://www.{BLOCKED}tivirus.eu
• http://www.{BLOCKED}rewall.de
• http://www.{BLOCKED}rewall.eu
• http://www.{BLOCKED}ternetsecurity.de
• http://www.{BLOCKED}ternetsecurity.eu
• http://www.{BLOCKED}m
• http://www.{BLOCKED}
• http://www.{BLOCKED}com
• http://www.{BLOCKED}-systems.com
• http://www.{BLOCKED}udanetworks.com
• http://www.{BLOCKED}uard.com
• http://www.{BLOCKED}t.com
• http://www.{BLOCKED}ender.com
• http://www.{BLOCKED}ender.de
• http://www.{BLOCKED}rsoft.com
• http://www.{BLOCKED}g
• http://www.{BLOCKED}re.com.au
• http://www.{BLOCKED}
• http://www.{BLOCKED}org
• http://www.{BLOCKED}t.com
• http://www.{BLOCKED}dc.fr
• http://www.{BLOCKED}cops.com
• http://www.{BLOCKED}lcommand.com
• http://www.{BLOCKED}rg
• http://www.{BLOCKED}oint.com
• http://www.{BLOCKED}ointworks.com
• http://www.{BLOCKED}e
• http://www.{BLOCKED}com
• http://www.{BLOCKED}uard.com
• http://www.{BLOCKED}.net
• http://www.{BLOCKED}.org
• http://www.{BLOCKED}n.com
• http://www.{BLOCKED}v.com
• http://www.{BLOCKED}om
• http://www.{BLOCKED}.com
• http://www.{BLOCKED}.net
• http://www.{BLOCKED}erbase.de
• http://www.{BLOCKED}erlinks.co.uk
• http://www.{BLOCKED}ershopper.com
• http://www.{BLOCKED}erwissen.de
• http://www.{BLOCKED}ersearch.com
• http://www.{BLOCKED}d.com
• http://www.{BLOCKED}re.blogspot.com
• http://www.{BLOCKED}re.com
• http://www.{BLOCKED}co.uk
• http://www.{BLOCKED}y.com
• http://www.{BLOCKED}efender.com
• http://www.{BLOCKED}nix.com
• http://www.{BLOCKED}nixworks.com
• http://www.{BLOCKED}la.com
• http://www.{BLOCKED}larmaments.com
• http://www.{BLOCKED}onic.net
• http://www.{BLOCKED}av.de
• http://www.{BLOCKED}online.com
• http://www.{BLOCKED}ue.com
• http://www.{BLOCKED}fender.com
• http://www.{BLOCKED}.com
• http://www.{BLOCKED}om
• http://www.{BLOCKED}ft.com
• http://www.{BLOCKED}ft.de
• http://www.{BLOCKED}riseav.com
• http://www.{BLOCKED}t
• http://www.{BLOCKED}h
• http://www.{BLOCKED}o.uk
• http://www.{BLOCKED}om
• http://www.{BLOCKED}om.au
• http://www.{BLOCKED}e
• http://www.{BLOCKED}u
• http://www.{BLOCKED}com
• http://www.{BLOCKED}.org
• http://www.{BLOCKED}net
• http://www.{BLOCKED}s.com
• http://www.{BLOCKED}.com
• http://www.{BLOCKED}.de
• http://www.{BLOCKED}re-estore.de
• http://www.{BLOCKED}re.co.uk
• http://www.{BLOCKED}re.com
• http://www.{BLOCKED}re.de
• http://www.{BLOCKED}re.pl
• http://www.{BLOCKED}reusa.com
• http://www.{BLOCKED}me.com
• http://www.{BLOCKED}mesecurity.com
• http://www.{BLOCKED}rg.uk
• http://www.{BLOCKED}ppo.com
• http://www.{BLOCKED}.com
• http://www.{BLOCKED}e.com
• http://www.{BLOCKED}llguide.com
• http://www.{BLOCKED}uardcenter.com
• http://www.{BLOCKED}et.com
• http://www.{BLOCKED}org
• http://www.{BLOCKED}v.com
• http://www.{BLOCKED}vg.com
• http://www.{BLOCKED}web.com
• http://www.{BLOCKED}v.com
• http://www.{BLOCKED}software.com
• http://www.{BLOCKED}de
• http://www.{BLOCKED}oftware.co.uk
• http://www.{BLOCKED}oftware.com
• http://www.{BLOCKED}m
• http://www.{BLOCKED}rd.com
• http://www.{BLOCKED}hauri.com
• http://www.{BLOCKED}ntec.com
• http://www.{BLOCKED}eb.co.uk
• http://www.{BLOCKED}t.cz
• http://www.{BLOCKED}ense.com
• http://www.{BLOCKED}ite.com
• http://www.{BLOCKED}ft.com.pe
• http://www.{BLOCKED}net
• http://www.{BLOCKED}
• http://www.{BLOCKED}irus.com
• http://www.{BLOCKED}m
• http://www.{BLOCKED}se.com
• http://www.{BLOCKED}-software.at
• http://www.{BLOCKED}.at
• http://www.{BLOCKED}c.co.uk
• http://www.{BLOCKED}curity-us.com
• http://www.{BLOCKED}curitycanada.com
• http://www.{BLOCKED}curityevent.com
• http://www.{BLOCKED}curityproject.com
• http://www.{BLOCKED}chworks.com
• http://www.{BLOCKED}y.com
• http://www.{BLOCKED}rtstore.com
• http://www.{BLOCKED}otector.com
• http://www.{BLOCKED}.com
• http://www.{BLOCKED}arereviews.com
• http://www.{BLOCKED}erver.com
• http://www.{BLOCKED}ews.co.uk
• http://www.{BLOCKED}dcanada.com
• http://www.{BLOCKED}olsoftware.com
• http://www.{BLOCKED}org
• http://www.{BLOCKED}uting.com
• http://www.{BLOCKED}rotection.com
• http://www.{BLOCKED}sky-labs.com
• http://www.{BLOCKED}sky.com
• http://www.{BLOCKED}mag.com
• http://www.{BLOCKED}ft.com
• http://www.{BLOCKED}ft.de
• http://www.{BLOCKED}tech.com
• http://www.{BLOCKED}ion.com
• http://www.{BLOCKED}l.com
• http://www.{BLOCKED}l8e6.com
• http://www.{BLOCKED}-center.de
• http://www.{BLOCKED}-online.com
• http://www.{BLOCKED}.com
• http://www.{BLOCKED}asap.com
• http://www.{BLOCKED}help.com
• http://www.{BLOCKED}store.com
• http://www.{BLOCKED}oft.com
• http://www.{BLOCKED}net
• http://www.{BLOCKED}c.com
• http://www.{BLOCKED}works.com
• http://www.{BLOCKED}ust.com
• http://www.{BLOCKED}ee.ch
• http://www.{BLOCKED}ft.com
• http://www.{BLOCKED}curity.org
• http://www.{BLOCKED}r.com
• http://www.{BLOCKED}rworks.com
• http://www.{BLOCKED}kassociates.co.za
• http://www.{BLOCKED}kworld.com
• http://www.{BLOCKED}lt.de
• http://www.{BLOCKED}visor.com
• http://www.{BLOCKED}tware.com
• http://www.{BLOCKED}ch
• http://www.{BLOCKED}hop.de
• http://www.{BLOCKED}.com
• http://www.{BLOCKED}-online.com
• http://www.{BLOCKED}.com
• http://www.{BLOCKED}tonetworks.com
• http://www.{BLOCKED}tonetworks.jp
• http://www.{BLOCKED}software.de
• http://www.{BLOCKED}nsight.com
• http://www.{BLOCKED}abs.com
• http://www.{BLOCKED}ecurity.com
• http://www.{BLOCKED}oftware.ch
• http://www.{BLOCKED}logic.com
• http://www.{BLOCKED}anage.com
• http://www.{BLOCKED}ls.net
• http://www.{BLOCKED}sor.co.uk
• http://www.{BLOCKED}virusreviews.com
• http://www.{BLOCKED}ro.com
• http://www.{BLOCKED}nde.de
• http://www.{BLOCKED}com
• http://www.{BLOCKED}s.com
• http://www.{BLOCKED}.de
• http://www.{BLOCKED}trol.com
• http://www.{BLOCKED}otector.com
• http://www.{BLOCKED}com
• http://www.{BLOCKED}rabber.co.uk
• http://www.{BLOCKED}ve.com
• http://www.{BLOCKED}veworks.com
• http://www.{BLOCKED}re.com
• http://www.{BLOCKED}eal.co.in
• http://www.{BLOCKED}m
• http://www.{BLOCKED}-global.com
• http://www.{BLOCKED}t.com
• http://www.{BLOCKED}usesoftware.com
• http://www.{BLOCKED}.com
• http://www.{BLOCKED}fender.com
• http://www.{BLOCKED}fe.com
• http://www.{BLOCKED}nse.com
• http://www.{BLOCKED}zineus.com
• http://www.{BLOCKED}nt.com
• http://www.{BLOCKED}ctive.fr
• http://www.{BLOCKED}ctive.net
• http://www.{BLOCKED}computing.com
• http://www.{BLOCKED}computing.stanford.edu
• http://www.{BLOCKED}works.com
• http://www.{BLOCKED}ty-forums.com
• http://www.{BLOCKED}tybay.co.uk
• http://www.{BLOCKED}tyfocus.com
• http://www.{BLOCKED}tysoft.com
• http://www.{BLOCKED}tysoftwarezone.com
• http://www.{BLOCKED}a.com
• http://www.{BLOCKED}et
• http://www.{BLOCKED}x.com
• http://www.{BLOCKED}are.net
• http://www.{BLOCKED}ic.com
• http://www.{BLOCKED}ic.de
• http://www.{BLOCKED}dia.com
• http://www.{BLOCKED}a.com
• http://www.{BLOCKED}uard.com
• http://www.{BLOCKED}all.com
• http://www.{BLOCKED}.com
• http://www.{BLOCKED}.de
• http://www.{BLOCKED}benelux.com
• http://www.{BLOCKED}ghter.com
• http://www.{BLOCKED}us.org
• http://www.{BLOCKED}m
• http://www.{BLOCKED}views.com
• http://www.{BLOCKED}os.com
• http://www.{BLOCKED}tblog.blogspot.com
• http://www.{BLOCKED}tsoftware.com
• http://www.{BLOCKED}ec-norton.com
• http://www.{BLOCKED}ec.com
• http://www.{BLOCKED}ecstore.com
• http://www.{BLOCKED}pportalert.com
• http://www.{BLOCKED}expert.com
• http://www.{BLOCKED}fire.com
• http://www.{BLOCKED}gpoint.com
• http://www.{BLOCKED}reviews.com
• http://www.{BLOCKED}icro.com
• http://www.{BLOCKED}ecure.com
• http://www.{BLOCKED}er-board.de
• http://www.{BLOCKED}dsource.org
• http://www.{BLOCKED}.com
• http://www.{BLOCKED}du
• http://www.{BLOCKED}le.com
• http://www.{BLOCKED}gn.com
• http://www.{BLOCKED}m.au
• http://www.{BLOCKED}i.com
• http://www.{BLOCKED}ntivirus.com
• http://www.{BLOCKED}chutz.info
• http://www.{BLOCKED}lgraffiti.com
• http://www.{BLOCKED}protect.org
• http://www.{BLOCKED}fi
• http://www.{BLOCKED}tn.com
• http://www.{BLOCKED}ill.co.uk
• http://www.{BLOCKED}ogic.com
• http://www.{BLOCKED}otal.com
• http://www.{BLOCKED}uard.com
• http://www.{BLOCKED}uard.com.au
• http://www.{BLOCKED}com
• http://www.{BLOCKED}t.com
• http://www.{BLOCKED}t.de
• http://www.{BLOCKED}se.com
• http://www.{BLOCKED}r.co.uk
• http://www.{BLOCKED}astlabs.com
• http://www.{BLOCKED}esecurity.com
• http://www.{BLOCKED}ssecurity.com
• http://www.{BLOCKED}ssecurity.net
• http://www.{BLOCKED}ssecurity.org
• http://www.{BLOCKED}s-tricks.com
• http://www.{BLOCKED}security.com
• http://www.{BLOCKED}co.uk
• http://www.{BLOCKED}de
• http://www.{BLOCKED}co.uk
• http://www.{BLOCKED}uard.com
• https://banking.*.de/cgi/ueberweisung.cgi/*
• https://internetbanking.gad.de/banking/*
• https://www.citibank.de/*/jba/mp#/SubmitRecap.do

Versucht, Daten von den folgenden Banken und/oder anderen Geldinstituten zu entwenden:

• Citibank
• GAD
• Microsoft
• OSPM
• Raiffeisen
• 8e6security
• 9down
• AppLabs
• BitDefender-Antivirus
• CA-SecuritySoftware
• ParetoLogic-Products-Download
• Sonicwall
• WorryFree
• abylonsoft
• activescan
• ahnlab
• ahnlabusa
• aladdin
• alertsec
• alwaysonsecurity
• ancoris
• anti-trojan-software-reviews
• antirootkit
• antivirus-shop
• antivirusworks
• apcguard
• arcabit
• arcabit-shop
• arcabit
• ashdownsolutions
• astaro
• astaro
• astaro
• astaroguard
• avast
• avdefender
• avfirewalls
• avg
• avg-antivirus
• avg-antivirus
• avg-firewall
• avg-firewall
• avg-internetsecurity
• avg-internetsecurity
• avira
• aztech-systems
• barracudanetworks
• barraguard
• becrypt
• bitdefender
• brothersoft
• bsa
• CA
• caast
• caisoft
• calyx-dc
• castlecops
• centralcommand
• cert
• checkpoint
• checkpointworks
• chip
• cisco
• ciscoguard
• clamav
• clamav
• clamwin
• clamxav
• cnet
• comodo
• computerbase
• computerlinks
• computershopper
• computerwissen
• consumersearch
• cpguard
• cpsecure
• cryer
• crypkey
• cyberdefender
• cymphonix
• cymphonixworks
• damballa
• digitalarmaments
• digitronic
• drweb-av
• drweb-online
• edgeblue
• edgedefender
• edgeos
• eeye
• emsisoft
• enterpriseav
• eset
• esoft
• etrust
• ewido
• explabs
• f-prot
• f-secure
• f-secure-estore
• f-secure
• f-secureusa
• facetime
• facetimesecurity
• fast
• filehippo
• finjan
• fireeye
• firewallguide
• fortiguardcenter
• fortinet
• fprot
• free-av
• freedrweb
• freerav
• gdata
• gdata-software
• gdatasoftware
• gfi
• gfiguard
• globalhauri
• gosymantec
• greatweb
• grisoft
• guardsense
• guardsite
• hacksoft
• hauri
• hp
• iantivirus
• ibm
• idefense
• ikarus-software
• ikarus
• infosec
• infosecurity-us
• infosecuritycanada
• infosecurityevent
• infosecurityproject
• ipswitchworks
• ironkey
• ironportstore
• ironprotector
• isc365
• isoftwarereviews
• it-observer
• itreviews
• itworldcanada
• javacoolsoftware
• jotti
• k7computing
• k9webprotection
• kaspersky
• kaspersky-labs
• laptopmag
• lavasoft
• layer7tech
• lumension
• marshal
• marshal8e6
• mcafee
• mcafee-center
• mcafee-online
• mcafeeasap
• mcafeehelp
• mcafeestore
• microsoft
• misec
• mxlogic
• mxmailworks
• my-etrust
• mymcafee
• nestsoft
• net-security
• netgear
• netgearworks
• networkassociates
• networkworld
• netzwelt
• nextadvisor
• ngssoftware
• nod32
• nod32shop
• norman
• norton
• norton-online
• paloaltonetworks
• paloaltonetworks
• panda-software
• pandainsight
• pandalabs
• pandasecurity
• pandasoftware
• paretologic
• patchmanage
• pc-tools
• pcadvisor
• pcantivirusreviews
• pcdocpro
• pcfreunde
• pcmag
• pctools
• pcwelt
• pestpatrol
• portprotector
• prevx
• pricegrabber
• procurve
• procurveworks
• purewire
• quickheal
• rbc
• rising-global
• rootkit
• safehousesoftware
• safend
• scandefender
• scansafe
• scdefense
• scmagazineus
• secpoint
• securactive
• securactive
• securecomputing
• secureworks
• security-forums
• securitybay
• securityfocus
• securitysoft
• securitysoftwarezone
• siia
• sofotex
• soft-ware
• softonic
• softpedia
• softsea
• sonicguard
• sonicwall
• sophos
• sophosbenelux
• spamfighter
• spamhaus
• spn
• starreviews
• steganos
• sunbeltsoftware
• symantec
• symantec-norton
• symantecstore
• techsupportalert
• threatexpert
• threatfire
• tippingpoint
• toptenreviews
• trendmicro
• trendsecure
• trojaner-board
• trustedsource
• tucows
• ucsb
• untangle
• verisign
• vet
• vipreantivirus
• virenschutz
• virtualgraffiti
• virus-protect
• virus
• virusbtn
• viruskill
• viruslogic
• virustotal
• watchguard
• webex
• webroot
• websense
• webuser
• westcoastlabs
• wideeyesecurity
• wilderssecurity
• wilderssecurity
• windows-tricks
• windowsecurity
• zdnet
• zyxel
• zyxelguard

Beachten Sie, dass der Inhalt der Datei, d. h. die Liste der zu überwachenden Websites, jederzeit geändert werden kann.