TSPY_ZBOT.KOP

 Analysis by: Jasen Sumalapao

 ALIASES:

PWS:Win32/Zbot (Microsoft), Trojan-Spy.Win32.Zbot.cooi (Kaspersky), Infostealer.Banker.C (Symantec), PWS-Zbot.gen.mv (NAI), Mal/EncPk-JU (Sophos), Gen:Variant.Kazy.44383 (FSecure), Trojan.Win32.Generic!BT (Sunbelt), TR/Dropper.Gen (Antivir), Gen:Variant.Kazy.44383 (Bitdefender), Trojan.Banker-1295 (Clamav), W32/Zbot.YW!tr.spy (Fortinet), Trojan-PWS.Win32.Zbot (Ikarus), Win32/Spy.Zbot.YW trojan (NOD32), TrojanSpy.Zbot.cooi (VBA32)

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 REPORTED INFECTION:
 SYSTEM IMPACT RATING:
 INFORMATION EXPOSURE:

  • Threat Type: Spyware

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It modifies the Internet Explorer Zone Settings.

However, due to errors in its code, it fails to perform its intended routine.

  TECHNICAL DETAILS

File Size:

113,664 bytes

File Type:

EXE

Initial Samples Received Date:

03 Sep 2012

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This spyware drops a copy of itself in the following folders using different file names:

  • %User Profile%\Application Data\{Random Folder 1}\{Random Filename}.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

It drops the following component file(s):

  • %User Profile%\Application Data\(Random Folder 2)\{Random Filename and Extension}
  • %User Profile%\Application Data\(Random Folder 3)\{Random Filename and Extension}

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

It adds the following processes:

  • %System%\net.exe
  • %System%\net1.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It creates the following folders:

  • %User Profile%\Application Data\{Random Folder 1}
  • %User Profile%\Application Data\{Random Folder 2}
  • %User Profile%\Application Data\{Random Folder 3}

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

Web Browser Home Page and Search Page Modification

This spyware modifies the Internet Explorer Zone Settings.

Other Details

However, due to errors in its code, it fails to perform its intended routine.