TSPY_COMFRA.A
Trojan-Spy.Zbot (Ikarus)
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Spyware
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This spyware arrives as an attachment to email messages spammed by other malware/grayware or malicious users.
It executes then deletes itself afterward.
TECHNICAL DETAILS
72,192 bytes
EXE
27 May 2014
Arrival Details
This spyware arrives as an attachment to email messages spammed by other malware/grayware or malicious users.
Installation
This spyware drops the following copies of itself into the affected system:
- %Application Data%\Microsoft\{3 random char}{variable}.exe
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)
It executes then deletes itself afterward.
Autostart Technique
This spyware adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{3 random char}{variable}.exe = "%Application Data%\Microsoft\{3 random char}{variable}.exe"
Other System Modifications
This spyware adds the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\
Office\Common\{random key}
HKEY_CURRENT_USER\Software\Microsoft\
Office\Common\{random key}\
{random key}PS
HKEY_CURRENT_USER\Software\Microsoft\
Office\Common\{random key}\
{random key}RS
HKEY_CURRENT_USER\Software\Microsoft\
Office\Common\{random key}\
{random key}SS
It adds the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
GlobalUserOffline = "0"
Other Details
This spyware connects to the following possibly malicious URL:
- {BLOCKED}.{BLOCKED}.86.214:8080
- {BLOCKED}.{BLOCKED}.6:8080
- {BLOCKED}.{BLOCKED}.183.196:8080
- {BLOCKED}.{BLOCKED}.0.5:8080
- {BLOCKED}.{BLOCKED}.86.214:8080
- {BLOCKED}.{BLOCKED}.6:8080
- {BLOCKED}.{BLOCKED}.66.179:8080
- {BLOCKED}.{BLOCKED}.232.235:8080
- {BLOCKED}.{BLOCKED}.185.107:8080
- {BLOCKED}.{BLOCKED}.183.196:8080
- {BLOCKED}.{BLOCKED}.210.86:8080
- {BLOCKED}.{BLOCKED}.0.5:8080
- {BLOCKED}.{BLOCKED}.156.20:8080
- {BLOCKED}.{BLOCKED}.62.18:8080
- {BLOCKED}.{BLOCKED}.191.158:8080
NOTES:
where variable is any of the following:
- windows
- video
- update
- system
- sock
- share
- setup
- serial
- mgr32
- error
- edit32
- crypt
- config
- common
- cap32
- boot
- bios
- audio
- api32