search

TSPY_ZBOT.OET

February 01, 2013
 Modified by: Anthony Joe Melgarejo
 ALIASES:

VirTool:Win32/Injector.gen!AB (Microsoft), Trojan.Ransomlock.P, Generic Dropper!1yf (McAfee), Win.Trojan.Dropper-18 (ClamAV), W32/MDrop.ENE!tr (Fortinet), W32/Trojan3.EAV (F-Prot), Win32/Trustezeb.C trojan (ESET)

 PLATFORM:

Windows 2000, Windows Server 2003., Windows XP (32-bit and 64-bit), Windows Vista (32-bit and 64-bit), Windows 7 (32-bit and 64-bit)

 OVERALL RISK RATING:
 REPORTED INFECTION:
 SYSTEM IMPACT RATING:
 INFORMATION EXPOSURE:

  • Threat Type: Spyware

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW


This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It deletes itself after execution.

  TECHNICAL DETAILS

File Size:

57,856 bytes

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

18 Sep 2012

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This spyware drops the following copies of itself into the affected system:

  • %User Temp%\{random folder name}\{random file name}.exe
  • %User Profile%\{random folder name}\{random file name}.exe
  • %Application Data%\{random folder name}\{random file name}.exe
  • %System Root%\{random folder name}\{random file name}.exe

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.. %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It creates the following folders:

  • %User Temp%\{random folder name}
  • %User Profile%\{random folder name}
  • %Application Data%\{random folder name}
  • %System Root%\{random folder name}

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.. %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

Autostart Technique

This spyware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random letters} = "{folder/directory used}\{random folder name}\{random file name}.exe"

Other Details

This spyware connects to the following possibly malicious URL:

  • http://www.{BLOCKED}u.com/ld/a.php
  • http://www.{BLOCKED}amj.com/ld/a.php
  • http://www.{BLOCKED}a-list.com/ld/a.php
  • http://www.{BLOCKED}ure.com/ld/a.php
  • http://www.{BLOCKED}hop.com/ld/a.php

It deletes itself after execution.

NOTES:

It only drops one copy of itself. It chooses from the ones stated above.

{directory/folder used} is where the malware chose to drop its copy.