TSPY_ZBOT.GTY
W32/Kryptik.HZ!tr (Fortinet), W32/Zbot.DF.gen!Eldorado (FProt), Trojan-Spy.Win32.Zbot (Ikarus), PWS:Win32/Zbot.gen!AF (Microsoft), Win32/Spy.Zbot.YW trojan (NOD32), Trojan.Zbot!gen27 (Norton), Gen:Variant.Zusy.410 (Bitdefender)
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Spyware
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It connects to certain URLs. It may do this to remotely inform a malicious user of its installation. It may also do this to download possibly malicious files onto the computer, which puts the computer at a greater risk of infection by other threats.
TECHNICAL DETAILS
Yes
04 Oct 2012
Arrival Details
This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This spyware drops and executes the following files:
- %Application Data%\{random folder name}\{random file name}.exe
- %User Temp%\TMP{random name}.bat
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)
Download Routine
This spyware connects to the following malicious URLs:
- {random}.biz
- {random}.com
- {random}.ru
- {random}.ru.local
- {random}.org
- {random}.info
- {random}.net
Other Details
This spyware connects to the following URL(s) to check for an Internet connection:
- http://www.bing.com
- http://www.google.com