TSPY_ZBOT.IMZ

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

However, as of this writing, the said sites are inaccessible.

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This spyware drops the following files:

• %User Profile%\Application Data\{random letters 1}\{random letters}.exe - copy of itself
• %User Profile%\Application Data\{random letters 2}\{random letters}.{random letters} - encrypted file

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

It creates the following folders:

• %User Profile%\Application Data\{random letters 1}
• %User Profile%\Application Data\{random letters 2}

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

Autostart Technique

This spyware creates the following registry entries to enable automatic execution of dropped component at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{GUID} = "%User Profile%\Application Data\{random letters 1}\{random letters}.exe"

Other System Modifications

This spyware adds the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\
{random letters}

Information Theft

This spyware accesses the following site to download its configuration file:

• http://{BLOCKED}.{BLOCKED}9.232.7/memor/conf.bin

Other Details

However, as of this writing, the said sites are inaccessible.