TSPY_ZBOT.WEY

This spyware attempts to steal information, such as user names and passwords, used when logging into certain banking or finance-related websites.

Arrival Details

This spyware may be downloaded from the following remote sites:

• http://{BLOCKED}rt.com/zz/bot.exe

Installation

This spyware adds the following folders:

• %Application Data%\{random1}
• %Application Data%\{random2}

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

It injects itself into the following processes running in the affected system's memory:

• explorer.exe
• taskhost.exe
• taskeng.exe
• Dwm.exe
• wscntfy.exe
• ctfmon.exe
• rdpclip.exe

Autostart Technique

This spyware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{GUID of mount point of %Windows%} = %Application Data%\{random1}\{random}.exe

It drops the following files:

• %Application Data%\{random1}\{random}.exe - copy of itself
• %Application Data%\{random2}\{random} - contains encrypted stolen data

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

Other System Modifications

This spyware adds the following registry keys as part of its installation routine:

HKEY_CURRENT_USER\Software\Microsoft
{random} =

It creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%WINDOWS%\\EXPLORER.EXE = %WINDOWS%\EXPLORER.EXE:*:Enabled:Windows Explorer

Information Theft

This spyware monitors the Internet Explorer (IE) activities of the affected system, specifically the address bar or title bar. It recreates a legitimate website with a spoofed login page if a user visits banking sites with the following strings in the address bar or title bar:

• *.ebay.com/*eBayISAPI.dll?*
• *//mail.yandex.ru/
• *//mail.yandex.ru/index.xml
• *//money.yandex.ru/
• *//money.yandex.ru/index.xml
• */atl.osmp.ru/*
• */login.osmp.ru/*
• */my.ebay.com/*CurrentPage=MyeBayPersonalInfo*
• *banquepopulaire.fr/*
• *wellsfargo.com/*
• http://*.osmp.ru/
• http://caixasabadell.net/banca2/tx0011/0011.jsp
• http://www.hsbc.co.uk/1/2/personal/internet-banking*
• https://areasegura.banif.es/bog/bogbsn*
• https://banca.cajaen.es/Jaen/INclient.jsp
• https://bancaonline.openbank.es/servlet/PProxy?*
• https://bancopostaonline.poste.it/bpol/bancoposta/formslogin.asp
• https://banesnet.banesto.es/*/loginEmpresas.htm
• https://banking*.anz.com/*
• https://cardsonline-consumer.com/RBSG_Consumer/VerifyLogin.do
• https://carnet.cajarioja.es/banca3/tx0011/0011.jsp
• https://easyweb*.tdcanadatrust.com/servlet/*FinancialSummaryServlet*
• https://empresas.gruposantander.es/WebEmpresas/servlet/webempresas.servlets.*
• https://extranet.banesto.es/*/loginParticulares.htm
• https://extranet.banesto.es/npage/OtrosLogin/LoginIBanesto.htm
• https://hb.quiubi.it/newSSO/x11logon.htm
• https://home.cbonline.co.uk/login.html*
• https://home.ybonline.co.uk/login.html*
• https://home.ybonline.co.uk/ral/loginmgr/*
• https://home2ae.cd.citibank.ae/CappWebAppAE/producttwo/capp/action/signoncq.do
• https://ibank.barclays.co.uk/olb/x/LoginMember.do
• https://ibank.internationalbanking.barclays.com/logon/icebapplication*
• https://intelvia.cajamurcia.es/2043/entrada/01entradaencrip.htm
• https://internetbanking.aib.ie/hb1/roi/signon
• https://light.webmoney.ru/default.aspx
• https://lot-port.bcs.ru/names.nsf?#ogin*
• https://montevia.elmonte.es/cgi-bin/INclient_2098*
• https://oi.cajamadrid.es/CajaMadrid/oi/pt_oi/Login/login
• https://oie.cajamadridempresas.es/CajaMadrid/oie/pt_oie/Login/login_oie_1
• https://olb2.nationet.com/MyAccounts/frame_MyAccounts_WP2.asp*
• https://olb2.nationet.com/signon/signon*
• https://online*.lloydstsb.co.uk/logon.ibc
• https://online-business.lloydstsb.co.uk/customer.ibc
• https://online-offshore.lloydstsb.com/customer.ibc
• https://online.wamu.com/Servicing/Servicing.aspx?targetPage=AccountSummary
• https://online.wellsfargo.com/das/cgi-bin/session.cgi*
• https://online.wellsfargo.com/login*
• https://online.wellsfargo.com/signon*
• https://onlinebanking#.wachovia.com/myAccounts.aspx?referrer=authService
• https://onlinebanking.nationalcity.com/OLB/secure/AccountList.aspx
• https://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome
• https://pastornetparticulares.bancopastor.es/SrPd*
• https://privati.internetbanking.bancaintesa.it/sm/login/IN/box_login.jsp
• https://probanking.procreditbank.bg/main/main.asp*
• https://resources.chase.com/MyAccounts.aspx
• https://rupay.com/index.php
• https://scrigno.popso.it*
• https://web.da-us.citibank.com/*BS_Id=MemberHomepage*
• https://web.da-us.citibank.com/cgi-bin/citifi/portal/l/autherror.do*
• https://web.da-us.citibank.com/cgi-bin/citifi/portal/l/l.do
• https://web.secservizi.it/siteminderagent/forms/login.fcc
• https://welcome23.smile.co.uk/SmileWeb/start.do
• https://welcome27.co-operativebank.co.uk/CBIBSWeb/start.do
• https://www#.citizensbankonline.com/*/index-wait.jsp
• https://www#.usbank.com/internetBanking/LoginRouter
• https://www*.banking.first-direct.com/1/2/*
• https://www.53.com/servlet/efsonline/index.html*
• https://www.bancajaproximaempresas.com/ControlEmpresas*
• https://www.bancoherrero.com/es/*
• https://www.bbvanetoffice.com/local_bdno/login_bbvanetoffice.html
• https://www.bgnetplus.com/niloinet/login.jsp
• https://www.caixagirona.es/cgi-bin/INclient_2030*
• https://www.caixalaietana.es/cgi-bin/INclient_2042
• https://www.caixaontinyent.es/cgi-bin/INclient_2045
• https://www.caixatarragona.es/esp/sec_1/oficinacodigo.jsp
• https://www.caja-granada.es/cgi-bin/INclient_2031
• https://www.cajabadajoz.es/cgi-bin/INclient_6010*
• https://www.cajacanarias.es/cgi-bin/INclient_6065
• https://www.cajacirculo.es/ISMC/Circulo/acceso.jsp
• https://www.cajadeavila.es/cgi-bin/INclient_6094
• https://www.cajalaboral.com/home/acceso.asp
• https://www.cajasoldirecto.es/2106/*
• https://www.cajavital.es/Appserver/vitalnet*
• https://www.ccm.es/cgi-bin/INclient_6105
• https://www.citibank.de*
• https://www.clavenet.net/cgi-bin/INclient_7054
• https://www.dab-bank.com*
• https://www.e-gold.com/acct/balance.asp*
• https://www.e-gold.com/acct/li.asp
• https://www.ebank.hsbc.co.uk/main/IBLogon.jsp
• https://www.fibancmediolanum.es/BasePage.aspx*
• https://www.gruposantander.es/*
• https://www.gruposantander.es/bog/sbi*?ptns=acceso*
• https://www.gruppocarige.it/grps/vbank/jsp/login.jsp
• https://www.halifax-online.co.uk/MyAccounts/MyAccounts.aspx*
• https://www.halifax-online.co.uk/_mem_bin/*
• https://www.halifax-online.co.uk/_mem_bin/formslogin.asp*
• https://www.isbank.com.tr/Internet/ControlLoader.aspx*
• https://www.isideonline.it/relaxbanking/sso.Login*
• https://www.iwbank.it/private/index_pub.jhtml*
• https://www.mybank.alliance-leicester.co.uk/login/*
• https://www.nwolb.com/Login.asp*
• https://www.nwolb.com/Login.aspx*
• https://www.paypal.com/*/webscr?cmd=_account
• https://www.paypal.com/*/webscr?cmd=_login-done*
• https://www.rbsdigital.com/Login.asp*
• https://www.sabadellatlantico.com/es/*
• https://www.suntrust.com/portal/server.pt*parentname=Login*
• https://www.unicaja.es/PortalServlet*
• https://www.uno-e.com/local_bdnt_unoe/Login_unoe2.html
• https://www.us.hsbc.com/*
• https://www.wellsfargo.com/*
• https://www2.bancopopular.es/AppBPE/servlet/servin*

It accesses the following site to download its configuration file:

• http://{BLOCKED}rt.com/zz/config.bin

It attempts to steal information from the following banks and/or other financial institutions:

• AIB
• ANZ
• Alliance & Leicester
• BBVA
• BG Net Plus
• Banca Intesa
• Bancaja
• Banco Herrero
• Banco Pastor
• Banco Popular
• Banesto
• Banif
• Bank of America
• Banque Populaire
• Barclays
• BrokerCreditService
• CCM
• Caixa Girona
• Caixa Laietana
• Caixa Ontinyent
• Caixa Sabadell
• Caixa Tarragona
• Caja Badajoz
• Caja Canarias
• Caja Circulo
• Caja Granada
• Caja Laboral
• Caja Madrid
• Caja Murcia
• Caja Vital
• Caja de Avila
• Caja de Jaen
• Cajarioja
• Cajasol
• Chase
• Citibank
• Citizens
• Clavenet
• Clydesdale
• Co-Operativebank
• DAB
• E-Gold
• Ebay
• Fibanc Mediolanum
• Fifth Third
• First Direct
• Gruppo Carige
• HSBC
• Halifax
• IS Bank
• IW Bank
• Iside
• Lloyds
• National City
• Nationwide
• Natwest
• OSPM
• Openbank
• PayPal
• PosteItaliane
• Procredit
• Qui UBI
• RBS
• Rupay
• Sabadell Atlantico
• Santander
• Scrigno
• Secservizi
• Smile
• Suntrust
• TD Canada Trust
• US Bank
• Unicaja
• Uno-E
• Wachovia
• Washington Mutual
• Webmoney Keeper Light
• Wells Fargo
• Yandex
• Yorkshire

Drop Points

Stolen information is uploaded to the following websites:

• http://{BLOCKED}rt.com/zz/gate.php

Other Details

This spyware does the following:

• Adds the following registry entries to disable Internet Explorer:
  
• HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\PhishingFilter Enabled =0
• HKEY_CURRENT_USER\\Software\\Microsoft\\InternetExplorer\\PhishingFilter EnabledV8 =0
• Steals the following information:
• Personal Certificates (MY)
• FTP credentials for the following FTP applications:
• flashxp
• ghisler
• ipswitch
• filezilla
• ftpfar
• winscp
• ftpcommander
• coreftp
• smartftp
• Flashplayer data
• Internet session cookies

Variant Information

This spyware has the following MD5 hashes:

• f57801a602b3bc3dde5e80dc715741bb

It has the following SHA1 hashes:

• 7098a610f8efcead4d806bc5062ad114b703281b