TSPY_ZBOT.YUNCR
PWS:Win32/Zbot (Microsoft), Win32/Spy.Zbot.AAU trojan (ESET), Trojan.Zbot (Symantec)
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Spyware
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
438,272 bytes
EXE
19 Mar 2014
Arrival Details
This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This spyware drops the following files:
- %System%\drivers\{random}.sys
- %Application Data%\Microsoft\Address Book\{username}.wab
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)
Other System Modifications
This spyware adds the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{random}
It adds the following registry entries:
HKEY_CURRENT_USER
{random} = {random}
HKEY_CURRENT_USER\Software\Microsoft\
WAB\WAB4
OlkContactRefresh = "0"
HKEY_CURRENT_USER\Software\Microsoft\
WAB\WAB4
OlkFolderRefresh = "0"
HKEY_CURRENT_USER\Software\Microsoft\
WAB\WAB4\Wab File Name
@ = "%Application Data%\Microsoft\Address Book\{username.wab}"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
@ =
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%Windows%\explorer.exe = "%Windows%\explorer.exe:*:Enabled:Windows Explorer"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\GloballyOpenPorts\
List
3169:UDP = "3169:UDP:*:Enabled:UDP 3169"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\GloballyOpenPorts\
List
1711:TCP = "1711:TCP:*:Enabled:TCP 1711"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_{random}
NextInstance = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_{random}\
0000
Service = "{random}"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_{random}\
0000
Legacy = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_{random}\
0000
ConfigFlags = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_{random}\
0000
Class = "LegacyDriver"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_{random}\
0000
ClassGUID = "{GUID}"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_{random}\
0000
DeviceDesc = {malware name}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_{random}\
0000\Control
*NewlyCreated* = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_{random}\
0000\Control
ActiveService = "{random}"
Other Details
This spyware connects to the following URL(s) to check for an Internet connection:
- http://www.google.com
- http://www.bing.com
It connects to the following possibly malicious URL:
- http://{random generated URL}