TSPY_ZBOT.BYY

It may be dropped by other malware.
It may be unknowingly downloaded by a user while visiting malicious websites.
It adds registry entries to enable its automatic execution at every system startup.
It attempts to steal information, such as user names and passwords, used when logging into certain banking or finance-related websites.
It attempts to steal sensitive online banking information, such as user names and passwords. This routine risks the exposure of the user's account information, which may then lead to the unauthorized use of the stolen data.
It creates folders where it drops its files.
It may be injected into processes running in memory.
It modifies the Internet Explorer Zone Settings.

Arrival Details

It may be dropped by other malware.

It may be unknowingly downloaded by a user while visiting malicious websites.

Autostart Technique

It adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
{GUID}={malware path and file name}

Drop Points

Stolen information is uploaded to the following websites:

• http://{BLOCKED}.215.101/sas/ttf.php

Infection Points

It may be downloaded from the following remote sites:

• http://{BLOCKED}9.13.206/uk2/kl/uk-kl.exe

Information Theft

It accesses the following site to download its configuration file:

• http://{BLOCKED}9.13.206/uk2/kl/ukdase.db

The downloaded file contains information where the malware can download an updated copy of itself, and where to send its stolen data.

It attempts to steal information from the following banks and/or other financial institutions:

• Alliance & Leicester

• Barclays

• Cahoot

• Capital One

• Citibank

• Clydesdale

• Co-Operativebank

• Ebay

• Facebook

• First Direct

• HSBC

• Halifax

• ING Direct

• Lloyds

• Microsoft

• Moneybookers

• Myspace

• Nationwide

• Natwest

• OSPM

• Odnoklassniki

• PayPal

• RBS

• Santander

• Smile

• Vkontakte

• Yorkshire

It monitors the Internet Explorer (IE) activities of the affected system, specifically the address bar or title bar. It recreates a legitimate Web site with a spoofed login page if a user visits banking sites with the following strings in the address bar or title bar:

• !*.microsoft.com/*

• !http://*myspace.com*

• https://www.gruposantander.es/*

• !http://*odnoklassniki.ru/*

• !http://vkontakte.ru/*

• @*/login.osmp.ru/*

• @*/atl.osmp.ru/*

• *login.yahoo.com*

• *login.live.com*

• http://www.facebook.com/index.ph*

• https://www.hsbc.co.uk/1/2/*

• https://www.hsbc.co.uk/1/2/personal/internet-banking/transfer*

• *.hsbc.co.uk/1/2/personal/internet-banking/payments*

• *.hsbc.co.uk/1/2/!ut/p/kcxml*QS_cmd_NewThirdPartyPaymentCommand*

• *.hsbc.co.uk/1/2/personal/internet-banking/payment*

• https://www.hsbc.co.uk/1/2/personal/internet-banking/transfer*

• *.hsbc.co.uk/1/2/personal/internet-banking/recent-transactio*

• *.hsbc.co.uk/1/2/personal/internet-banking/recent-transactio*

• https://www.hsbc.co.uk/1/2/!ut/p/kcxml/*

• *.hsbc.co.uk/1/2/*

• *.hsbc.co.uk/1/2/*idv.CustomerMigration

• https://www.hsbc.co.uk/1/2*

• *www.hsbc.co.uk/1/2/!ut/p/kcxml*

• *.hsbc.co.uk/1/2/personal*

• https://www.hsbc.co.uk/1/2/!ut/p/kcxml/*cmd_InitialThirdPartyPaymentCommand=*

• https://myonlineaccounts*.abbeynational.co.uk/CentralLogonWeb/MyPersonalHomepage*

• https://service.oneaccount.com/*/OSV2?event=login&pt=3

• https://www.365online.com/servlet/Dispatcher/login.htm

• https://www.365online.com/servlet/Dispatcher/login2.htm

• https://www.365online.com/servlet/Dispatcher/validate.htm

• *coventrybuildingsociety.co.uk*

• https://www.accessmycardonline.com/RBS_Consumer/*

• https://www.nochex.com/*

• */CapitalOne_Consumer/*

• https://www.bankcardservices.co.uk/NASApp/NetAccessXX/*

• https://my.if.com/_mem_bin/formslogin.asp*

• https://olb2.nationet.com/MyAccounts/*

• https://cardsonline-consumer.com/RBSG_Consumer/*

• https://online-offshore.lloydstsb.com/*

• https://onlinebanking.firsttrustbank.co.uk/*

• https://secure.ingdirect.co.uk/InitialINGDirect.html*

• https://database.acornmediauk.com/*

• https://uk.virginmoney.com/virgin/service/credit-card/*

• *npbs.co.uk*

• https://*ulsterbankanytimebanking.*/login.aspx*

• https://service.oneaccount.com/onlineV2/*viewPortal*

• https://secure.natweststockbrokers.co.uk/nws-secure2/*

• https://www.caterallenonline.co.uk/WebAccess.dll

• https://myonlineaccounts3.abbeynational.co.uk/GPCC_ENS/BtoChannelDriver.ssobto*

• https://www.edirectdebit.com/administration/client/logon.aspx

• *commissioncontrol.net*

• *tuxedomoney.com*

• https://www.cardonebanking.com/auth*

• https://*abbeynational.co.uk*

• http*://*alliance-leicester.co.uk*

• http*://*cbonline.co.uk*

• http*://*co-operativebank.co.uk*

• http*://*lloydstsb.co.uk*

• http*://*smile.co.uk*

• http*://*ybonline.co.uk*

• https://www.paypal.com/*/cgi-bin/webscr?cmd=_account*

• https://www.paypal.com/*/webscr?cmd=_login-done*

• https://www.paypal.com/*/cgi-bin/webscr?cmd=*_account*

• https://www.paypal.com/*/cgi-bin/webscr?cmd=_login-done*

• https://www.citibank.co.uk/*/signon/uname/HomePage*

• https://www.citibank.co.uk/*/portal/Index*

• */my.ebay.*/*CurrentPage=MyeBayPersonalInfo*

• */my.ebay.*/*

• *.ebay.*/*eBayISAPI.dll?*

• *.ebay.*/*eBayISAPI.dll?*

• *.ebay.*/*eBayISAPI.dll?*

• *.ebay.*/*eBayISAPI.dll?*

• *.ebay.*/*eBayISAPI.dll?*

• *.ebay.*/*eBayISAPI.dll?*

• *.ebay.*/*eBayISAPI.dll?*

• *.ebay.*/*eBayISAPI.dll?*

• *.ebay.*/*eBayISAPI.dll?*

• https://www.icicibank.co.uk/UKRET/BANKAWAY*

• *.partnerandaffinitycards.co.uk/servicing/Logon.aspx?*

• https://www.bankcardservices.co.uk/NASApp/NetAccessXX/AccountSnapshotScreen?acctID*

• https://your.egg.com/customer/yourmoney.aspx

• https://your.egg.com/customer/personaldetails/yourinformation.aspx

• https://www.capitaloneonline.co.uk/*

• https://*.banking.first-direct.com/1/2/balances*

• https://secure.ingdirect.co.uk/INGDirect.html?command=displayClientAccountSummary*

• https://olb2.nationet.com*

• https://www.moneybookers.com/app/my_account.pl

• https://www.365online.com/servlet/Dispatcher/*

• https://ibank.cahoot.com/*

• https://service.oneaccount.com/onlineV2/*

• https://my.if.com/PlanReviewAct/plan.asp*

• https://my.if.com/*

• https://www*.banking.first-direct.com/1/2/*

• https://www*.banking.first-direct.com/1/2/*

• https://www*.banking.first-direct.com/1/2/*

• https://*ibank.internationalbanking.barclays.com/*

• https://ibank.internationalbanking.barclays.com/logon*

• https://*ulsterbankanytimebanking.co.uk/*

• https://home.cbonline.co.uk/ralu/loginmgr/partialPassword.ctl*

• https://home.cbonline.co.uk/ralu/loginmgr/loginSetup.ctl*

• https://home.ybonline.co.uk/ralu/loginmgr/partialPassword.ctl*

• https://home.ybonline.co.uk/ralu/loginmgr/loginSetup.ctl*

• https://welcome27.co-operativebank.co.uk/CBIBSWeb/*

• https://welcome27.co-operativebank.co.uk/CBIBSWeb/passcode.do

• https://welcome23.smile.co.uk/SmileWeb/*

• https://welcome23.smile.co.uk/SmileWeb/passcode.do

• *mybank.alliance-leicester.co.uk*

• *mybank.alliance-leicester.co.uk/view_accounts/VA*

• *mybank.alliance-leicester.co.uk/move_money/*MM*.asp*

• *mybank.alliance-leicester.co.uk/your_payees/YP1point1a.asp*

• https://online-business.lloydstsb.co.uk/customer.ibc*

• https://online-business.lloydstsb.co.uk/logon.ibc

• https://online-business.lloydstsb.co.uk/miheld.ibc

• https://www.mybusinessbank.co.uk/cs70_banking/*

• https://www.mybusinessbank.co.uk/cs70_banking/logon/logon/pmPassword

• https://www.mybusinessbank.co.uk/cs70_banking/logon*

• https://www.mybusinessbank.co.uk/cs70_banking/logon/sbuser/getPassword

• https://www.mybusinessbank.co.uk/cs70_banking/logon/logon/enrollPassword

• https://www.mybusinessbank.co.uk/cs70_banking/logon/logon/password

• https://www.mybusinessbank.co.uk/cs70_banking/logon/challenge/submit

• https://www.barclayswealth.com/login/action/logon/unauthenticated/personal/loginDetailsNotStored

• https://www.barclayswealth.com/login/action/logon/unauthenticated/personal/loginSigning

• https://www.bankline.coutts.com/CWSLogon/4P/CheckId.do

• https://www.bankline.coutts.com/CWSLogon/4P/CheckPPPP.do

• https://www.bankline.coutts.com/CWSLogon/*

• https://welcome10.co-operativebankonline.co.uk/*security?*

• https://ibank.cahoot.*/servlet/com.aquarius.security.authentication.servlet.LogonServlet*

• https://cardservicing.tescofinance.com/RBSG_Consumer/UserLogin.do*

• https://cardservicing.tescofinance.com/RBSG_Consumer/VerifyLogin.do*

• https://online.islamic-bank.com/online/aspscripts/secret*.asp*

• https://online.ybs.co.uk/public/authentication/login2.do*

• https://home.ybonline.co.uk/ralu/loginmgr/partialPassword.ctl

• https://home.ybonline.co.uk/ralu/loginmgr/loginQuestion.ctl

• https://home.cbonline.co.uk/ralu/loginmgr/partialPassword.ctl

• https://home.cbonline.co.uk/ralu/loginmgr/loginQuestion.ctl

• https://www.business.hsbc.co.uk/1/2/online-services/accounts/account-list*

• https://www.business.hsbc.co.uk/1/2/!ut/p/kcxml/04_Sj9SPykssy*

• http://www.business.hsbc.co.uk/1/2/bib/personal

• https://www.business.hsbc.co.uk/1/2/*dv_cmd=idv.Authenticat*

• https://ibank.barclays.co.uk/*

• https://ibank.barclays.co.uk/olb/*/Statement*

• https://ibank.barclays.co.uk/olb/*/PersonalFinancialSummary.do?action=*

• https://ibank.barclays.co.uk/olb/*/LoginTFA.do

• https://ibank.barclays.co.uk/olb/*/SelectPaymentAccount.do?action=New+Payment||Pay+Someone

• https://ibank.barclays.co.uk/olb/*/SelectPaymentAccount.do

• https://ibank.barclays.co.uk/olb/*/NewPayee.do

• https://ibank.barclays.co.uk/olb/*/PayBill2.do

• https://ibank.barclays.co.uk/olb/*/PayBill3.do

• https://ibank.barclays.co.uk/olb/*/PayBill3a.do

• https://ibank.barclays.co.uk/olb/*/NewPaymentSuccess.do

• *.banking.firstdirect.com*idv_cmd=idv.Authentication

• *.banking.firstdirect.com/1/2/!ut/p/kcxml/04_Sj9SPykssy*

• *.banking.firstdirect.com/1/2/!ut/p/kcxml/*

• *rbsdigital.com/login.aspx*

• *rbsdigital.com/AccountSummary.aspx

• *nwolb.com/login.aspx*

• *nwolb.com/AccountSummary.aspx

• https://welcome27.co-operativebank.co.uk/CBIBSWeb/loginSpi.do

• https://welcome27.co-operativebank.co.uk/CBIBSWeb/loginSpi.do

• https://welcome27.co-operativebank.co.uk/CBIBSWeb/fundsTransferSummaryPrepare.do*

• https://welcome27.co-operativebank.co.uk/CBIBSWeb/fundsTransferCreatePrepare.do*

• https://welcome27.co-operativebank.co.uk/CBIBSWeb/passcode.do

• https://www.bankline.rbs.com/CWSLogon/logon.do*

• https://www.bankline.rbs.com/CWSLogon/4P/CheckId.do*

• https://www.bankofscotlandhalifax-online.co.uk/CustomerAuthentication/*

• https://*.bankofscotlandhalifax-online.co.uk/*

• https://www.halifax-online.co.uk/CustomerAuthentication/*

• https://*.halifax-online.co.uk/*

• https://secure.lloydstsb.co.uk/personal/*

• https://online.lloydstsb.co.uk/logon.ibc

• https://secure.lloydstsb.co.uk/personal/*/logon/*ntermemorableinformation.jsp

• https://secure.lloydstsb.co.uk/personal/a/account_details/*

• https://secure.lloydstsb.co.uk/personal/a/viewproductdetails/ViewProductDetails.jsp?pnlTabpane=2&al=

• https://online-business.lloydstsb.co.uk/standingorder.ibc*

• https://online-business.lloydstsb.co.uk/actionaccount.ibc*SelectAction=standingorder.ibc

It attempts to steal sensitive online banking information, such as user names and passwords. This routine risks the exposure of the user's account information, which may then lead to the unauthorized use of the stolen data.

Installation

It drops the following files:

• %Application Data%\{random1}\{random}.exe - copy of itself

• %Application Data%\{random2}\{random}.{3 random alpha character extension name} - encrypted file

It may be injected into processes running in memory.

It is injected into the following processes running in memory:

• ctfmon.exe

• dwm.exe

• explorer.exe

• rdpclip.exe

• taskeng.exe

• taskhost.exe

• wscntfy.exe

Other System Modifications

It adds the following registry entries as part of its installation routine:

HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerPrivacy
CleanCookies=0

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyStandardProfileAuthorizedApplicationsList
%Windows%EXPLORER.EXE=%Windows%EXPLORER.EXE:*:Enabled:Windows Explorer

Variant Information

It has the following MD5 hashes:

• 680063f9a7b3c8dd8440ec0a6dc316af

It has the following SHA1 hashes:

• afb58dc7dd6445026a648257616195374a9c44ab

Web Browser Home Page and Search Page Modification

It modifies the Internet Explorer Zone Settings.