TSPY_ZBOT.KHS

October 09, 2012
 Analysis by: Jasen Sumalapao
 ALIASES:

PWS:Win32/Zbot (Microsoft), Trojan-Spy.Win32.Zbot.ektc (Kaspersky), Trojan.Gen (Symantec), Generic PWS.y!1hz (NAI), Mal/NecursDrp-A (Sophos), Trojan.Win32.Generic!BT (Sunbelt), TR/Crypt.ZPACK.Gen8 (Antivir), Gen:Variant.Kazy.84423 (Bitdefender), W32/Zbot.EKTC!tr (Fortinet), Trojan-Spy.Win32.Zbot (Ikarus), Win32/Spy.Zbot.AAO trojan (NOD32), TrojanSpy.Zbot.ektc (VBA32)

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 REPORTED INFECTION:
 SYSTEM IMPACT RATING:
 INFORMATION EXPOSURE:

  • Threat Type: Spyware

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It creates folders where it drops its files.

It modifies the Internet Explorer Zone Settings.

  TECHNICAL DETAILS

File Size:

200,192 bytes

File Type:

EXE

Initial Samples Received Date:

14 Aug 2012

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This spyware drops the following component file(s):

  • %User Profile%\Application Data\{random folder 1}\{random filename}.exe - detected as TSPY_ZBOT.KHS
  • %User Profile%\Application Data\{random folder 2}\{random filename and extension}
  • %User Profile%\Application Data\{random folder 3}\{random filename and extension}

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

It creates the following folders:

  • %User Profile%\Application Data\{random folder 1}
  • %User Profile%\Application Data\{random folder 2}
  • %User Profile%\Application Data\{random folder 3}

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

Autostart Technique

This spyware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random characters} = %User Profile%\Application Data\{random folder 1}\{random filename}.exe

Other System Modifications

This spyware creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%WINDOWS%\explorer.exe = %WINDOWS%\explorer.exe:*:Enabled:Windows Explorer

Web Browser Home Page and Search Page Modification

This spyware modifies the Internet Explorer Zone Settings.

Download Routine

This spyware connects to the following URL(s) to download its component file(s):

  • {BLOCKED}elnikov31.{BLOCKED}2.ru