TSPY_ZBOT.POG
Aliases: W32/Zbot.EQPB!tr (Fortinet), PWS:Win32/Zbot (Microsoft), a variant of Win32/Kryptik.ALRH trojan (NOD32)
Platform: Windows 2000, Windows XP, Windows Server 2003
Threat Type: Spyware
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
This file contains a URL to which it may connect in order to download other files.
TECHNICAL DETAILS
File size: Varies
File type: EXE
Initial samples received: 16 Sep 2012
Arrival Details
This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This spyware drops the following files:
- %Application Data%\{random letters 1}\{random letters}.exe - copy of itself
- %Application Data%\{random letters 2}\{random letters}.{random letters} - encrypted file
- %Application Data%\Microsoft\Address Book\test.wab~
- %Application Data%\Microsoft\Address Book\test.wab
- %User Temp%\TMP{random}.bat
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)
It creates the following folders:
- %Application Data%\{random letters 1}
- %Application Data%\{random letters 2}
- %Application Data%\{random letters 3}
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)
Autostart Technique
This spyware adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random letters} = "%Application Data%\{random letters 1}\{random letters}.exe"
Other System Modifications
This spyware adds the following registry entries as part of its installation routine:
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Privacy
"CleanCookies" = "0"
HKEY_CURRENT_USER\Software\Microsoft\
{random}
{random} =
HKEY_CURRENT_USER\Software\Microsoft\
WAB\WAB4\Wab File Name
(Default) = "%Application Data%\Microsoft\Address Book\test.wab"
HKEY_CURRENT_USER\Software\Microsoft\
WAB\WAB4
"OlkContactRefresh" = "0"
HKEY_CURRENT_USER\Software\Microsoft\
WAB\WAB4
"OlkFolderRefresh" = "0"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts
"ConnectionSettingsMigrated" = "1"
It modifies the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\0
"1609" = "0"
(Note: The default value data of the said registry entry is "1".)
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\1
"1609" = "0"
(Note: The default value data of the said registry entry is "1".)
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\2
"1609" = "0"
(Note: The default value data of the said registry entry is "1".)
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\3
"1609" = "0"
(Note: The default value data of the said registry entry is "1".)
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\4
"1609" = "0"
(Note: The default value data of the said registry entry is "1".)
HKEY_CURRENT_USER\Identities
"Identity Ordinal" = "2"
(Note: The default value data of the said registry entry is "1".)
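As an added triage example (not code from the advisory or from Trend Micro), the script below checks an exported HKCU hive for the autostart entry from the Autostart Technique section and for the Zones "1609" and "CleanCookies" modifications listed above. The .reg text, the user name and the random folder and file names in the sample are constructed.

```python
import re

# Indicators from the advisory: a Run value pointing at %Application Data%\{random}\{random}.exe,
# "1609" (display mixed content) forced to 0 in IE zones 0-4, and CleanCookies set to "0".
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
ZONES_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
PRIVACY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy"
DROPPED_EXE = re.compile(r"\\Application Data\\[A-Za-z]+\\[A-Za-z]+\.exe$", re.I)

# Constructed sample of a 'reg export HKCU\Software ...' dump; names and paths are made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Qwpelx"="C:\\Documents and Settings\\user\\Local Settings\\Application Data\\Ahkuq\\pifyt.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1609"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy]
"CleanCookies"="0"
"""

def parse_reg_export(text):
    """Parse a .reg dump into {key: {value_name: data}} (REG_SZ and REG_DWORD values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and '"=' in line:
            name, data = line[1:].split('"=', 1)
            if data.startswith("dword:"):
                data = int(data[len("dword:"):], 16)
            else:  # REG_SZ: strip the quotes and undo the doubled backslashes
                data = data.strip('"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys

def find_indicators(reg):
    """Return (check, name, data) tuples for entries that match the advisory."""
    findings = []
    for name, path in reg.get(RUN_KEY, {}).items():
        if isinstance(path, str) and DROPPED_EXE.search(path):
            findings.append(("run_entry", name, path))
    for zone in range(5):  # the advisory lists Zones\0 through Zones\4
        if reg.get(f"{ZONES_KEY}\\{zone}", {}).get("1609") == 0:
            findings.append(("zone_1609", str(zone), 0))
    if reg.get(PRIVACY_KEY, {}).get("CleanCookies") == "0":
        findings.append(("clean_cookies", "CleanCookies", "0"))
    return findings
```

A Run value under a random-letter folder in %Application Data% is a strong hint on its own; the zone and cookie settings corroborate it but are also changed by some legitimate software, so treat them as supporting evidence.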
Other Details
This file contains a URL to which it may connect in order to download other files. As of this writing, this file contains the following URLs:
- {BLOCKED}0.{BLOCKED}9.55.1