TSPY_ZBOT.US

This spyware also has rootkit capabilities, which enables it to hide its processes and files from the user.

Infection Points

This spyware arrives as a file downloaded from the following URLs:

• http://www.{BLOCKED}ad.info/ldrzif2.exe

Installation

This spyware then creates the following non-malicious file(s):

• %System%\wsnpoem\audio.dll - used to save the gathered information
• %System%\wsnpoem\video.dll - copy of the encrypted downloaded file

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

It injects itself into the following processes running in the affected system's memory:

• winlogon.exe
• svchost.exe

It creates the following folders with attributes set to System and Hidden to prevent users from discovering and removing its components:

• %System%\wsnpoem

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• __SYSTEM__91C38905__

Autostart Technique

This spyware modifies the following registry entry(ies) to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\ CurrentVersion\Winlogon
Userinit = %System%\Userinit.exe,%System%\ntos.exe,

(Note: The default value data of the said registry entry is "%System%\Userinit.exe,".)

Other System Modifications

This spyware also creates the following registry entry(ies) as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Network
UID = {computer name}_{random numbers}

Rootkit Capabilities

This spyware also has rootkit capabilities, which enables it to hide its processes and files from the user.

Information Theft

This spyware accesses the following site to download its configuration file:

• http://www.{BLOCKED}ad.info/cfgzif2.bin

Its configuration file contains the following information:

• URL to download an updated copy of itself
• URL to send stolen data
• list of targeted bank-related Web sites to monitor from which it steals information

Stolen Information

This spyware sends the gathered information via HTTP POST to the following URL:

• http://www.{BLOCKED}ad.info/z2/s.php

NOTES:

It checks for the presence of the following processes which, are related to Outpost Personal Firewall and ZoneLabs Firewall Client:

• outpost.exe
• zlclient.exe

It terminates if either of the said processes exist. This is to ensure that the spyware will run uninterrupted.

This configuration file also contains the following list of targeted bank-related Web sites to monitor from which it steals information:

• http://*myspace.com*
• *.ebay.com/*eBayISAPI.dll?*
• *//mail.yandex.ru/
• *//mail.yandex.ru/index.xml
• *//money.yandex.ru/
• *//money.yandex.ru/index.xml
• */my.ebay.com/*CurrentPage=MyeBayPersonalInfo*
• *banquepopulaire.fr/*
• *wellsfargo.com/*
• @*.bv-i.bancodevalencia.es/*
• @*banesnet.banesto.es
• @*caja-granada.es/cgi-bin/*
• @https://*.e-gold.com/*
• @https://*factor2*
• @https://*ingdirect.com.au/client/Login.aspx*
• @https://*westpac.com.au/esis/Login/SrvPage*
• @https://carnet.cajarioja.es/banca3/*
• @https://cuviewpoint.net/mvptartan/login.asp*
• @https://factor2b.inetbank.net.au/factor2da3/factor2login.jsp
• @https://intelvia.cajamurcia.es/cgi-bin/INclient_2043
• @https://lo2.lacaixa.es/*
• @https://mvp1.sccu.com.au/*/Login.asp
• @https://net.kutxa.net/jkn_opkn/*
• @https://netaccess2.qtcu.com.au/*/ntv45.asp?wci=entry
• @https://netbank.selectcu.com.au/*/login.asp*
• @https://netteller.resourcescu.com.au/*/ntv45.asp?WCI=entry
• @https://netteller.tsw.com.au/*/ntv45.asp?wci=entry
• @https://oi.cajamadrid.es/CajaMadrid/oi/pt_oi/Login/login
• @https://oie.cajamadridempresas.es/CajaMadrid/oie/pt_oie/Login/login_oie_1
• @https://www.ardil.bancogallego.es/servlet/*
• @https://www.caixanova.es/cgi-bin/INclient_*
• @https://www.caixatarragona.es/esp/sec_1/*
• @https://www.cajabadajoz.es/cgi-bin/INclient_6010
• @https://www.cajacanarias.es/cgi-bin/INclient_6065*
• @https://www.cajadeavila.es*
• @https://www.cajasur.es/cgi-bin/INclient_4024
• @https://www.cajavital.es/Appserver/*
• @https://www.ccm.es/cgi-bin/INclient_6105
• @https://www.clavenet.net/cgi-bin/*
• @https://www1.ibercajadirecto.com/ibercaja/asp/Login.asp
• @https://www2.bancopopular.es/Bpemotor
• @https://wwws.sanostra.es/cgi-bin/INclient_2051*
• http://*.osmp.ru/
• http://caixasabadell.net/banca2/tx0011/0011.jsp
• https://*bancaja.es/*
• https://*cajamar.es/BE/extern/htm/login.html*
• https://*citibank.ru/*Signon*
• https://*citibank.ru/RUGCB/JPS/portal/BusLocSwitch.*
• https://*ebgempresa.es/*
• https://*gruposantander.es/*
• https://*rbkmoney.ru/client/index.aspx*
• https://*westpac.com.au/wtwt/startpage*
• https://areasegura.banif.es/bog/bogbsn*
• https://banca.cajaen.es/Jaen/INclient.jsp
• https://bancaonline.openbank.es/servlet/PProxy?*
• https://banesnet.banesto.es/*/loginEmpresas.htm
• https://banking*.anz.com/*
• https://banking.*.de/cgi/ueberweisung.cgi/*
• https://brokerage.comdirect.de/servlet/*TAN*
• https://cardsonline-consumer.com/RBSG_Consumer/VerifyLogin.do
• https://carnet.cajarioja.es/banca3/tx0011/0011.jsp
• https://cipehb*.cdg.citibank.de/HomeBanking*?_D=WorkArea&*
• https://easyweb*.tdcanadatrust.com/servlet/*FinancialSummaryServlet*
• https://empresas.gruposantander.es/WebEmpresas/servlet/webempresas.servlets.*
• https://extranet.banesto.es/*/loginParticulares.htm
• https://extranet.banesto.es/npage/OtrosLogin/LoginIBanesto.htm
• https://finanzportal.fiducia.de/*?rzid=*&rzbk=*
• https://finanzportal.fiducia.de/ebanking*Action=*
• https://finanzportal.fiducia.de/ebbg2/portal?token=*
• https://hb.quiubi.it/newSSO/x11logon.htm
• https://home.cbonline.co.uk/login.html*
• https://home.ybonline.co.uk/login.html*
• https://home.ybonline.co.uk/ral/loginmgr/*
• https://home2ae.cd.citibank.ae/CappWebAppAE/producttwo/capp/action/signoncq.do
• https://ibank.barclays.co.uk/olb/x/LoginMember.do
• https://ibank.internationalbanking.barclays.com/logon/icebapplication*
• https://ibanking.banksa.com.au/InternetBanking/viewAccountPortfolio.do*
• https://ibanking.stgeorge.com.au/InternetBanking/viewAccountPortfolio.do*
• https://intelvia.cajamurcia.es/2043/entrada/01entradaencrip.htm
• https://internetbanking.aib.ie/hb1/roi/signon
• https://internetbanking.gad.de/*/portal?bankid=*
• https://internetbanking.gad.de/banking/*
• https://light.webmoney.ru/default.aspx
• https://lot-port.bcs.ru/names.nsf?#ogin*
• https://montevia.elmonte.es/cgi-bin/INclient_2098*
• https://net.kutxa.net/jkn_opkn/tmpl/es/loginkn.jsp*
• https://oi.cajamadrid.es/CajaMadrid/oi/pt_oi/Login/login
• https://oie.cajamadridempresas.es/CajaMadrid/oie/pt_oie/Login/login_oie_1
• https://olb2.nationet.com/MyAccounts/frame_MyAccounts_WP2.asp*
• https://olb2.nationet.com/signon/signon*
• https://online*.lloydstsb.co.uk/logon.ibc
• https://online-business.lloydstsb.co.uk/customer.ibc
• https://online-offshore.lloydstsb.com/customer.ibc
• https://online.wamu.com/Servicing/Servicing.aspx?targetPage=AccountSummary
• https://online.wellsfargo.com/das/cgi-bin/session.cgi*
• https://online.wellsfargo.com/login*
• https://online.wellsfargo.com/signon*
• https://onlinebanking#.wachovia.com/myAccounts.aspx?referrer=authService
• https://onlinebanking.nationalcity.com/OLB/secure/AccountList.aspx
• https://onlinebanking.norisbank.de/norisbank/*.do?method=*
• https://onlinebanking.norisbank.de/norisbank/login.do?method=login*
• https://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome
• https://pastornetparticulares.bancopastor.es/SrPd*
• https://privati.internetbanking.bancaintesa.it/sm/login/IN/box_login.jsp
• https://probanking.procreditbank.bg/main/main.asp*
• https://resources.chase.com/MyAccounts.aspx
• https://rupay.com/index.php
• https://scrigno.popso.it*
• https://web.da-us.citibank.com/*BS_Id=MemberHomepage*
• https://web.da-us.citibank.com/cgi-bin/citifi/portal/l/autherror.do*
• https://web.da-us.citibank.com/cgi-bin/citifi/portal/l/l.do
• https://web.secservizi.it/siteminderagent/forms/login.fcc
• https://welcome23.smile.co.uk/SmileWeb/start.do
• https://welcome27.co-operativebank.co.uk/CBIBSWeb/start.do
• https://www#.citizensbankonline.com/*/index-wait.jsp
• https://www#.usbank.com/internetBanking/LoginRouter
• https://www*.banking.first-direct.com/1/2/*
• https://www.53.com/servlet/efsonline/index.html*
• https://www.bancajaproximaempresas.com/ControlEmpresas*
• https://www.bancoherrero.com/es/*
• https://www.bbvanetoffice.com/local_bdno/login_bbvanetoffice.html
• https://www.bgnetplus.com/niloinet/login.jsp
• https://www.caixagirona.es/cgi-bin/INclient_2030*
• https://www.caixalaietana.es/cgi-bin/INclient_2042
• https://www.caixaontinyent.es/cgi-bin/INclient_2045
• https://www.caixatarragona.es/esp/sec_1/oficinacodigo.jsp
• https://www.caja-granada.es/cgi-bin/INclient_2031
• https://www.cajabadajoz.es/cgi-bin/INclient_6010*
• https://www.cajacanarias.es/cgi-bin/INclient_6065
• https://www.cajacirculo.es/ISMC/Circulo/acceso.jsp
• https://www.cajadeavila.es/cgi-bin/INclient_6094
• https://www.cajalaboral.com/home/acceso.asp
• https://www.cajasoldirecto.es/2106/*
• https://www.cajavital.es/Appserver/vitalnet*
• https://www.ccm.es/cgi-bin/INclient_6105
• https://www.citibank.de*
• https://www.clavenet.net/cgi-bin/INclient_7054
• https://www.dab-bank.com*
• https://www.dresdner-privat.de/servlet/*
• https://www.e-gold.com/acct/balance.asp*
• https://www.e-gold.com/acct/li.asp
• https://www.ebank.hsbc.co.uk/main/IBLogon.jsp
• https://www.fibancmediolanum.es/BasePage.aspx*
• https://www.gbw2.it/cbl/jspPages/form_login_AV.jsp*
• https://www.gruposantander.es/bog/sbi*?ptns=acceso*
• https://www.gruppocarige.it/grps/vbank/jsp/login.jsp
• https://www.halifax-online.co.uk/_mem_bin/*
• https://www.halifax-online.co.uk/_mem_bin/formslogin.asp*
• https://www.halifax-online.co.uk/MyAccounts/MyAccounts.aspx*
• https://www.hsbc.co.uk/1/2/*
• https://www.in-biz.it*
• https://www.isbank.com.tr/Internet/ControlLoader.aspx*
• https://www.iwbank.it/private/index_pub.jhtml*
• https://www.mybank.alliance-leicester.co.uk/login/*
• https://www.nwolb.com/Login.asp*
• https://www.nwolb.com/Login.aspx*
• https://www.paypal.com/*/webscr?cmd=_account
• https://www.paypal.com/*/webscr?cmd=_login-done*
• https://www.rbsdigital.com/Login.asp*
• https://www.sabadellatlantico.com/es/*
• https://www.suntrust.com/portal/server.pt*parentname=Login*
• https://www.unicaja.es/PortalServlet*
• https://www.uno-e.com/local_bdnt_unoe/Login_unoe2.html
• https://www.us.hsbc.com/*
• https://www.vr-networld-ebanking.de/ebanking*Action=*
• https://www.vr-networld-ebanking.de/index.php?RZKZ=*&RZBK=*
• https://www.wellsfargo.com/*
• https://www2.bancopopular.es/AppBPE/servlet/servin*
• https://www3.netbank.commbank.com.au/netbank/bankmain*

Note that the contents of the file, hence the list of Web sites to monitor, may change any time. Once users access any of the monitored sites, this spyware starts logging keystrokes.

This Spyware attempts to retrieve information from the following list of banking institutions:

• AIB
• Alliance & Leicester
• ANZ
• Banca Intesa
• Bancaja
• Banco Herrero
• Banco Pastor
• Banco Popular
• Banesto
• Banif
• Bank of America
• Banque Populaire
• Barclays
• BBVA
• BG Net Plus
• BrokerCreditService
• Caixa Girona
• Caixa Laietana
• Caixa Ontinyent
• Caixa Sabadell
• Caixa Tarragona
• Caja Badajoz
• Caja Canarias
• Caja Circulo
• Caja de Avila
• Caja de Jaen
• Caja Granada
• Caja Laboral
• Caja Madrid
• Caja Murcia
• Caja Vital
• Cajarioja
• Cajasol
• CCM
• Chase
• Citibank
• Citizens
• Clavenet
• Clydesdale
• Co-Operativebank
• Comdirect
• DAB
• Dresdner
• E-Gold
• Ebay
• Fibanc Mediolanum
• Fiducia
• Fifth Third
• First Direct
• GAD
• Gruppo Carige
• Halifax
• HSBC
• IS Bank
• IW Bank
• Kutxanet
• Lloyds
• National City
• Nationwide
• Natwest
• Openbank
• OSPM
• PayPal
• Procredit
• Qui UBI
• Raiffeisen
• RBS
• Rupay
• Sabadell Atlantico
• Santander
• Scrigno
• Secservizi
• Smile
• Suntrust
• TD Canada Trust
• Unicaja
• Uno-E
• US Bank
• Volksbanken Raiffeisenbanken
• Wachovia
• Washington Mutual
• Webmoney Keeper Light
• Wells Fargo
• Yandex
• Yorkshire

Note that the list may change anytime.