TSPY_ZBOT.KXV

This spyware arrives as an attachment to email messages spammed by other malware/grayware or malicious users. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes then deletes itself afterward. It is injected into all running processes to remain memory resident.

It does not have any propagation routine.

It opens random ports.

It modifies the Internet Explorer Zone Settings.

It accesses websites to download files. This action allows this malware to possibly add other malware on the affected computer. It executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

It attempts to steal sensitive online banking information, such as user names and passwords. This routine risks the exposure of the user's account information, which may then lead to the unauthorized use of the stolen data.

However, as of this writing, the said sites are inaccessible.

Arrival Details

This spyware arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This spyware drops the following copies of itself into the affected system:

• %User Profile%\Application Data\{random folder name 1}\{random file name}.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It drops the following files:

• %User Profile%\Application Data\{random folder name 2}\{random file name 2}.{3 random alphabetic character extension name} - encrypted data

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It creates the following folders:

• %User Temp%\tmp{random}
• %User Profile%\Application Data\{random folder name 1}
• %User Profile%\Application Data\{random folder name 2}

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It executes then deletes itself afterward.

It is injected into all running processes to remain memory resident.

Autostart Technique

This spyware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{GUID} = "%User Profile%\Application Data\{random folder name 1}\{random file name}.exe"

Other System Modifications

This spyware adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Privacy
CleanCookies = "0"

It adds the following registry keys as part of its installation routine:

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Privacy

HKEY_CURRENT_USER\Software\Microsoft\
{random}

It creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%Windows%\EXPLORER.EXE = "%Windows%\EXPLORER.EXE:*:Enabled:Windows Explorer"

Propagation

This spyware does not have any propagation routine.

Backdoor Routine

This spyware opens a random port to allow a remote user to connect to the affected system. Once a successful connection is established, the remote user executes commands on the affected system.

Process Termination

This spyware terminates the following services if found on the affected system:

• wuauserv - Windows Update AutoUpdate Service
• wscsvc - Windows Security Center Service

Web Browser Home Page and Search Page Modification

This spyware modifies the Internet Explorer Zone Settings.

Download Routine

This spyware accesses websites to download the following files:

• http://{BLOCKED}k.nl/foto/{2 random letters}.exe

It saves the files it downloads using the following names:

• %User Temp%\tmp{random}\{2 random letter}.exe -detected as TROJ_INJECTR.KD

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

Information Theft

This spyware attempts to steal sensitive online banking information, such as user names and passwords. This routine risks the exposure of the user's account information, which may then lead to the unauthorized use of the stolen data.

It accesses the following site to download its configuration file:

• http://{BLOCKED}ion.ru/square.php

Other Details

However, as of this writing, the said sites are inaccessible.

NOTES:

It does not have rootkit capabilities.

It does not exploit any vulnerability.