TROJ_ZLOB.FZO

TROJ_ZLOB.FZO can retrieve stored user names and passwords. If successful, the information is send to a specific site, making the network vulnerable to remote attacks.

This Trojan changes the DNS settings of the affected system. As a result, connections from the affected system passes through the attacker's system and enables the attacker to control and monitor communications.

It also monitors Internet browsers to observe search engines. Search results are intercepted by the malware. After a timeout of 10 seconds, the malware changes the search results and redirects users to a random page.

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It uses Windows Task Scheduler to create a scheduled task that executes the dropped copy.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system:

• %Application Data%\{random}.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)

It uses Windows Task Scheduler to create a scheduled task that executes the dropped copy.

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Global\{random}

It injects codes into the following process(es):

• spoolsv.exe
• explorer.exe

Autostart Technique

The scheduled task executes the malware every:

• At User Login

Other System Modifications

This Trojan adds the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
UacDisableNotify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
EnableLUA = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\DomainProfile\AuthorizedApplications\
List
%System%\spoolsv.exe = "%System%\spoolsv.exe:*:Enabled:spoolsv.exe"

It modifies the following registry key(s)/entry(ies) as part of its installation routine:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
NameServer = "{BLOCKED}.162.160,{BLOCKED}.166.191 "

(Note: The default value data of the said registry entry is {user defined}.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
DhcpNameServer = "{BLOCKED}.162.160,{BLOCKED}.166.191 "

(Note: The default value data of the said registry entry is {user defined}.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters\
Interfaces\{CLSID}
DhcpNameServer = "{BLOCKED}.162.160,{BLOCKED}.166.191 "

(Note: The default value data of the said registry entry is {user defined}.)

Dropping Routine

This Trojan drops the following files:

• %System%\ernel32.dll - detected as TROJ_TDSS.SMET
• %System%\spool\prtprocs\w32x86\{random}.dll - detected as TROJ_TDSS.SMET

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Download Routine

This Trojan downloads an updated copy of itself from the following website(s):

• http://{BLOCKED}lume.com/kx.php

NOTES:

It terminates the processes related to the following:

• WinDefend
• DisableAntiSpyware
• Windows Defender

It uses Simple Object Access Protocol (SOAP) to find the network routers and get the following information:

• manufacturer
• modelName
• modelNumber
• controlURL

It accesses the control URL of the router depending on the discovered UPnP device:

• http://{control URL}/index.asp
• http://{control URL}/dlink/hwiz.html
• http://{control URL}/home.asp
• http://{control URL}/wizard.htm
• http://{control URL}/login.asp

It uses brute force to access the routers using the following strings:

[Username]

• admin
• {blank}
• root
• Admin
• 1234

[Password]

• Password
• pass
• password
• root
• router
• admin
• administrator
• {blank}
• 0
• 0P3N
• 1234
• 12345
• 123456
• a
• a6a7wimax
• adslnadam
• adslroot
• airlive
• alice
• atlantis
• bewan
• cableroot
• cciadmin
• conexant
• ecom
• epicrouter
• friend
• hamlet
• hayesadsl
• highspeed
• hsparouter
• motorola
• mysweex
• password1
• sitecom46
• sky
• smcadmin
• stccpe_2007
• telekom
• telus
• telus177
• tmadmin
• trendchip
• ttnet
• utstar
• vodafone
• zoomadsl

It can also retrieve stored user names and passwords in by using the CredEnumerateA function and GID abe2869f-9b47-4cd9-a358-c22904dba7f7. If successful, the malware adds an open port and retrieve the external IP address of the router. The information is send to the following site, making the network is vulnerable to remote attacks:

• http://{BLOCKED}0.26/bsfd.php

In addition to opening a port in the router, it also changes the DNS settings of the affected system to the following:

• Preferred DNS Server: {BLOCKED}.243.170
• Alternate DNS Server: {BLOCKED}.255.255

As a result, connections from the affected system passes through the attacker's system and enables the attacker to control and monitor communications.

It also monitors Internet browsers to observe search engines. Search results are intercepted by the malware. After a timeout of 10 seconds, the malware changes the search results and redirect users to a random page. It monitors the following browsers:

• iexplore.exe
• firefox.exe
• safari.exe
• opera.exe

It monitors the following search engines:

• .google.
• search.yahoo.
• search.msn.
• search.live.
• altavista.com
• ask.com
• search.aol.
• saerch.aol.
• search.icq.
• alltheweb.com
• bing.com
• yandex.ru
• rambler.ru
• go.mail.ru
• sm.aport.ru

It monitors the following URL strings:

• .youtube.
• .wikipedia.
• .yahoo.
• rds.yahoo.
• overture.
• .yimg.com
• wikimedia.
• amazon.com
• hotmail.
• .msn.com
• .live.com
• microsoft.
• altavista.
• atdmt.com
• wzus1.ask.
• /i/i.gif?
• opselect.com
• aolcdn
• aolsearch
• .aol.
• revsci.net
• atwola.
• digitalcity.
• .icq.
• o.aolcdn.com
• alltheweb.
• bing.
• .yandex.
• tns-counter.
• .rambler.
• .rl0.ru
• .begun.
• list.ru
• .mail.ru
• z5x.net
• imgsmail.ru
• .aport.
• yadro.ru
• .ag.ru