TSPY_KROWS.A
Mal/EncPk-AEH (Sophos), W32/Zbot.RO!tr (Fortinet), W32/Worm.BLJZ (exact) (FProt), Trojan-Spy.Win32.Zbot (Ikarus), PWS:Win32/Zbot.gen!Y (Microsoft), Win32/Spy.Zbot.YW trojan (NOD32), Trojan.Gen (Norton), Trojan.Win32.Generic!BT (Sunbelt), Trojan.Agent.AWKG (Bitdefender)
Windows 2000, Windows XP,Windows Server 2003
Threat Type: Spyware
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This spyware arrives as a file that exports the functions of other malware/grayware. It may arrive bundled with malware packages as a malware component. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
Arrival Details
This spyware arrives as a file that exports the functions of other malware/grayware.
It may arrive bundled with malware packages as a malware component.
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Other System Modifications
This spyware deletes the following files:
- %System%\localsp1.dll
- %System%\msxml4r.dll
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
It modifies the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\Lsa
forceguest = "0"
(Note: The default value data of the said registry entry is 1.)
Other Details
This spyware opens the following files:
- %System%\msxml0r.ini
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
NOTES:
It copies %System%\cmd.exe and renames it to %System%\mmc32.exe. It then uses the copy to execute commands such as adding registries, setting the firewall, etc.