TSPY_ZBOT.ABTE
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Spyware
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It deletes the initially executed copy of itself.
TECHNICAL DETAILS
Arrival Details
This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This spyware drops the following copies of itself into the affected system:
- %Application Data%\{random folder name}\{random file name1}.exe
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)
It creates the following folders:
- %Application Data%\{random folder name}
- %Application Data%\Microsoft\Address Book
It adds the following mutexes to ensure that only one of its copies runs at any one time:
- Global\{GUID}
It stays memory-resident by creating remote threads in the following process:
- %Windows%\explorer.exe
(Note: %Windows% is the Windows folder, which is usually C:\Windows.)
Autostart Technique
This spyware adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
{GUID} = "%Application Data%\{random folder name}\{random file name1}.exe"
Other System Modifications
This spyware adds the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\WAB
HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4
HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name
HKEY_CURRENT_USER\Software\Microsoft\{random}
It adds the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4
OlkContactRefresh = "0"
HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4
OlkFolderRefresh = "0"
HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name
(Default) = "%Application Data%\Microsoft\Address Book\{user name}.wab"
It creates the following registry entries to bypass Windows Firewall:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
%Windows%\explorer.exe = "%Windows%\explorer.exe:*:Enabled:Windows Explorer"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
{port1}:UDP = "{port1}:UDP:*:Enabled:UDP {port1}"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
{port2}:TCP = "{port2}:TCP:*:Enabled:TCP {port2}"
Dropping Routine
This spyware drops the following files:
- %Application Data%\Microsoft\Address Book\{user name}.wab
- %User Temp%\tmp{random}.bat - Used to delete its initially executed copy
- %Application Data%\{random file name2}.{random}
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)
Information Theft
This spyware's configuration file contains the following information:
- https://online.rbb.bg/page/default.aspx
- https://online.savingsloans.com.au/DAIB/Logon/CU5023/Logon.asp
- https://online.thinkmoney.co.uk/account/security/logon/logon.aspx
- https://online.unicreditcorporate.it/ibx/web/menu/menutop/index.jsp
- https://online.unicreditcorporate.it/nb/it/home_i.faces
- https://online.unicreditcorporate.it/nb/it/welcome.jsp
- https://online.washingtonfederal.com/login_business.aspengine/login/businessLogins.asp?
- https://online.wellsfargo.com/das/
- https://online.wellsfargo.com/das/cgi-bin/session.cgi
- https://online.ybs.co.uk/public/authentication/login1.do
- https://onlinebanking.nationwide.co.uk/AccessManagement/Login
- https://onlinebanking.psd-bank.de/entry
- https://onlinebanking.wachovia.com/myAccounts.aspx
- https://onlinebusiness.lloydsbank.co.uk/business/logon/login.jsp
- https://onlinebusinessplus.vancity.com/business/default.jsp\x1dservlet/Logon?;
- https://particuliers.securelcl.fr/outil/UAUT
- https://particuliers.societegenerale.fr
- https://paschiinazienda.mps.it/PaschiHome/LOGIN2.0/RTLOGIN/ASPX/RTLoginCB01.aspx
- https://payments.corporate.lloydsbank.com/lloydsbank_corporate_poli_webui/lloydsbank.aspx?target=PaymentHome
- https://pc-easynet.policecredit.com.au/easyaccess/Login.asp
- https://pc-easynet.policecredit.com.au/easyaccess/Welcome.asp
- https://permonline.newcastlepermanent.com.au/IB/NPBSBusiness
- https://permonline.newcastlepermanent.com.au/IB/NPBSPersonal
- https://personal.co-operativebank.co.uk
- https://personal.co-operativebank.co.uk/CBIBSWeb/
- https://personal.macquarie.com.au/transact
- https://personal/a/account_overview_personal
- https://personal/a/eiaauthentication/phoneauthenticationinprogress
- https://personal/a/eiaauthentication/phoneauthfailure
- https://personal/a/eiaauthentication/phoneauthfailureinvalidcode
- https://personal/a/make_payment
- https://personal/a/makepayment/makepaymentconfirmation
- https://personal/a/makepayment/makepaymentsuccessful
- https://personal/a/set_up_new_payee
- https://pnb.electracard.com/pnb/jsp/
- https://portal.raiffeisen.at/group/club
- https://portal.raiffeisen.at/group/private
- https://portal.raiffeisenControllerVerfuegbarerBetrag.js
- https://portal.raiffeisencore-packed.js
- https://private.bankofsingapore.com/IPBWBWeb/Login/.aspx?
- https://professionalson-line.bankofscotlandbusiness.co.uk/_mem_bin/formslogin.asp
- https://professionnels.societegenerale.fr
- https://ptlweb/WebPortal
- https://qweb.quercia.com//Autorizzazioni/Distinte/isualizza.aspx
- https://qweb.quercia.com//Autorizzazioni/Ricerche/isualizza.aspx
- https://qweb.quercia.com//Home/Introduzione/Visualizza.aspx
- https://qweb.quercia.com//Informazioni/Movimenti/isualizza.aspx
- https://qweb.quercia.com//Informazioni/SaldiBanca/isualizza.aspx
- https://qweb.quercia.com//Informazioni/SaldiConto/isualizza.aspx
- https://qweb.quercia.com//Menu.htm
- https://railnet.railcu.org.au/rail/
- https://rakbankonline.ae/corp/BANKAWAY;?
- https://regiobank.nl/internetbankieren/homepage/secure/homepage/homepage.html
- https://regiobank.nl/internetbankieren/secure/login.html
- https://regiobank.nl/internetbankieren/secure/login.htmlaction_prepareStepTwo=Inloggen
- https://regiobank.nl/internetbankieren/secure/logout/logoutConfirm.html
- https://retail.santander.co.ukScripts/behaviour.js
- https://retail.santander.co.ukssobto
- https://retailcorporate.metrobankonline.co.uk
- https://robraiffeisenit/nibank/
- https://royalbank.com/wps/myportal
- https://s2b.standardchartered.com/ssoapp/login.jspcore.security.login.event
- https://sambabankmc.cardinalcommerce.com/
- https://sambabankvisa.cardinalcommerce.com/
- https://santanderpbmc.cardinalcommerce.com/
- https://santanderpbvisa.cardinalcommerce.com/
- https://savcreditmc.cardinalcommerce.com/
- https://savcreditvisa.cardinalcommerce.com/
- https://scotiaonline.scotiabank.com/online/views
- https://secure-banking.com//PassmarkSignIn.faces
- https://secure-code.mlp.de/acspage/cap?RID=
- https://secure.accu.com.au/secureaccu2/
- https://secure.ampbanking.com/au/Logon
- https://secure.arcot.com/acspage/cap?RID=
- https://secure.axisbank.com/ACSWeb/EnrollWeb/AxisBank/server/AccessControlServer
- https://secure.bankofamerica.com/myaccounts/
- https://secure.barclaycard.co.uk/barclays/tdsecure/pa.jspbarclaycard.visa
- https://secure.brannenbanks.com/BrannenBank/PassmarkSignIn.faces
- https://secure.businesswaybnl.it/newcorporate/online/listamoviment/search
- https://secure.businesswaybnl.it/newcorporate/online/listamovimenti/list
- https://secure.businesswaybnl.it/newcorporate/webcontoc/elencodistinte/.continue
- https://secure.businesswaybnl.it/newcorporate/webcontoc/elencomovimenti/.continue
- https://secure.businesswaybnl.it/newcorporate/webcontoc/elencomovimenti/start
- https://secure.businesswaybnl.it/newcorporate/webcontoc/elencosaldi
- https://secure.businesswaybnl.it/newcorporate/webcontoc/login/login
- https://secure.fundsxpress.com/piles/fxweb.pile/fxsecond_authcustom_login?
- https://secure.handelsbanken.se/bb/glss/servlet/ssco_auth2
- https://secure.ingdirect.ca/INGDirect.html
- https://secure.membersaccounts.com/SELFSERVICE/Login.aspx
- https://secure.mystate.com.au/secure
- https://secure.rabobank.com/Gateway/offlineloginpage.html?
- https://secure1.businesswaybnl.it/newcorporate/online/balance/list
- https://secure1.businesswaybnl.it/newcorporate/online/italiantransfer/list
- https://secure5.arcot.com/acspage/
- https://securebank.cahoot.com/servlet/com.aquariussecurity.bks.security.authentication.servlet.LoginEntryServletBKS
- https://securebusiness.lloydsbank.co.uk/business/a/
- https://securebusinesswaybnl.it/newcorporate/webcontoc/menu/
- https://securecode.abnamro.nl/acspage/cap?RID=
- https://securecode.ing.nl/acspage/cap?RID=
- https://securentrycorp./authentication/zbf/
- https://securentrycorp.metricsanalytics
- https://secureonline.idbibank.com/ACSWeb/EnrollWeb/IDBIBank/auth/SCode.jsp
- https://secureonline.idbibank.com/ACSWeb/EnrollWeb/IDBIBank/auth/VBV.jsp
- https://secureonline.idbibank.com/ACSWeb/EnrollWeb/IDBIBank/server/AccessControlServer
- https://server.cey-ebanking.com/CLKCCM//OOBA/OOBALogin.asp?
- https://server.cey-ebanking.com/CLKCCM//passmark/.asp?
- https://sibacs.electrapay.com/SouthIndianBank/jsp/
- https://signin.ebay.com/ws/eBayISAPI.dll?SignIn
- https://singapore.lbbw-business.com/LBBWCorpWeb/login/.action?
- https://singlepoint.usbank.com/cs70_banking/logon/sbuser
- https://smallbusinessonline.bbt.com/auth/kba_cs_reg_conf.tb
- https://smallbusinessonline.bbt.com/auth/pwd.tb
- https://smallbusinessonline.bbt.com/bbtobs/bbtolbext/suppress/statements
- https://smallbusinessonline.bbt.com/bbtobs/bbtolbweb/main/oview/home
- https://sme.standardchartered.com/commonapp/core.security.vascochallenge.event
- https://snsbank.nl/mijnsns/bankieren/secure/betalen/overschrijvenbinnenland.html
- https://snsbank.nl/mijnsns/bankieren/secure/verzendlijst/verzendlijst.html
- https://snsbank.nl/mijnsns/homepage/secure/homepage/homepage.html
- https://snsbank.nl/mijnsns/secure/login.html
- https://snsbank.nl/mijnsns/secure/login.htmlaction_prepareStepTwo=Inloggen
- https://snsbank.nl/mijnsns/secure/logout/logoutConfirm.html
- https://sparda.wlp-acs.com/flowGlobal.wflow
- https://sparkasse.it/hb/authentication/login-PIN_UTENTE
- https://sparkasse.ithome.seam
- https://ssl2.haspa.de/OnlineFiliale/banking/authenticate/login
- https://ssl2.haspa.de/OnlineFiliale/banking/services
- https://sslsecure.maybank.com.sg/cgi-bin/mbs/scripts/mbb_login.jsp?
- https://sso.unionbank.com/obc/forms/password.fccunp/SSOLoginServlet
- https://stanbicibtcbankweb.cardinalcommerce.com/transaction/
- https://statestreet.com
- https://tdcanadatrust.com
- https://tdetreasury.tdbank.com/s1gcb/logon/sbuser
- https://thinkmoney.cardinalcommerce.com/
- https://titolari.cartasi.it/portaleTitolari/pt/new3/login_old
- https://titolari.cartasi.it/portaleTitolari/titolari
- https://transtasman.online.anz.com/client/logon.do?
- https://transtasmanadmin.online.anz.com/saam/SAAMLogin/OTPPINH.fcc
- https://treas-mgt.frostbank.com/rdp/cgi-bin/.cgi
- https://trz.tranzact.org/credential.aspxOTP.asp?
- https://tsb.co.uk/personal
- https://tsys.arcot.com/acspage/cap?RID=
- https://ubagroup.cardinalcommerce.com/transaction/
- https://ubi.cbibanking.it/eb/accessologindo
- https://ubi.electracard.com/ubi/jsp/
- https://unigeb.unicreditcorporate.it/ga-gif-war/pages/U3/cashManagementSimpleSearch.x
- https://unigeb.unicreditcorporate.it/ga-gif-war/pages/U3/cashManagementSimpleSearch.xhtml?rvn=1
- https://unigeb.unicreditcorporate.it/ga-gif-war/pages/U3/monitorOnlineDetailedOverview.xhtml
- https://unigeb.unicreditcorporate.it/ga-gif-war/views/products/commons/onlineList.xhtml
- https://unigeb.unicreditcorporate.it/ga-gif-war/views/products/online/checking/availableBalance.xhtml
- https://unigeb.unicreditcorporate.it/ga-gif-war/views/products/online/checking/checkingHistory.xhtml
- https://uniservices.uobgroup.com/ELO/login.jspwpe/ca/login.dowpe/ca/loginForm.jsp;?
- https://us.etrade.com/e/t/accounts/accountsombo
- https://usgateway.rbs.com/wps/portal/cb/applicationsMoneyManagerGps
- https://valido.credem.it/ValidoFrontend/loginShort.xhtml
- https://vip.btcchina.com/bbs/index.php
- https://voscomptesenligne.labanquepostale.fr/voscomptes/canalXHTML/comptesCommun/synthese_assurancesEtComptes/afficheSynthese
- https://voscomptesenligne.labanquepostale.fr/wsost/OstBrokerWeb/loginform
- https://vpn.sjp.co.uk/vpn/vpnloginpage.html
- https://vpn.tarumanagara.com/+CSCOE+/logon.html
- https://w.businessbanking.cibc.com/logon.jsp?;
- https://web.ib.mizuhobank.co.jp//ScrCheck.js
- https://web.ib.mizuhobank.co.jp/servlet/mib?xtr=Emf
- https://webbanker.cua.com.au/webbanker/
- https://webbanker.cua.com.au/webbanker/CUA?xid=
- https://webbanker.cua.com.auwebbanker/
- https://webcbiplus.bpergroup.net/webcontoc
- https://webcbiplus.bpergroup.net/webcontoc/ccsaldi
- https://webcbiplus.bpergroup.net/webcontoc/elencodistint
- https://webcbiplus.bpergroup.net/webcontoc/esitobonificistipendi
- https://webcbiplus.bpergroup.net/webcontoc/html//ITA/homePage
- https://webcbiplus.bpergroup.net/webcontoc/menumaster
- https://webcbiplus.bpergroup.net/webcontoc/movimenticcbanc
- https://webcbiplus.bpergroup.net/webcontoc/MovimentiPeriodoOnline
- https://webcbiplus.bpergroup.net/webcontoc/saldihomepage
- https://webcbiplus.bpergroup.net/webcontoc/summaryhomepag
- https://webcbiplus.bpergroup.net/webcontoc/top
- https://webcmpr.bancopopular.com/K1/
- https://wired.businessmanager.com/signon/signon.do?
- https://wirexchange.goxroads.com/wx/login\x1cwp_login_user.cfm?
- https://ws.kasikornbank.com/baliweb//site/defaultskin//html/static/logon.htm
- https://WsAccountsList
- https://www.3dsecure.icicibank.com/ACSWeb/EnrollWeb/ICICIBank/server/AccessControlServer
- https://www.53.com/servlet/efsonline/index.html
- https://www.53.com/site
- https://www.abbeyinternational.com/Login.aspx?
- https://www.accountcentralonline.com/cmuser/myacct/
- https://www.alahliecorp.com/AlahlieCorp//web/CorporateSignOn.aspx?
- https://www.alahlionline.com/AOLRetail//web/RetailSignOnAr/web/RetailSignOnUser/LoginDoubleAuthentication.aspx?
- https://www.alexlinkbank.com/eBanking//web/L/corporate/aspx/user/CorporateSignOn.aspx
- https://www.alinmaonline.com/cb/servlet/cb/jsp-ns/login.jsp?
- https://www.alinmaonline.com/efs/servlet/efs/jsp-ns/login.jsp?
- https://www.almubasher.com.sa/NewECorporate/p/login/.do?
- https://www.almubasher.com.sa/retail/LogonRetail.jsp?
- https://www.amazon.co.uk/gp/css/homepage.html
- https://www.anz.com/inetbank/login.asp?
- https://www.anzdirect.co.nz/online/.do?
- https://www.arabi-online.net/efs/servlet/efs/jsp-ns/login.jsp?
- https://www.asbolb.com/servlet/ASB.ASBServlet
- https://www.bancagenerali.it/
- https://www.bancagenerali.it/fec/cc/bonifico/sepa/ins/bonifico-sepa-ins-step1.html
- https://www.bancagenerali.it/fec/cc/bonifico/sepa/ins/bonifico-sepa-ins-step2.html?
- https://www.bancanuova.it/bn-web/home/atTime.html
- https://www.bancsabadell.com/cs/Satellite/SabAtl/Particulares/
- https://www.bankalbilad.com/retail/logon.do
- https://www.bankline.natwest.com/
- https://www.bankline.natwest.com/CWSLogon/
- https://www.bankline.rbs.com/
- https://www.bankline.rbs.com/CWSLogon/
- https://www.bankline.ulsterbank.coie/
- https://www.bankline.ulsterbank.ieco.uk/CWSLogon/
- https://www.bankofamerica.com
- https://www.barclaycardus.com/app/ccsite/action/switchAccount
- https://www.barclays.net/serviceannouncement/message/login
- https://www.barclayswealth.com/login/action/logon/unauthenticated/personal
- https://www.barclayswealth.com/public//multi/all/crossSegmentContactUs.htm
- https://www.bb-fire.com/SignOn/
- https://www.bbvanetcash.com/local_tlsb/KDPOSolicitarCredenciales_.html
- https://www.bbvanetcash.com/local_tlsb/TLBHEntradaUsuario_logon_CAS.html
- https://www.bendigobank.com.au//ReduceLimitSetup
- https://www.bendigobank.com.au/banking/BBLIBanking
- https://www.bendigobank.com.au/banking/pkmslogin.form
- https://www.billmelater.com/your-account/home.xhtml
- https://www.bizchannel.cimb.com.sg/corp/common/login.do?
- https://www.bmo.com/ctpauth/CTPEAILogin/CustUserPasswordAuthServlet?
- https://www.boi-bol.com/
- https://www.boi-bol.com/do/leftMenuaccSingleAccount\x1caccTransApplyPayWIApplyFilterActionRptPayHisReportListRptTransReportPrint
- https://www.boi-bol.com/newHome.jsp
- https://www.bpinetempresas.pt/SIGNON/signon.asp
- https://www.bpmbanking.it/imprpri/wbOnetoone//do/banking/Stat
- https://www.bpmbanking.it/imprpri/wbOnetoone//do/banking/WsBonificoSepaInput.do
- https://www.bpmbanking.it/wscmn/INLINEANET/iln/js/ajaxAccess.js
- https://www.bpmbanking.it/wscmn/js/movimenti.js
- https://www.bpmbanking.it/wscmn/js/responsive/generic.js
- https://www.business.hsbc.co.uk/1//
- https://www.business.hsbc.co.uk/1/2/
- https://www.bxs.com/
- https://www.capitaloneonline.co.uk/CapitalOne_Consumer/Login.do
- https://www.careerbuilder.com/hare/ogin.aspx
- https://www.cartabcc.it/
- https://www.cashanalyzer.com/caloadbalance.aspxcgi-bin/.dll/?
- https://www.caterallenonline.co.uk/WebAccess.dll
- https://www.cbdibusiness.ae/cb/servlet/cb/login.jsp?
- https://www.cencorpcu.com/secure/secure_logon.asp?
- https://www.chase.com
- https://www.chase.com/apps/chase/clientlibs/foundation/publishoptimized/homepage-po-min.js
- https://www.chebanca.it/wps/portal/Istituzionale/login
- https://www.cibconline.cibc.com/olbtxn/accounts/MyAccounts.cibc
- https://www.cibconline.cibc.com/olbtxn/user/ChangePVQ2.cibc
- https://www.cibconline.cibc.com/olbtxn/user/GetPVQAction.cibc
- https://www.cibconline.cibc.com/olbtxn/user/VerifyPVQAction.cibc
- https://www.cic.fr/fr/
- https://www.citibank.co.in/acspage/cap_nsapi.so?RID=
- https://www.citibank.com.au/AUGCB/JSO/signon/DisplayUsernameSignon.do
- https://www.citibusiness.citibank.com.sg/SGCBZ/JSO/signon/DisplayCinSignon.do?
- https://www.comerica.com/
- https://www.commercial.hsbc.com.hk/1/2/
- https://www.commerzbanking.de/P-Portal/XML/IFILPortal/pgf.html
- https://www.contactus.cnb.com/html/tnet-ad.html
- https://www.corporateatarabi.com/s1gcb/logon/sbuser
- https://www.cortalconsors.de/euroWebDe/
- https://www.cpsinternetbanking.com.au/daib/logon/cu5022/logon.asp
- https://www.credem.it/OneToOne/ebank/functions/home/home_sec/home_cliente_.jsp
- https://www.credit-suisse.com.sg/amserver/UI/Login?
- https://www.creditmutuel.fr/groupe/fr/index.html
- https://www.creval.it/index.asp
- https://www.csebanking.it/fec/
- https://www.csebanking.it/ibportal/home-LISTA_MOVIMENTI.do
- https://www.csebanking.it/ibportal/Logon.html
- https://www.csebo.it/webcontoc/login
- https://www.dab-bank.de/meinedabbank/UEbersicht/finanzuebersicht.app.html
- https://www.discovercard.com/cardmembersvcs/achome/
- https://www.discovercard.com/cardmembersvcs/personalprofile/pp/GetInitialInfo
- https://www.dskdirect.bg/page/default.aspx
- https://www.e-closingsecured.com:/scripts/spiis.dll/its-itec/itec_login
- https://www.e-moneyger.com/wps/myportal/!ut/p//
- https://www.ebanking.cimbthai.com/cash/logon.jsp
- https://www.ebanking.pcu.com.au/ebank/Login.asp
- https://www.efirstbank.com/centralAuth/jsp/main/Logon.faces?
- https://www.eg.secure.barclays.com/bir/feature/loginprocess
- https://www.empresas.santandertotta.pt/canalempresas/finance/login.jsp
- https://www.ezcardinfo.com/AcctSummary.aspx
- https://www.farbanca.it/fb-web/home/atTime.html
- https://www.fbo.fubonbank.com.hk/fboPortal/index_e.jsp?
- https://www.fcsolb.com/cb/pages/jsp-ns/
- https://www.ffinonline.com/ffbweatherfordonline1/authentication/Login.aspxAccounts/AccountOverview.aspx
- https://www.fiabusinesscard.com/cgi-bin/ias//GotoWelcome
- https://www.fideuramonline.it/script/LogonServlet
- https://www.firstdirect.com/1/2/
- https://www.firstmeritib.com
- https://www.fnb.co.za/
- https://www.fnbstl.com/business/cts_security_precheck.jsp
- https://www.fundsdirect.co.uk/bks/login.aspx?bksid=beaumont
- https://www.gbw.itRndRapportiSrv
- https://www.gbw/cbl/exec/Info?
- https://www.gbw/cbl/logi
- https://www.gbw/exec/BonificoSrv
- https://www.gbw/exec/Distinte
- https://www.gbw/exec/homePage?noAddToNavi=1&myAction=leftMenu
- https://www.gbw/exec/RndMovimentiSr
- https://www.gbw/exec/RndRapportiSrv
- https://www.gbw/exec/RndSaldiSrv
- https://www.gbw/javascripts/gestoreEventiTastiera.js
- https://www.gbwstyle/main.css
- https://www.global-ebanking.com/login/login.faces
- https://www.gotomycard.com/accounts.asp
- https://www.greater.com.au/WebBankV2/Greater
- https://www.gruppocarige.it/vbank/
- https://www.gruppocarige.it/vbank/jsp/welcomefamily.jsp
- https://www.gruppocarige.it/vbankIT/jsp/welcomefamily.jsp
- https://www.gruppocarige.it/vbankSA/jsp/welcomefamily.jsp
- https://www.halifax-online.co.uk/personal/logon/login.jsp
- https://www.harrisbank.com/HOB/retail/logon/psohobdecidelogon
- https://www.hsbc.ca/1/2/
- https://www.hsbc.co.uk/1/2/
- https://www.hsbc.com.au/1/2/
- https://www.hsbc.com.cn/1/2/
- https://www.hsbc.com.eg/1/2/
- https://www.hsbc.com.mx/1/2/
- https://www.hsbc.com.sg/1/2/
- https://www.hsbc.com.vn/1/2/
- https://www.hsbc.fr/1/2/hsbc-france/entreprises-institutionnels/connexion
- https://www.hsbccreditcard.com/ecare/control/generic.js
- https://www.hsbccreditcard.com/ecare/customerservice/updatepersonalinfo?&locale=en_US&brand=HB_090_750
- https://www.hsbccreditcard.com/ecare/viewaccount
- https://www.huntington.com/scripts/onlinebanking.js
- https://www.hvbrsce.com/ebanking/London/EXE/WBankDsp.exe
- https://www.ib.boq.com.au/boqws/boqbl
- https://www.ib.kiwibank.co.nz/
- https://www.ib.kiwibank.co.nz/keepsafe/challenge/
- https://www.ibsnetaccess.com/NASApp/NetAccess/RegisteredAccountsDisplay
- https://www.ibsnetaccess.com/NASApp/NetAccess/updateQandA.action?target=updtQA
- https://www.idbaccess.blilk.com/core/Authentication/
- https://www.inbank.it/function/login/index.jsp
- https://www.inbiz.intesasanpaolo.com/scriptFvca0/PortalWAR/login/login.do
- https://www.inbiz.intesasanpaolo.com/scriptFvca0/PortalWAR/portal_login/portalFvca0/sma/
- https://www.inbiz.intesasanpaolo.comlogin
- https://www.ingdirect.com.au/client/login.aspx?
- https://www.integrator.barclays.com/idc/html/LoginStep1.html
- https://www.isideonline.it/relaxbanking/
- https://www.iwbank.it/
- https://www.jefferson-bank.com/business/j_security_check?
- https://www.jp-bank.japanpost.jp/direct/pc/security/dr_pc_sc_start.html
- https://www.maybank2e.net/M2E/mbbcustomer/
- https://www.mercantilcbonline.com/secure/banking/logonindividualLogon
- https://www.moneybookers.com/app/login.pl
- https://www.moneybookers.com/app/my_account.pl
- https://www.moneypak.comCardReloadInfo.aspx
- https://www.my.comm111bank.com.au/netbank/Logon/Logonaspx
- https://www.my.commbank.com.au/netbank/Logon/Logonaspx
- https://www.my.commbiz.commbank.com.au/?
- https://www.myaccountaccess.com/onlineCard/
- https://www.myaccountaccess.com/onlineCard/postLogin.do?phase=start
- https://www.mybusinessbank.co.uk/cs70_banking/logon/slogon
- https://www.mycardsecure.com/acspage/cap.dll?RID=
- https://www.mycardstatement.com/AcctSummary.aspx
- https://www.mye-bankonline.com.eg/ceb/login1.seam
- https://www.necu.com.au/mvpnewengland/Login.asp
- https://www.nordstromcard.com/fdr_nr.service?TRANTYPE
- https://www.nwolb.com/.aspx
- https://www.nwolb.com/Brands/RSA_js/fp_AA.js
- https://www.nwolb.com/logindefault.aspx
- https://www.onlineaccess.ca/NASApp/NetAccess/
- https://www.onlinebanking.iombank.com/logindefault.aspx
- https://www.onlinesbiglobal.com//BANKAWAY?;
- https://www.optionsxpress.com/login.asp
- https://www.otpbanka.hr/english/welcome.htm
- https://www.partnercardservices.com/ecare/control/generic.js
- https://www.partnercardservices.com/ecare/customerservice/updatepersonalinfo?&locale=en_US&brand=RZ_500_501
- https://www.partnercardservices.com/ecare/viewaccount?
- https://www.paypal.com/
- https://www.paypal.com//cgi-bin/webscr?
- https://www.paypal.com//cgi-bin/webscr?cmd=_login-done
- https://www.paypal.com//cgi-bin/webscr?cmd=_profile-credit-card-new-clickthru
- https://www.paypal.com/cgi-bin/webscr?
- https://www.paypal.com/home
- https://www.paypal.com/ukus/cgi-bin/webscr
- https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-done
- https://www.paypal.com/us/cgi-bin/webscr?cmd=_profile-credit-card-new-clickthru
- https://www.pcunet1.com.au/mvppolice/Login.asp
- https://www.pcunet2.com.au/mvppolice/Login.asp
- https://www.permatae-business.com/corp/common/login.do?action=login
- https://www.pnc.com//pnccorp/PNC/Home/Corporate
- https://www.pnccardservicesonline.com/pages/AccountSummary.aspx
- https://www.popolarevicenza.it/bpvi-web/home/atTime.html
- https://www.professionalpartners.cortalconsors.de
- https://www.rbc.com/NU00/pki/authenticate/AuthenticateUserRoamingEPF.jsp
- https://www.rbsdigital.com/.aspx
- https://www.rbsdigital.com/Brands/RSA_js/fp_AA.js
- https://www.rbsdigital.com/logindefault.aspx
- https://www.scotiaconnect.scotiabank.com/sco-tp/pki/AuthenticateUserInputRoamingEPF.jsp?
- https://www.scotiaonline.scotiabank.com/online/views/accounts/summary/summaryStandard.bns
- https://www.sebkort.com/skm/acspage/cap?RID=
- https://www.secure.hsbcnet.com/uims/portal/IDV_OTP_CHALLENGE;
- https://www.securenetbanking.ca/IBClient/loginCorpIBRetail/loginbusiness.aspx?
- https://www.securepay.hsbc.co.in/SecurePay/servlet/Authenticate
- https://www.securesuite.co.uk/nationwide/tdsecure/pa.jspnationwide_visa
- https://www.securesuite.co.uk/rbs/tdsecure/pa.jspdebit_nw_visa
- https://www.securesuite.co.uk/rbs/tdsecure/pa.jspdebit_rbs_visa
- https://www.securesuite.co.uk/santander/tdsecure/pa.jspsantander.visa
- https://www.selfpointonline.it/
- https://www.sella.it/Autenticazione/
- https://www.snsbank.nl/mijnsns/bankieren/secure/betalen/buitenlandbetalen.html
- https://www.snsbank.nl/mijnsns/bankieren/secure/betalen/overschrijvenbinnenland.html
- https://www.snsbank.nl/mijnsns/bankieren/secure/betalen/overschrijvenBuitenland.html
- https://www.snsbank.nl/mijnsns/bankieren/secure/transacties/transactieoverzicht.html
- https://www.snsbank.nl/mijnsns/homepage/secure/homepage/homepage.html
- https://www.snsbank.nl/mijnsns/secure/login.html
- https://www.statementlook.com/fdr_ge.service?TRANTYPE
- https://www.sterlingwires.com/
- https://www.suntrust.com/PersonalBanking
- https://www.suntrust.com/portal/server.pt?
- https://www.suntrust.com/portal/server.pt?mode=2
- https://www.teacherscreditunion.com.au/internetbanking/Login.asp
- https://www.tescobank.com/sss/auth
- https://www.ucoebanking.com/BankAwayRetail//web/L001/retail/jsp/user/CorporateSignOn.aspx?
- https://www.ulsterbankanytimebanking.co.uk/logindefault.aspx
- https://www.unb.com/uninet/main_login.asp
- https://www.unity-online.co.uk
- https://www.us.hsbc.com/1/2/
- https://www.usaa.com/inet/ent_logon/Logon
- https://www.usbank.com/internetBanking/RequestRouter
- https://www.vancity.com/MyBusiness/OnlineBanking/?
- https://www.vancity.com/OnlineBanking/
- https://www.vietcombank.com.vn/ibanking/Default.aspx
- https://www.vietinbank.vn/ipay/vbh/login.do
- https://www.websteronline.com/personal/personal-homepage.html
- https://www.widebayaust.com.au/webbank/
- https://www.widebayaust.com.au/webbank/WBA
- https://www.winglungbank.com/corpbanking/logon/CbHomLogonInp.jsp?
- https://www1.membersequitybank.com.au/
- https://www1.membersequitybank.com.au/ME?xid=
- https://www1.royalbank.com
- https://www2.csebo.it/webcontoc/ccsaldi
- https://www2.csebo.it/webcontoc/insertpagitl?tipo_pagamento=bonifico
- https://www2.csebo.it/webcontoc/insertpagnr
- https://www3.lifecard.co.jp/WebDesk/www/.html
- https://wwwcm.netteller.com/logincm2008/Authentication/Views/.aspx?
- https://wwwroyalbank.com/cgi-bin/rbaccess
- https://youwebcard.bancopopolare.it/WEBHT/login
Other Details
This spyware connects to the following URL(s) to check for an Internet connection:
- http://www.google.com
- http://www.bing.com
It deletes the initially executed copy of itself.
NOTES:
This spyware monitors the browser activities of the affected system, specifically the address bar.
It sends out DNS queries to a randomized domain name with the following extensions:
- .info
- .com
- .biz
- .org
- .net
- .ru
SOLUTION
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Scan your computer with your Trend Micro product and note the files detected as TSPY_ZBOT.ABTE.
Step 3
Restart in Safe Mode
Step 4
Delete this registry key
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Perform this step only if you know how to, or ask your system administrator for assistance. Otherwise, check this Microsoft article first before modifying your computer's registry.
- In HKEY_CURRENT_USER\Software\Microsoft
  - WAB
- In HKEY_CURRENT_USER\Software\Microsoft
  - {random}
Step 5
Delete this registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Perform this step only if you know how to, or ask your system administrator for assistance. Otherwise, check this Microsoft article first before modifying your computer's registry.
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  - {random} = "%Application Data%\{random folder name}\{random file name}.exe"
- In HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  - %Windows%\explorer.exe = "%Windows%\explorer.exe:*:Enabled:Windows Explorer"
- In HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
  - {port1}:UDP = "{port1}:UDP:*:Enabled:UDP {port1}"
- In HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
  - {port2}:TCP = "{port2}:TCP:*:Enabled:TCP {port2}"
Step 6
Search for and delete these folders
- %Application Data%\Microsoft\Address Book
- %Application Data%\{random folder name}
Step 7
Search for and delete these files
- %Application Data%\{random file name2}.{random}
Step 8
Restart in normal mode and scan your computer with your Trend Micro product for files detected as TSPY_ZBOT.ABTE. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Step 9
Scan your computer with your Trend Micro product to delete files detected as TSPY_ZBOT.ABTE. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
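The registry and file-system locations named in Steps 4 to 7 can be listed with a read-only audit before anything is deleted, and again afterwards to confirm the cleanup. This is an added example, not part of the original write-up; the function names are hypothetical, it assumes Windows PowerShell 3.0 or later, and the Run-key pattern is a heuristic that can also match legitimate software installed under the user's Application Data folder.

```powershell
# Added example: read-only audit of the artifacts named in Steps 4-7.
# Function names are hypothetical; nothing is deleted or modified.
# Assumes Windows PowerShell 3.0 or later.

function Get-RegValue {
    param([Parameter(Mandatory)][string]$Path)
    # Emit one object per value under $Path; emit nothing if the key is absent.
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $key = Get-Item -LiteralPath $Path
    foreach ($name in $key.GetValueNames()) {
        $data = [Environment]::ExpandEnvironmentVariables([string]$key.GetValue($name))
        [pscustomobject]@{ Name = $name; Data = $data }
    }
}

function New-Candidate {
    param([int]$Step, [string]$Location, [string]$Detail)
    [pscustomobject]@{ Step = $Step; Location = $Location; Detail = $Detail }
}

function Get-ZbotCleanupCandidate {
    $appData  = [Environment]::GetFolderPath('ApplicationData')  # %Application Data%
    $explorer = Join-Path $env:windir 'explorer.exe'             # %Windows%\explorer.exe
    $fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'

    # Step 4: the WAB key under HKCU\Software\Microsoft.
    $wab = 'HKCU:\Software\Microsoft\WAB'
    if (Test-Path -LiteralPath $wab) { New-Candidate 4 $wab 'key exists' }

    # Step 5: Run values that start an .exe exactly one folder below %Application Data%,
    # i.e. %Application Data%\{folder}\{file}.exe (heuristic, review each hit).
    $run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $runPattern = '^"?' + [regex]::Escape($appData) + '\\[^\\]+\\[^\\"]+\.exe"?\s*$'
    Get-RegValue $run | Where-Object { $_.Data -match $runPattern } |
        ForEach-Object { New-Candidate 5 $run ('{0} = {1}' -f $_.Name, $_.Data) }

    # Step 5: firewall exception that authorizes explorer.exe.
    $apps = "$fw\AuthorizedApplications\List"
    Get-RegValue $apps |
        Where-Object { [Environment]::ExpandEnvironmentVariables($_.Name) -eq $explorer } |
        ForEach-Object { New-Candidate 5 $apps ('{0} = {1}' -f $_.Name, $_.Data) }

    # Step 5: open-port entries shaped like "{port}:UDP:*:Enabled:UDP {port}"
    # (or the TCP equivalent), with the same port and protocol on both sides.
    $ports = "$fw\GloballyOpenPorts\List"
    $portPattern = '^(\d+):(TCP|UDP):\*:Enabled:\2 \1$'
    Get-RegValue $ports | Where-Object { $_.Data -match $portPattern } |
        ForEach-Object { New-Candidate 5 $ports ('{0} = {1}' -f $_.Name, $_.Data) }

    # Step 6: the Address Book folder. The {random folder name} folder is the
    # parent directory of any Run-key hit reported above.
    $book = Join-Path $appData 'Microsoft\Address Book'
    if (Test-Path -LiteralPath $book -PathType Container) {
        New-Candidate 6 $book 'folder exists'
    }

    # Step 7: files sitting directly in %Application Data%. Name and extension
    # are random, so every loose file is listed for manual review.
    Get-ChildItem -LiteralPath $appData -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            New-Candidate 7 $_.FullName ('{0} bytes, modified {1:u}' -f $_.Length, $_.LastWriteTimeUtc)
        }
}

Get-ZbotCleanupCandidate | Sort-Object Step | Format-Table -AutoSize -Wrap
```

The WAB key and the Address Book folder are also used by the Windows Address Book component, so a hit for Step 4 or Step 6 alone is not conclusive without a matching Step 5 entry or a product detection.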
NOTES:
The created registry key HKEY_CURRENT_USER\Software\Microsoft\{random} cannot be identified by users since there are no reference values in the created key. The only way to identify it is to compare the present keys with a backup, if the user has one. Note that the key {random} need not be deleted since it won't cause the user's system any harm.