Analysis by: adel

 PLATFORM:

Windows 98, ME, NT, 2000, XP, Server 2003


  • Threat Type: Spyware

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

This spyware has received attention from independent media sources and/or other security firms.

To get a one-glance comprehensive view of the behavior of this Spyware, refer to the Threat Diagram shown below.

This spyware may be dropped by other malware.

As of this writing, the sites it attempts to download from are inaccessible.

It attempts to steal sensitive online banking information, such as user names and passwords. This routine risks the exposure of the user's account information, which may then lead to the unauthorized use of the stolen data.

  TECHNICAL DETAILS

File Size: 32,768 bytes
File Type: PE
Memory Resident: No
Initial Samples Received Date: 11 Feb 2010

Arrival Details

This spyware may be dropped by other malware.

Installation

This spyware drops the following copies of itself into the affected system:

  • %System Root%\Documents and Settings\All Users\Application Data\Microsoft\Windows\Network\MSPDB30.DLL

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It drops the following files:

  • %System Root%\Documents and Settings\All Users\Application Data\Microsoft\Windows\Network\mspdb80.dll


It creates the following folders:

  • %System Root%\Documents and Settings\All Users\Application Data\Microsoft\Windows\Network


It is injected into the following processes running in memory (because it is loaded through AppInit_DLLs, any other process that loads user32.dll can receive it as well):

  • EXPLORER.EXE
  • FIREFOX.EXE
  • IEXPLORE.EXE
  • MSIMN.EXE
  • OUTLOOK.EXE
  • SVCHOST.EXE

Autostart Technique

This spyware modifies the following registry entry to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = %System Root%\Documents and Settings\All Users\Application Data\Microsoft\Windows\Network\mspdb30.dll

(Note: The default value data of the said registry entry is blank.)

Other System Modifications

This spyware adds the following registry keys and values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\Parameters.A
(Default) = (blank)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\Parameters.B
(Default) = (blank)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
LoadAppInit_DLLs = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
RequireSignedAppInit_DLLs = 0

(Note: On the Windows versions listed under PLATFORM the AppInit_DLLs value alone is enough to load the DLL. LoadAppInit_DLLs is honored from Windows Vista onward and RequireSignedAppInit_DLLs from Windows 7 onward; setting them to 1 and 0 keeps the unsigned DLL loading on those later versions too.)
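The following script is an added example for checking a host against the installation, autostart and registry indicators listed above; it is not part of the Trend Micro description. It assumes %System Root% is C:\, keeps the evaluation in a pure function (assess_appinit) that takes a snapshot dictionary and a file-existence predicate so it can be exercised with constructed data on any platform, and reads live values with winreg only when run on Windows. The function and constant names are the author's own.

```python
"""Audit the AppInit_DLLs persistence and the other indicators from the advisory."""

# Indicators taken from the advisory; %System Root% is assumed to be C:\ here.
IOC_DIR = r"C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\Network"
IOC_DLLS = ("mspdb30.dll", "mspdb80.dll")
WINDOWS_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
DIRECTDRAW_KEYS = (r"SOFTWARE\Microsoft\DirectDraw\Parameters.A",
                   r"SOFTWARE\Microsoft\DirectDraw\Parameters.B")
# Path fragments that legitimate AppInit DLLs essentially never live under (heuristic).
USER_WRITABLE_HINTS = ("application data", "programdata", "appdata", "\\temp\\")


def assess_appinit(snapshot, file_exists):
    """Return a list of finding strings for one host.

    snapshot keys: 'AppInit_DLLs' (str or None), 'LoadAppInit_DLLs' and
    'RequireSignedAppInit_DLLs' (int or None), 'keys_present' (set of HKLM
    subkey paths). file_exists(path) -> bool lets the caller inject a stub.
    """
    findings = []
    # AppInit_DLLs may list several DLLs separated by spaces or commas. The whole
    # string is searched rather than split on spaces, because the path in this
    # advisory itself contains spaces and would otherwise be torn apart.
    appinit = (snapshot.get("AppInit_DLLs") or "").lower()
    hit = [name for name in IOC_DLLS if name in appinit]
    if hit:
        findings.append(f"IOC: AppInit_DLLs references {', '.join(hit)} (TSPY_ZBOT.AZL)")
    elif appinit.strip() and any(h in appinit for h in USER_WRITABLE_HINTS):
        findings.append(f"SUSPICIOUS: AppInit_DLLs loads from a user-writable path: {appinit}")
    if appinit.strip() and snapshot.get("LoadAppInit_DLLs") == 1:
        findings.append("AppInit DLL loading is enabled (LoadAppInit_DLLs = 1)")
    if snapshot.get("RequireSignedAppInit_DLLs") == 0:
        findings.append("Unsigned AppInit DLLs allowed (RequireSignedAppInit_DLLs = 0)")
    for key in DIRECTDRAW_KEYS:
        if key in snapshot.get("keys_present", ()):
            findings.append(f"IOC: registry key HKLM\\{key} present")
    for name in IOC_DLLS:
        path = IOC_DIR + "\\" + name
        if file_exists(path):
            findings.append(f"IOC: dropped file present: {path}")
    return findings


def snapshot_from_registry():
    """Read the live values on a Windows host; returns None on other platforms.

    On 64-bit Windows the WOW6432Node view has its own AppInit_DLLs value for
    32-bit processes, so check both views when triaging.
    """
    try:
        import winreg
    except ImportError:
        return None
    snap = {"keys_present": set()}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINDOWS_KEY) as k:
        for name in ("AppInit_DLLs", "LoadAppInit_DLLs", "RequireSignedAppInit_DLLs"):
            try:
                snap[name] = winreg.QueryValueEx(k, name)[0]
            except FileNotFoundError:
                snap[name] = None
    for key in DIRECTDRAW_KEYS:
        try:
            winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key))
            snap["keys_present"].add(key)
        except FileNotFoundError:
            pass
    return snap


if __name__ == "__main__":
    import os
    live = snapshot_from_registry()
    if live is None:
        # Constructed snapshot mirroring the advisory, used when not on Windows.
        live = {"AppInit_DLLs": IOC_DIR + "\\mspdb30.dll", "LoadAppInit_DLLs": 1,
                "RequireSignedAppInit_DLLs": 0, "keys_present": set(DIRECTDRAW_KEYS)}
    for line in assess_appinit(live, os.path.exists) or ["clean"]:
        print(line)
```

The IOC matches are exact to this description; the SUSPICIOUS branch is a generic heuristic (an AppInit DLL under a user-writable directory) that catches renamed variants but will also need manual review.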

Download Routine

As of this writing, the sites it attempts to download from are inaccessible.

Information Theft

This spyware attempts to steal sensitive online banking information, such as user names and passwords. This routine risks the exposure of the user's account information, which may then lead to the unauthorized use of the stolen data.

Stolen Information

This spyware saves the stolen information in the following file:

  • %System Root%\Documents and Settings\All Users\Application Data\Microsoft\Windows\Network\mspdb80.dll

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It sends the gathered information via HTTP POST to the following URL:

  • https://{BLOCKED}gatti2012.ru/forum/Q47A1.php
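The following is an added example of detection logic for the exfiltration described above, run over proxy log lines; it is not part of the Trend Micro description. The log lines are constructed in a simplified "time client method url status" layout, the masked part of the C2 host name is stood in for by the placeholder label "masked." (an assumption used only in the sample), and the match is done on the unmasked suffix and the script path given in the description.

```python
"""Scan web-proxy logs for POSTs to the TSPY_ZBOT.AZL drop URL."""
import re
from collections import defaultdict

# Indicators from the advisory. The host is partially masked there, so only the
# visible suffix is matched; the masked part may be within the same DNS label,
# hence endswith() rather than a dot-anchored subdomain check.
C2_HOST_SUFFIX = "gatti2012.ru"
C2_PATH = "/forum/Q47A1.php"

# Constructed sample log (not real traffic). "masked." stands in for the
# {BLOCKED} portion of the host name in the advisory.
SAMPLE_LOG = """\
2010-02-11T09:14:02Z 10.0.0.17 GET http://www.example.com/index.html 200
2010-02-11T09:14:05Z 10.0.0.17 POST https://masked.gatti2012.ru/forum/Q47A1.php 200
2010-02-11T09:20:41Z 10.0.0.23 POST https://masked.gatti2012.ru/forum/Q47A1.php 200
2010-02-11T09:21:00Z 10.0.0.17 POST https://masked.gatti2012.ru/forum/Q47A1.php 200
2010-02-11T09:25:13Z 10.0.0.40 POST https://forum.example.org/forum/Q47A1.php 200
2010-02-11T09:30:00Z 10.0.0.40 GET https://masked.gatti2012.ru/favicon.ico 404
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/[^?#]*)?", re.I)


def classify(line):
    """Return a hit dict for a line that touches the C2 host, else None.

    kind is 'exfil-post' for a POST to the exact drop script (the behaviour the
    advisory describes) and 'c2-contact' for any other request to the host.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    u = URL_RE.match(m["url"])
    if not u:
        return None
    host = u["host"].lower()
    path = u["path"] or "/"
    if not host.endswith(C2_HOST_SUFFIX):
        return None
    kind = "exfil-post" if (m["method"] == "POST" and path == C2_PATH) else "c2-contact"
    return {"ts": m["ts"], "client": m["client"], "kind": kind, "url": m["url"]}


def scan(log_text):
    """Return (hits, per_client) where per_client summarises what each
    internal address did and when, which is what an IR triage list needs."""
    hits = [h for h in map(classify, log_text.splitlines()) if h]
    per_client = defaultdict(lambda: {"exfil_posts": 0, "other": 0, "first": None, "last": None})
    for h in hits:
        c = per_client[h["client"]]
        c["exfil_posts" if h["kind"] == "exfil-post" else "other"] += 1
        c["first"] = c["first"] or h["ts"]
        c["last"] = h["ts"]
    return hits, dict(per_client)


if __name__ == "__main__":
    _, summary = scan(SAMPLE_LOG)
    for client, info in sorted(summary.items()):
        print(client, info)
```

A client with exfil_posts > 0 should be treated as infected and isolated; a host-only contact (for example the favicon fetch in the sample) is worth a look but is not proof of the banking-theft behaviour by itself. The unrelated POST to /forum/Q47A1.php on another domain is deliberately not matched, since the path alone is not an indicator here.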

Other Details

Based on analysis of the codes, it has the following capabilities:

  • Browse and upload files from the affected system
  • Download files, save them as temp files in %User Temp% folder then execute these files
  • Drop a batch file named NTLDR.BAT. This .BAT file contains a command to delete files found in the Windows folder and in the root folder, which is usually C:\ (this may include system files, which in turn can leave the system unbootable)
  • Log running processes and save the list to the dropped file MSPDB80.DLL
  • Steal and delete Cookies
  • Steal FTP and POP credentials

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

  SOLUTION

Minimum Scan Engine: 8.900
VSAPI OPR PATTERN File: 6.843.00
VSAPI OPR PATTERN Date: 12 Feb 2010

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Scan your computer with your Trend Micro product and note files detected as TSPY_ZBOT.AZL

Step 3

Restart in Safe Mode


Step 4

Delete this registry key


Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

 
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw
    • Parameters.A
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw
    • Parameters.B

Step 5

Delete this registry value



  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    • LoadAppInit_DLLs = 1
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    • RequireSignedAppInit_DLLs = 0

Step 6

Restore this modified registry value



  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    • From: AppInit_DLLs = %System Root%\Documents and Settings\All Users\Application Data\Microsoft\Windows\Network\mspdb30.dll
    • To: AppInit_DLLs = (blank)
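The following is an added example that scripts Steps 4 to 6 as a plan-then-apply cleanup; it is not part of the Trend Micro description. plan_cleanup builds the ordered list of registry operations from a snapshot of the current values, so it can be reviewed (and tested offline) before apply_plan executes it with winreg on the affected host. Function names and the snapshot layout are the author's own; run it elevated, in Safe Mode after the scan in Step 2 has removed the DLL, and check the AppInit_DLLs value again afterwards.

```python
"""Plan-then-apply cleanup for the registry changes listed in Steps 4 to 6."""

WINDOWS_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
DIRECTDRAW_KEYS = (r"SOFTWARE\Microsoft\DirectDraw\Parameters.A",
                   r"SOFTWARE\Microsoft\DirectDraw\Parameters.B")
IOC_DLL_NAME = "mspdb30.dll"


def plan_cleanup(snapshot):
    """Return the ordered registry operations Steps 4-6 call for, as tuples
    (op, hklm_subkey, arg). snapshot keys: 'AppInit_DLLs' (str or None),
    'LoadAppInit_DLLs' and 'RequireSignedAppInit_DLLs' (int or None),
    'keys_present' (set of HKLM subkey paths that currently exist)."""
    ops = []
    # Step 4: the two DirectDraw keys (they hold no subkeys per the advisory,
    # which is what winreg.DeleteKey requires).
    for key in DIRECTDRAW_KEYS:
        if key in snapshot.get("keys_present", ()):
            ops.append(("delete_key", key, None))
    # Step 5: the two values that force-enable unsigned AppInit DLL loading.
    for name in ("LoadAppInit_DLLs", "RequireSignedAppInit_DLLs"):
        if snapshot.get(name) is not None:
            ops.append(("delete_value", WINDOWS_KEY, name))
    # Step 6: restore AppInit_DLLs to its blank default rather than deleting it.
    appinit = snapshot.get("AppInit_DLLs") or ""
    if IOC_DLL_NAME in appinit.lower():
        ops.append(("set_value", WINDOWS_KEY, ("AppInit_DLLs", "")))
    return ops


def apply_plan(ops, dry_run=True):
    """Execute the plan with winreg (Windows only). With dry_run=True (the
    default) nothing is touched and the plan is returned for review."""
    if dry_run:
        return ops
    import winreg
    done = []
    for op, key, arg in ops:
        if op == "delete_key":
            winreg.DeleteKey(winreg.HKEY_LOCAL_MACHINE, key)
        elif op == "delete_value":
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key, 0, winreg.KEY_SET_VALUE) as k:
                winreg.DeleteValue(k, arg)
        elif op == "set_value":
            name, data = arg
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key, 0, winreg.KEY_SET_VALUE) as k:
                winreg.SetValueEx(k, name, 0, winreg.REG_SZ, data)
        done.append((op, key, arg))
    return done


if __name__ == "__main__":
    # Constructed snapshot mirroring the advisory; prints the plan without applying it.
    snap = {"AppInit_DLLs": r"C:\Documents and Settings\All Users\Application Data"
                            r"\Microsoft\Windows\Network\mspdb30.dll",
            "LoadAppInit_DLLs": 1, "RequireSignedAppInit_DLLs": 0,
            "keys_present": set(DIRECTDRAW_KEYS)}
    for step in apply_plan(plan_cleanup(snap)):
        print(step)
```

On 64-bit Windows the WOW6432Node view carries its own AppInit_DLLs value for 32-bit processes, so take a snapshot from that view as well before declaring the host clean.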

