PLATFORM:

Windows 2000, XP, Server 2003


  • Threat Type: Spyware

  • Destructiveness: No

  • In the wild: Yes

  OVERVIEW



It may be dropped by other malware.
It may be unknowingly downloaded by a user while visiting malicious websites.
It adds registry entries to enable its automatic execution at every system startup.
It attempts to steal information, such as user names and passwords, used when logging into certain banking or finance-related websites.
It attempts to steal sensitive online banking information, such as user names and passwords. This routine risks the exposure of the user's account information, which may then lead to the unauthorized use of the stolen data.
It creates folders where it drops its files.
It may be injected into processes running in memory.
It modifies the Internet Explorer Zone Settings.

  TECHNICAL DETAILS




Arrival Details


It may be dropped by other malware.


It may be unknowingly downloaded by a user while visiting malicious websites.



Autostart Technique


It adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
{GUID}={malware path and file name}



Drop Points


Stolen information is uploaded to the following websites:

  • http://{BLOCKED}.215.101/sas/ttf.php



Infection Points


It may be downloaded from the following remote sites:

  • http://{BLOCKED}9.13.206/uk2/kl/uk-kl.exe



Information Theft


It accesses the following site to download its configuration file:

  • http://{BLOCKED}9.13.206/uk2/kl/ukdase.db


The downloaded configuration file tells the malware where to download an updated copy of itself and where to send the stolen data.


It attempts to steal information from the following banks and/or other financial institutions:

  • Alliance & Leicester

  • Barclays

  • Cahoot

  • Capital One

  • Citibank

  • Clydesdale

  • Co-Operativebank

  • Ebay

  • Facebook

  • First Direct

  • HSBC

  • Halifax

  • ING Direct

  • Lloyds

  • Microsoft

  • Moneybookers

  • Myspace

  • Nationwide

  • Natwest

  • OSPM

  • Odnoklassniki

  • PayPal

  • RBS

  • Santander

  • Smile

  • Vkontakte

  • Yorkshire


It monitors Internet Explorer (IE) activity on the affected system, specifically the address bar or title bar, and recreates the legitimate Web site with a spoofed login page when the URL matches one of the following masks. The masks follow ZeuS configuration syntax: "*" matches any run of characters and the whole URL must match. Entries beginning with "!" mark URLs whose submitted data is not recorded, and entries beginning with "@" mark URLs on which a screenshot is taken at each mouse click; the remaining entries are the form-grabbing and web-injection targets:

  • !*.microsoft.com/*

  • !http://*myspace.com*

  • https://www.gruposantander.es/*

  • !http://*odnoklassniki.ru/*

  • !http://vkontakte.ru/*

  • @*/login.osmp.ru/*

  • @*/atl.osmp.ru/*

  • *login.yahoo.com*

  • *login.live.com*

  • http://www.facebook.com/index.ph*

  • https://www.hsbc.co.uk/1/2/*

  • https://www.hsbc.co.uk/1/2/personal/internet-banking/transfer*

  • *.hsbc.co.uk/1/2/personal/internet-banking/payments*

  • *.hsbc.co.uk/1/2/!ut/p/kcxml*QS_cmd_NewThirdPartyPaymentCommand*

  • *.hsbc.co.uk/1/2/personal/internet-banking/payment*

  • *.hsbc.co.uk/1/2/personal/internet-banking/recent-transactio*

  • https://www.hsbc.co.uk/1/2/!ut/p/kcxml/*

  • *.hsbc.co.uk/1/2/*

  • *.hsbc.co.uk/1/2/*idv.CustomerMigration

  • https://www.hsbc.co.uk/1/2*

  • *www.hsbc.co.uk/1/2/!ut/p/kcxml*

  • *.hsbc.co.uk/1/2/personal*

  • https://www.hsbc.co.uk/1/2/!ut/p/kcxml/*cmd_InitialThirdPartyPaymentCommand=*

  • https://myonlineaccounts*.abbeynational.co.uk/CentralLogonWeb/MyPersonalHomepage*

  • https://service.oneaccount.com/*/OSV2?event=login&pt=3

  • https://www.365online.com/servlet/Dispatcher/login.htm

  • https://www.365online.com/servlet/Dispatcher/login2.htm

  • https://www.365online.com/servlet/Dispatcher/validate.htm

  • *coventrybuildingsociety.co.uk*

  • https://www.accessmycardonline.com/RBS_Consumer/*

  • https://www.nochex.com/*

  • */CapitalOne_Consumer/*

  • https://www.bankcardservices.co.uk/NASApp/NetAccessXX/*

  • https://my.if.com/_mem_bin/formslogin.asp*

  • https://olb2.nationet.com/MyAccounts/*

  • https://cardsonline-consumer.com/RBSG_Consumer/*

  • https://online-offshore.lloydstsb.com/*

  • https://onlinebanking.firsttrustbank.co.uk/*

  • https://secure.ingdirect.co.uk/InitialINGDirect.html*

  • https://database.acornmediauk.com/*

  • https://uk.virginmoney.com/virgin/service/credit-card/*

  • *npbs.co.uk*

  • https://*ulsterbankanytimebanking.*/login.aspx*

  • https://service.oneaccount.com/onlineV2/*viewPortal*

  • https://secure.natweststockbrokers.co.uk/nws-secure2/*

  • https://www.caterallenonline.co.uk/WebAccess.dll

  • https://myonlineaccounts3.abbeynational.co.uk/GPCC_ENS/BtoChannelDriver.ssobto*

  • https://www.edirectdebit.com/administration/client/logon.aspx

  • *commissioncontrol.net*

  • *tuxedomoney.com*

  • https://www.cardonebanking.com/auth*

  • https://*abbeynational.co.uk*

  • http*://*alliance-leicester.co.uk*

  • http*://*cbonline.co.uk*

  • http*://*co-operativebank.co.uk*

  • http*://*lloydstsb.co.uk*

  • http*://*smile.co.uk*

  • http*://*ybonline.co.uk*

  • https://www.paypal.com/*/cgi-bin/webscr?cmd=_account*

  • https://www.paypal.com/*/webscr?cmd=_login-done*

  • https://www.paypal.com/*/cgi-bin/webscr?cmd=*_account*

  • https://www.paypal.com/*/cgi-bin/webscr?cmd=_login-done*

  • https://www.citibank.co.uk/*/signon/uname/HomePage*

  • https://www.citibank.co.uk/*/portal/Index*

  • */my.ebay.*/*CurrentPage=MyeBayPersonalInfo*

  • */my.ebay.*/*

  • *.ebay.*/*eBayISAPI.dll?*

  • https://www.icicibank.co.uk/UKRET/BANKAWAY*

  • *.partnerandaffinitycards.co.uk/servicing/Logon.aspx?*

  • https://www.bankcardservices.co.uk/NASApp/NetAccessXX/AccountSnapshotScreen?acctID*

  • https://your.egg.com/customer/yourmoney.aspx

  • https://your.egg.com/customer/personaldetails/yourinformation.aspx

  • https://www.capitaloneonline.co.uk/*

  • https://*.banking.first-direct.com/1/2/balances*

  • https://secure.ingdirect.co.uk/INGDirect.html?command=displayClientAccountSummary*

  • https://olb2.nationet.com*

  • https://www.moneybookers.com/app/my_account.pl

  • https://www.365online.com/servlet/Dispatcher/*

  • https://ibank.cahoot.com/*

  • https://service.oneaccount.com/onlineV2/*

  • https://my.if.com/PlanReviewAct/plan.asp*

  • https://my.if.com/*

  • https://www*.banking.first-direct.com/1/2/*

  • https://*ibank.internationalbanking.barclays.com/*

  • https://ibank.internationalbanking.barclays.com/logon*

  • https://*ulsterbankanytimebanking.co.uk/*

  • https://home.cbonline.co.uk/ralu/loginmgr/partialPassword.ctl*

  • https://home.cbonline.co.uk/ralu/loginmgr/loginSetup.ctl*

  • https://home.ybonline.co.uk/ralu/loginmgr/partialPassword.ctl*

  • https://home.ybonline.co.uk/ralu/loginmgr/loginSetup.ctl*

  • https://welcome27.co-operativebank.co.uk/CBIBSWeb/*

  • https://welcome27.co-operativebank.co.uk/CBIBSWeb/passcode.do

  • https://welcome23.smile.co.uk/SmileWeb/*

  • https://welcome23.smile.co.uk/SmileWeb/passcode.do

  • *mybank.alliance-leicester.co.uk*

  • *mybank.alliance-leicester.co.uk/view_accounts/VA*

  • *mybank.alliance-leicester.co.uk/move_money/*MM*.asp*

  • *mybank.alliance-leicester.co.uk/your_payees/YP1point1a.asp*

  • https://online-business.lloydstsb.co.uk/customer.ibc*

  • https://online-business.lloydstsb.co.uk/logon.ibc

  • https://online-business.lloydstsb.co.uk/miheld.ibc

  • https://www.mybusinessbank.co.uk/cs70_banking/*

  • https://www.mybusinessbank.co.uk/cs70_banking/logon/logon/pmPassword

  • https://www.mybusinessbank.co.uk/cs70_banking/logon*

  • https://www.mybusinessbank.co.uk/cs70_banking/logon/sbuser/getPassword

  • https://www.mybusinessbank.co.uk/cs70_banking/logon/logon/enrollPassword

  • https://www.mybusinessbank.co.uk/cs70_banking/logon/logon/password

  • https://www.mybusinessbank.co.uk/cs70_banking/logon/challenge/submit

  • https://www.barclayswealth.com/login/action/logon/unauthenticated/personal/loginDetailsNotStored

  • https://www.barclayswealth.com/login/action/logon/unauthenticated/personal/loginSigning

  • https://www.bankline.coutts.com/CWSLogon/4P/CheckId.do

  • https://www.bankline.coutts.com/CWSLogon/4P/CheckPPPP.do

  • https://www.bankline.coutts.com/CWSLogon/*

  • https://welcome10.co-operativebankonline.co.uk/*security?*

  • https://ibank.cahoot.*/servlet/com.aquarius.security.authentication.servlet.LogonServlet*

  • https://cardservicing.tescofinance.com/RBSG_Consumer/UserLogin.do*

  • https://cardservicing.tescofinance.com/RBSG_Consumer/VerifyLogin.do*

  • https://online.islamic-bank.com/online/aspscripts/secret*.asp*

  • https://online.ybs.co.uk/public/authentication/login2.do*

  • https://home.ybonline.co.uk/ralu/loginmgr/partialPassword.ctl

  • https://home.ybonline.co.uk/ralu/loginmgr/loginQuestion.ctl

  • https://home.cbonline.co.uk/ralu/loginmgr/partialPassword.ctl

  • https://home.cbonline.co.uk/ralu/loginmgr/loginQuestion.ctl

  • https://www.business.hsbc.co.uk/1/2/online-services/accounts/account-list*

  • https://www.business.hsbc.co.uk/1/2/!ut/p/kcxml/04_Sj9SPykssy*

  • http://www.business.hsbc.co.uk/1/2/bib/personal

  • https://www.business.hsbc.co.uk/1/2/*dv_cmd=idv.Authenticat*

  • https://ibank.barclays.co.uk/*

  • https://ibank.barclays.co.uk/olb/*/Statement*

  • https://ibank.barclays.co.uk/olb/*/PersonalFinancialSummary.do?action=*

  • https://ibank.barclays.co.uk/olb/*/LoginTFA.do

  • https://ibank.barclays.co.uk/olb/*/SelectPaymentAccount.do?action=New+Payment||Pay+Someone

  • https://ibank.barclays.co.uk/olb/*/SelectPaymentAccount.do

  • https://ibank.barclays.co.uk/olb/*/NewPayee.do

  • https://ibank.barclays.co.uk/olb/*/PayBill2.do

  • https://ibank.barclays.co.uk/olb/*/PayBill3.do

  • https://ibank.barclays.co.uk/olb/*/PayBill3a.do

  • https://ibank.barclays.co.uk/olb/*/NewPaymentSuccess.do

  • *.banking.firstdirect.com*idv_cmd=idv.Authentication

  • *.banking.firstdirect.com/1/2/!ut/p/kcxml/04_Sj9SPykssy*

  • *.banking.firstdirect.com/1/2/!ut/p/kcxml/*

  • *rbsdigital.com/login.aspx*

  • *rbsdigital.com/AccountSummary.aspx

  • *nwolb.com/login.aspx*

  • *nwolb.com/AccountSummary.aspx

  • https://welcome27.co-operativebank.co.uk/CBIBSWeb/loginSpi.do

  • https://welcome27.co-operativebank.co.uk/CBIBSWeb/fundsTransferSummaryPrepare.do*

  • https://welcome27.co-operativebank.co.uk/CBIBSWeb/fundsTransferCreatePrepare.do*

  • https://www.bankline.rbs.com/CWSLogon/logon.do*

  • https://www.bankline.rbs.com/CWSLogon/4P/CheckId.do*

  • https://www.bankofscotlandhalifax-online.co.uk/CustomerAuthentication/*

  • https://*.bankofscotlandhalifax-online.co.uk/*

  • https://www.halifax-online.co.uk/CustomerAuthentication/*

  • https://*.halifax-online.co.uk/*

  • https://secure.lloydstsb.co.uk/personal/*

  • https://online.lloydstsb.co.uk/logon.ibc

  • https://secure.lloydstsb.co.uk/personal/*/logon/*ntermemorableinformation.jsp

  • https://secure.lloydstsb.co.uk/personal/a/account_details/*

  • https://secure.lloydstsb.co.uk/personal/a/viewproductdetails/ViewProductDetails.jsp?pnlTabpane=2&al=

  • https://online-business.lloydstsb.co.uk/standingorder.ibc*

  • https://online-business.lloydstsb.co.uk/actionaccount.ibc*SelectAction=standingorder.ibc
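The following Python mask matcher is an added example, not part of the original description and not the malware's code. It applies masks of the kind listed above the way the ZeuS configuration does: "*" is the only wildcard, the comparison covers the whole URL and is case-insensitive, and the "!" and "@" prefixes select the exclude and screenshot actions. The mask subset and the URLs fed to it are constructed; a detection engineer can run proxy-log URLs through `is_targeted` to see which sessions were in scope for this variant.

```python
import re
from typing import Dict, List, Tuple

# Constructed subset of the masks listed above. "!" and "@" are ZeuS WebFilters
# modifiers; plain masks are webinject / form-grab targets.
SAMPLE_MASKS = [
    "!*.microsoft.com/*",
    "@*/login.osmp.ru/*",
    "*login.live.com*",
    "https://ibank.barclays.co.uk/*",
    "https://ibank.barclays.co.uk/olb/*/LoginTFA.do",
    "https://www.paypal.com/*/cgi-bin/webscr?cmd=_login-done*",
    "*.ebay.*/*eBayISAPI.dll?*",
    "https://www.bankline.coutts.com/CWSLogon/4P/CheckId.do",
]

ACTIONS = {"": "inject", "!": "exclude", "@": "screenshot"}


def parse_mask(mask: str) -> Tuple[str, str]:
    """Split off the leading modifier: '!' (do not capture), '@' (screenshot), or none."""
    if mask[:1] in ("!", "@"):
        return mask[0], mask[1:]
    return "", mask


def mask_to_regex(pattern: str) -> re.Pattern:
    """'*' is the only wildcard; every other character, including '?' and '|', is literal.
    The mask is compared against the whole URL, case-insensitively (see fullmatch below)."""
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")), re.IGNORECASE)


def matching_masks(url: str, masks: List[str]) -> Dict[str, List[str]]:
    """Group the masks that match `url` by the action they imply."""
    result: Dict[str, List[str]] = {action: [] for action in ACTIONS.values()}
    for mask in masks:
        modifier, pattern = parse_mask(mask)
        if mask_to_regex(pattern).fullmatch(url):
            result[ACTIONS[modifier]].append(mask)
    return result


def is_targeted(url: str, masks: List[str]) -> bool:
    """True when the URL hits at least one inject/capture mask and no '!' exclusion."""
    hits = matching_masks(url, masks)
    return bool(hits["inject"]) and not hits["exclude"]


if __name__ == "__main__":
    for u in ("https://ibank.barclays.co.uk/olb/12345/LoginTFA.do",
              "http://www.microsoft.com/en-us/",
              "https://www.bankline.coutts.com/CWSLogon/4P/CheckId.do?x=1"):
        print(u, "->", matching_masks(u, SAMPLE_MASKS))
```

Because the match is anchored at both ends, a mask without a trailing "*" (the Coutts CheckId.do entry) matches only that exact URL and not the same path with a query string, which is worth remembering when deciding whether a logged request would have triggered an inject.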


It attempts to steal sensitive online banking information, such as user names and passwords. This routine risks the exposure of the user's account information, which may then lead to the unauthorized use of the stolen data.



Installation


It drops the following files:

  • %Application Data%\{random1}\{random}.exe - copy of itself

  • %Application Data%\{random2}\{random}.{3 random alpha character extension name} - encrypted file
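A file-system hunt for the layout described above, added here as an example and not taken from the original page or from the malware: it flags folders that sit directly under Application Data (or AppData\Roaming on later Windows) and hold exactly one file, directly inside, that is either an .exe or has an unrecognised three-letter alphabetic extension. The directory listing, folder names and file names are constructed placeholders for the {random} values on the page.

```python
import re
from typing import Dict, List, Optional, Tuple

# Three-letter extensions that are normal for a lone file; any other 3-alpha extension
# is treated as unknown, matching the "{3 random alpha character extension name}" above.
KNOWN_EXT = {"dll", "txt", "ini", "log", "dat", "xml", "lnk", "tmp", "lst", "dbx"}
THREE_ALPHA = re.compile(r"^[a-z]{3}$", re.IGNORECASE)

# Constructed listing. Kyqoq/ilza.exe and Ytuge/axwo.yxe stand in for the page's
# {random1}\{random}.exe and {random2}\{random}.{ext}; the rest is typical benign content.
SAMPLE_LISTING = [
    r"C:\Documents and Settings\user\Application Data\Kyqoq\ilza.exe",
    r"C:\Documents and Settings\user\Application Data\Ytuge\axwo.yxe",
    r"C:\Documents and Settings\user\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk",
    r"C:\Documents and Settings\user\Application Data\Adobe\Acrobat\8.0\AdobeSysFnt08.lst",
    r"C:\Documents and Settings\user\Application Data\Notes.txt",  # no folder: out of scope
]


def split_appdata(path: str) -> Optional[Tuple[str, str, List[str]]]:
    """Return (appdata_root, top_folder, remaining_segments), or None if the path is not
    at least one folder below Application Data / AppData\\Roaming."""
    segs = path.split("\\")
    low = [s.lower() for s in segs]
    for i, s in enumerate(low):
        is_xp = s == "application data"
        is_vista = s == "roaming" and i > 0 and low[i - 1] == "appdata"
        if (is_xp or is_vista) and len(segs) > i + 2:
            return "\\".join(segs[: i + 1]), segs[i + 1], segs[i + 2:]
    return None


def group_by_top_folder(paths: List[str]) -> Dict[str, List[List[str]]]:
    """Map each top-level AppData folder to the relative segments of every file under it."""
    groups: Dict[str, List[List[str]]] = {}
    for p in paths:
        parts = split_appdata(p)
        if parts is None:
            continue
        root, top, rest = parts
        groups.setdefault(root + "\\" + top, []).append(rest)
    return groups


def lone_payload_folders(paths: List[str]) -> List[str]:
    """Folders directly under AppData that contain exactly one file, directly inside,
    which is an .exe or carries an unknown three-letter alphabetic extension."""
    hits = []
    for folder, files in group_by_top_folder(paths).items():
        if len(files) != 1 or len(files[0]) != 1:
            continue  # subfolders or several files: not the dropper's layout
        name = files[0][0]
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext == "exe" or (THREE_ALPHA.match(ext) and ext not in KNOWN_EXT):
            hits.append(folder)
    return hits


if __name__ == "__main__":
    print(lone_payload_folders(SAMPLE_LISTING))
```

Treat the output as triage, not a verdict: a legitimate per-user tool installed as a single .exe in its own AppData folder trips the same heuristic, so hits should be followed up with the hash, the Run-key target and the firewall entries described further down.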



It injects itself into the following processes running in memory. Note that dwm.exe, taskeng.exe, and taskhost.exe exist only on Windows Vista and later, so on the platforms listed above only the remaining processes are injection targets:

  • ctfmon.exe

  • dwm.exe

  • explorer.exe

  • rdpclip.exe

  • taskeng.exe

  • taskhost.exe

  • wscntfy.exe



Other System Modifications


It adds the following registry entries as part of its installation routine. The second entry places EXPLORER.EXE on the Windows Firewall's authorized-applications list for the Standard Profile, which matters because the malware runs inside explorer.exe (see Installation) and so gains outbound access under that process's name:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy
CleanCookies=0



HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
%Windows%\EXPLORER.EXE=%Windows%\EXPLORER.EXE:*:Enabled:Windows Explorer
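The following Python triage routine is an added example, not Trend Micro's or the malware's code. It checks a registry snapshot for the three entries documented on this page: a GUID-named Run value pointing at an .exe in a random folder under Application Data (Autostart Technique), CleanCookies set to 0, and an enabled Windows Firewall exception for a process the malware injects into. The snapshot, the GUID and the folder and file names are constructed placeholders; on a live system the same data would come from a reg.exe export or a forensic hive parser.

```python
import re
from typing import Dict, List, Tuple

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
PRIVACY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy"
FW_LIST_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
               r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

# Value name of the form {GUID}, as used by the Run entry described above.
GUID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.IGNORECASE)
# An .exe exactly one folder below Application Data (XP path or %Application Data% form)
# or below AppData\Roaming, i.e. the %Application Data%\{random1}\{random}.exe layout.
APPDATA_EXE_RE = re.compile(
    r"(?:^|\\|%)(?:application data|appdata\\roaming)%?\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)

# Processes the page lists as injection targets; none of them needs a firewall exception.
INJECTION_TARGETS = {"ctfmon.exe", "dwm.exe", "explorer.exe", "rdpclip.exe",
                     "taskeng.exe", "taskhost.exe", "wscntfy.exe"}

# Constructed registry snapshot: {key path: {value name: data}}. The GUID and the
# folder/file names are invented placeholders for the page's {GUID} and {random}.
SAMPLE_HIVE: Dict[str, Dict[str, object]] = {
    RUN_KEY: {
        "{3F2504E0-4F89-11D3-9A0C-0305E82C3301}":
            r"C:\Documents and Settings\user\Application Data\Kyqoq\ilza.exe",
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    },
    PRIVACY_KEY: {"CleanCookies": 0},
    FW_LIST_KEY: {
        r"C:\WINDOWS\EXPLORER.EXE": r"C:\WINDOWS\EXPLORER.EXE:*:Enabled:Windows Explorer",
        r"C:\Program Files\Messenger\msmsgs.exe":
            r"C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger",
    },
}


def suspicious_run_values(hive: Dict[str, Dict[str, object]]) -> List[Tuple[str, str]]:
    """Run values named like a GUID whose target is an .exe in a random AppData subfolder."""
    hits = []
    for name, data in hive.get(RUN_KEY, {}).items():
        if GUID_RE.match(name) and isinstance(data, str) and APPDATA_EXE_RE.search(data):
            hits.append((name, data))
    return hits


def cookie_cleanup_disabled(hive: Dict[str, Dict[str, object]]) -> bool:
    """True when Internet Explorer\\Privacy\\CleanCookies has been set to 0."""
    return hive.get(PRIVACY_KEY, {}).get("CleanCookies") == 0


def parse_fw_entry(data: str) -> Dict[str, str]:
    """Parse 'path:scope:status:display name'; rsplit keeps the drive colon in the path."""
    path, scope, status, name = data.rsplit(":", 3)
    return {"path": path, "scope": scope, "status": status, "name": name}


def shell_firewall_exceptions(hive: Dict[str, Dict[str, object]]) -> List[str]:
    """Enabled Windows Firewall exceptions for processes the malware injects into."""
    hits = []
    for data in hive.get(FW_LIST_KEY, {}).values():
        entry = parse_fw_entry(str(data))
        exe = entry["path"].rsplit("\\", 1)[-1].lower()
        if exe in INJECTION_TARGETS and entry["status"].lower() == "enabled":
            hits.append(entry["path"])
    return hits


def triage(hive: Dict[str, Dict[str, object]]) -> Dict[str, object]:
    """Combine the three checks into one report for the host."""
    return {
        "run_entries": suspicious_run_values(hive),
        "clean_cookies_disabled": cookie_cleanup_disabled(hive),
        "firewall_exceptions": shell_firewall_exceptions(hive),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HIVE).items():
        print(key, value)
```

Each check on its own is weak (a GUID-named Run value is unusual but not unique to this family, and CleanCookies can be set by policy), so the report is meant to be read as a whole and confirmed against the file hashes in Variant Information.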



Variant Information


It has the following MD5 hashes:

  • 680063f9a7b3c8dd8440ec0a6dc316af


It has the following SHA1 hashes:

  • afb58dc7dd6445026a648257616195374a9c44ab



Web Browser Home Page and Search Page Modification


It modifies the Internet Explorer Zone Settings.

  SOLUTION

Minimum Scan Engine: 8.900


Step 1
For Windows ME and XP users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2
Scan your computer with your Trend Micro product and note files detected as TSPY_ZBOT.BYY

Step 3
Restart in Safe Mode

Step 4
Delete this registry value. This step allows you to delete the registry values created by the malware/grayware/spyware.

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy
    • CleanCookies = 0
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • {GUID} = {malware path and file name}
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    • %Windows%\EXPLORER.EXE = %Windows%\EXPLORER.EXE:*:Enabled:Windows Explorer

To delete the registry value this malware/grayware/spyware created:

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer>Privacy
  3. In the right panel, locate and delete the entry:
    CleanCookies = 0
  4. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
  5. In the right panel, locate and delete the entry:
    {GUID} = {malware path and file name}
  6. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>SharedAccess>Parameters>FirewallPolicy>StandardProfile>AuthorizedApplications>List
  7. In the right panel, locate and delete the entry:
    %Windows%\EXPLORER.EXE = %Windows%\EXPLORER.EXE:*:Enabled:Windows Explorer
  8. Close Registry Editor.

Step 5
Reset Internet security settings. This step allows you to remove modifications made by the malware/grayware/spyware to your Internet security settings.

To reset Internet security settings:

  1. Close all Internet browser windows.
  2. Open Control Panel. To do this:
    • On Windows 98, ME, NT, and 2000
    Click Start>Settings>Control Panel
    • On Windows XP and Server 2003
    Click Start>Control Panel
  3. Double-click Internet Options.
  4. In the Internet Properties window, click the Security tab.
  5. For each Web content zone, click on the Default Level button to set each zone to the default setting.
  6. Click OK.

Step 6
Scan your computer with your Trend Micro product to delete files detected as TSPY_ZBOT.BYY. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
