Analysis by: Mark Joseph Manahan
ALIASES:

PWS:Win32/Zbot.gen!AJ (Microsoft), PWS-Zbot.gen.ary (McAfee)

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003, Windows 7

 OVERALL RISK RATING:
 REPORTED INFECTION:
 SYSTEM IMPACT RATING:
 INFORMATION EXPOSURE:

  • Threat Type: Spyware

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size: 57,344 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 03 Dec 2012

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This spyware drops the following copies of itself into the affected system:

  • %User Profile%\Application Data\{random1}\{random}.exe
  • %Application Data%\{random1}\{random}.exe (Windows 7 only)

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

It creates the following folders:

  • %User Profile%\Application Data\{random1}
  • %User Profile%\Application Data\{random2}
  • %User Profile%\Application Data\{random3}
  • %Application Data%\{random1} (Windows 7 only)
  • %Application Data%\{random2} (Windows 7 only)
  • %Application Data%\{random3} (Windows 7 only)

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

Autostart Technique

This spyware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random} = ""%User Profile%\Application Data\{random1}\{random}.exe""

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random} = "%Application Data%\{random1}\{random}.exe" (Windows 7 only)

Other System Modifications

This spyware adds the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\
{random}

Dropping Routine

This spyware drops the following files:

  • %User Profile%\Application Data\{random2}\{random}.{random}
  • %User Profile%\Application Data\{random3}\{random}.{random}
  • %Application Data%\{random2}\{random}.{random} (Windows 7 only)
  • %Application Data%\{random3}\{random}.{random} (Windows 7 only)

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

Other Details

This spyware connects to the following possibly malicious URL:

  • http://{BLOCKED}ilericinguvenlik.com/wp-content/themes/mystique/file.php|file=x.exe
  • http://{BLOCKED}albirikim.com/wp-content/themes/koydernek/wpg.php
  • http://{BLOCKED}8.kz/{BLOCKED}ges/file.php|file=x.bin
  • http://{BLOCKED}memories.kz/images/file.php|file=x.bin
  • http://www.{BLOCKED}orter.com.ua/images/file.php|file=x.bin