TSPY_ZBOT.SMKLL

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It is injected into all running processes to remain memory resident.

It does not have any propagation routine.

It modifies the Internet Explorer Zone Settings.

As of this writing, the said sites are inaccessible.

It deletes the initially executed copy of itself.

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This spyware drops the following copies of itself into the affected system:

• %Application Data%\{random foldername 1}\{random filename 1}.exe

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops the following files:

• %Application Data%\{random foldername 2}\{random filename 2}.{random extension}
• %Application Data%\{random foldername 2}\{random filename 2}.tmp
• %Application Data%\{random foldername 3}\{random filename 3}.{random extension}

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops and executes the following files:

• %User Temp%\tmp{random}.bat ← use to delete initially executed copy, delete itself afterwards

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It creates the following folders:

• %Application Data%\{random foldername 1}
• %Application Data%\{random foldername 2}
• %Application Data%\{random foldername 3}

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It is injected into all running processes to remain memory resident.

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Local\{GUID}
• Global\{GUID}

Autostart Technique

This spyware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{Random} = "%Application Data%\{random foldername 1}\{random filename 1}.exe"

Other System Modifications

This spyware adds the following registry keys:

​HKEY_CURRENT_USER\Software\Microsoft\
{random key}

It adds the following registry entries:

​HKEY_CURRENT_USER\Software\Microsoft\
{random key}
{random 1} = "{random hex values}"

​HKEY_CURRENT_USER\Software\Microsoft\
{random key}
{random 2} = "{random hex values}"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Privacy
CleanCookies = "0"

Propagation

This spyware does not have any propagation routine.

Web Browser Home Page and Search Page Modification

This spyware modifies the Internet Explorer Zone Settings.

Download Routine

This spyware connects to the following URL(s) to download its configuration file:

• https://{BLOCKED}lnoejavlenieprimer.net/bmbmbm/file.php
• https://{BLOCKED}rtabilneiedelalinks.net/bmbmbm/file.php
• https://{BLOCKED}ortabilneiedelaaches.net/bmbmbm/file.php

As of this writing, the said sites are inaccessible.

Information Theft

This spyware s configuration file contains the following information:

• URLs where it downloads an updated copy of itself
• URLs where it sends its gathered information
• URLs of its target online banking and finance-related sites from where it steals the information

It gathers the following data:

• Data on cookie files (URLs)
• Email-related information such as account names, email addresses, passwords, server data, and server port
• Email information stored in the user’s Windows Address Book (WAB) file
• Online banking credentials
• Personal digital cerificate

It attempts to steal stored account information used in the following installed File Transfer Protocol (FTP) clients or file manager software:

• FlashFXP
• Ghisler Total Commander
• ipswitch ws_ftp
• Far/Far2
• martin prikryl winscp 2
• ftpware coreftp
• smartftp

Other Details

This spyware deletes the initially executed copy of itself

NOTES:

It does not inject its code in running processes which are related to the following security products:

• Rapport
• SafenSoft SysWatch
• McAfee
• McAfee Security Center
• McAfee SecurityCenter
• Symantec Client
• Symantec Protection
• Symantec Shared
• Symantec Security
• Norton Protection
• Kaspersky Security
• Kaspersky Anti-Virus
• avast! Antivirus
• AntiVir Desktop
• AVG Monitor
• AVG Service
• AVG Security
• ESET Security
• ESET Antivirus
• Microsoft Inspection
• Microsoft Malware
• Microsoft Security