TSPY_ZBOT.YUNCR

March 26, 2014
 Analysis by: Alvin John Nieto
 ALIASES:

PWS:Win32/Zbot (Microsoft), Win32/Spy.Zbot.AAU trojan (ESET), Trojan.Zbot (Symantec)

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Spyware

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size:

438,272 bytes

File Type:

EXE

Initial Samples Received Date:

19 Mar 2014

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This spyware drops the following files:

  • %System%\drivers\{random}.sys
  • %Application Data%\Microsoft\Address Book\{username}.wab

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

Other System Modifications

This spyware adds the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{random}

It adds the following registry entries:

HKEY_CURRENT_USER
{random} = {random}

HKEY_CURRENT_USER\Software\Microsoft\
WAB\WAB4
OlkContactRefresh = "0"

HKEY_CURRENT_USER\Software\Microsoft\
WAB\WAB4
OlkFolderRefresh = "0"

HKEY_CURRENT_USER\Software\Microsoft\
WAB\WAB4\Wab File Name
@ = "%Application Data%\Microsoft\Address Book\{username.wab}"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
@ =

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%Windows%\explorer.exe = "%Windows%\explorer.exe:*:Enabled:Windows Explorer"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\GloballyOpenPorts\
List
3169:UDP = "3169:UDP:*:Enabled:UDP 3169"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\GloballyOpenPorts\
List
1711:TCP = "1711:TCP:*:Enabled:TCP 1711"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_{random}
NextInstance = "1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_{random}\
0000
Service = "{random}"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_{random}\
0000
Legacy = "1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_{random}\
0000
ConfigFlags = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_{random}\
0000
Class = "LegacyDriver"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_{random}\
0000
ClassGUID = "{GUID}"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_{random}\
0000
DeviceDesc = {malware name}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_{random}\
0000\Control
*NewlyCreated* = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_{random}\
0000\Control
ActiveService = "{random}"

Other Details

This spyware connects to the following URL(s) to check for an Internet connection:

  • http://www.google.com
  • http://www.bing.com

It connects to the following possibly malicious URL:

  • http://{random generated URL}