
PWS:Win32/Zbot.gen!R


First posted on 31 May 2019.
Source: Microsoft

Aliases :

PWS:Win32/Zbot.gen!R is also known as Win32/Kollah.UE, Troj/Agent-IPS, Trojan-Spy.Win32.Zbot.kbi, Backdoor.Bot.71576, Spy-Agent.bw, Infostealer.

Explanation :

PWS:Win32/Zbot.gen!R is a password-stealing trojan that may arrive on the system as a spammed email purporting to be an airline e-ticket or a network settings change notification.

Installation :

PWS:Win32/Zbot.gen!R may arrive on the system via a spammed email, for example:

===
From: (note that this address is spoofed)
To:
Subject: E-ticket #4958701247
Attachment: Your_ETicket.zip (note that when unzipped, this file becomes Your_ETicket.exe and is detected as PWS:Win32/Zbot.gen!R)

Body:
Hello! Thank you for using our new service "Buy Northwest Airlines ticket Online" on our website.
Your account has been created:
Your login: recipient e-mail address
Your password: pass5OB1
Your credit card has been charged for $424.02.
We would like to remind you that whenever you order tickets on our website you get a discount of 10%!
Attached to this message is the purchase Invoice and the Northwest Airlines ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!
Kind regards,
Cheri Mckenna
Northwest Airlines
===

===
Body:
Dear user of the mailing service! We are informing you that because of the security upgrade of the mailing service your mailbox (@) settings were changed. In order to apply the new set of settings click on the following link:
===

Note that the emails are fake and are not sent out by any airline or mailing service.

Upon execution, PWS:Win32/Zbot.gen!R drops a copy of itself on the system as "<system folder>\wex.exe". It then modifies the following registry value so that its dropped copy automatically runs every time a user logs in:

Modifies value: "userinit"
With data: "userinit.exe, <system folder>\wex.exe,"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; for XP and Vista it is C:\Windows\System32.

Payload :

Steals Information
PWS:Win32/Zbot.gen!R attempts to steal the following sensitive information from the system:
- Certificates
- Cached passwords
- Cookies

It also creates the following encrypted log file, in which it presumably writes all stolen data:
<system folder>\wain_32\user.ds

It then attempts to connect to the IP address "91.211.65.33" for additional instructions from a remote attacker.

Analysis by Francis Allan Tan Seng
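The Winlogon Userinit modification and the remote address above are the two indicators an administrator can check directly. The following Python is an added example and is not part of the original Microsoft entry: it extracts the Userinit value from a constructed .reg-style export of the Winlogon key, flags any entry beyond the stock userinit.exe (handling the trailing comma the modified value carries), and scans constructed firewall log lines for the listed address. The export text, the log lines and all function names are assumptions made for this illustration.

```python
"""Added example: check the host and network indicators described in the entry.
Not from the original Microsoft page; the registry export, log lines and
function names below are constructed for illustration."""
import re
from typing import List

# Stock Userinit entry on a clean system. Windows accepts either the bare
# filename or the full path, so both spellings are treated as expected.
EXPECTED_USERINIT = {"userinit.exe", r"c:\windows\system32\userinit.exe"}

# Remote address named in the entry.
C2_ADDRESS = "91.211.65.33"

# Constructed .reg export of the Winlogon key, showing the modification the
# entry describes (the .reg format doubles backslashes inside string values).
REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="userinit.exe, C:\\Windows\\System32\\wex.exe,"
'''

# Constructed firewall log lines; only the third one reaches the listed address.
FIREWALL_LOG = [
    "2019-05-31 10:02:11 ALLOW TCP 10.0.0.5:49321 -> 13.107.21.200:443",
    "2019-05-31 10:02:14 ALLOW UDP 10.0.0.5:55012 -> 10.0.0.1:53",
    "2019-05-31 10:02:19 ALLOW TCP 10.0.0.5:49330 -> 91.211.65.33:80",
]


def userinit_from_reg_export(text: str) -> str:
    """Pull the Userinit string out of a .reg export and undo its escaping."""
    m = re.search(r'^"Userinit"="(.*)"\s*$', text, re.MULTILINE | re.IGNORECASE)
    if m is None:
        raise ValueError("no Userinit value found in export")
    return m.group(1).replace("\\\\", "\\")


def parse_userinit(value: str) -> List[str]:
    """Split the comma-separated Userinit value into normalised entries.

    Winlogon launches every non-empty entry in order, so the trailing comma
    the malware leaves behind is harmless to Windows but yields an empty
    field here that must be dropped before comparison."""
    return [e.strip().lower() for e in value.split(",") if e.strip()]


def unexpected_userinit_entries(value: str) -> List[str]:
    """Return every Userinit entry that is not the stock userinit.exe."""
    return [e for e in parse_userinit(value) if e not in EXPECTED_USERINIT]


def connections_to_c2(lines: List[str], address: str = C2_ADDRESS) -> List[str]:
    """Return log lines that contain the exact address (so 91.211.65.33 does
    not also match 91.211.65.330 or 191.211.65.33)."""
    pattern = re.compile(r"(?<![\d.])" + re.escape(address) + r"(?!\d)")
    return [line for line in lines if pattern.search(line)]


if __name__ == "__main__":
    value = userinit_from_reg_export(REG_EXPORT)
    for extra in unexpected_userinit_entries(value):
        print(f"suspicious Userinit entry: {extra}")
    for line in connections_to_c2(FIREWALL_LOG):
        print(f"connection to listed address: {line}")
```

On a live host the same comparison applies to the value read from HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon; anything in Userinit other than userinit.exe warrants a look at the referenced file, and the trailing-comma form shown in the entry is itself a useful tell.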

Last update 31 May 2019
