PWS:Win32/Zbot.SI
First posted on 26 April 2010.
Source: SecurityHome

Aliases:
PWS:Win32/Zbot.SI is also known as PWS-Zbot.gen.ab (McAfee), TSPY_ZBOT.NCT (Trend Micro), Win32/Spy.Zbot.UN (ESET), Trojan.Zbot (Symantec), Trojan-Spy.Win32.Zbot.ahvy (Kaspersky).
Explanation:
PWS:Win32/Zbot.SI is a password-stealing trojan. Win32/Zbot also contains backdoor functionality that allows unauthorized access and control of an affected computer.
Installation

PWS:Win32/Zbot.SI may arrive via a spammed e-mail message with a PDF attachment masquerading as a delivery notice from the "Royal Mail", with a file name similar to "Royal_Mail_Delivery_Invoice_1092817.pdf". The PDF attachment contains an embedded executable Win32/Zbot payload. If the user opens the document with a version of Adobe Reader that is vulnerable to a certain software flaw and clicks through a series of dialog boxes, the vulnerability could be exploited to make the document automatically launch the embedded executable.

Upon execution, the trojan drops a copy of itself on the system as:

<system folder>\sdra64.exe

Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 for Windows 2000 and NT, and C:\Windows\System32 for XP and Vista.

It then modifies the registry so that this file is executed at each Windows start:

Modifies value: "userinit"
With data: "<system folder>\userinit.exe,<system folder>\sdra64.exe,"
In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

When "sdra64.exe" executes, it injects code into the running process "winlogon.exe", which in turn injects code into other running processes, including, for example:

explorer.exe
lsass.exe
services.exe
smss.exe
spoolsv.exe
svchost.exe
winlogon.exe
wauclt.exe

Payload

Steals sensitive information

The Zbot family of malware is used to obtain sensitive information from the affected system, such as:

Trusted Web site certificates
Cached Web browser passwords
Cookies

PWS:Win32/Zbot.SI creates the following encrypted log file under a hidden folder, in which it presumably writes all stolen data:

<system folder>\lowsec\user.ds

Contacts remote site for instructions / Downloads and executes arbitrary files

After installation, PWS:Win32/Zbot.SI attempts to contact the remote IP address "59.44.60.152" on TCP port 6010 to download additional instructions (which may be in the form of a configuration file) and/or arbitrary files to execute.

Allows remote backdoor access and control

Zbot can be instructed by a remote attacker to perform a host of actions, including the following:

Rename itself
Obtain certificates and other stolen information
Block specified URLs
Download and execute arbitrary files
Establish a SOCKS proxy

PWS:Win32/Zbot.SI opens and listens on TCP port 18691 for additional instructions from a remote attacker.

Additional Information

PWS:Win32/Zbot.SI may make the following additional registry modification:

Sets value: "UID"
With data: "avm<computer-specific ID>"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Network
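The Winlogon "Userinit" modification above is the persistence artifact a responder would check for. The following is an added example (not part of the original description) that parses a Userinit value and flags any entry other than userinit.exe; the file name sdra64.exe and the sample value are taken from the description above, and reading the live key via winreg is an assumption that only applies on Windows.

```python
"""Flag non-default entries in the Winlogon "Userinit" registry value."""
import ntpath
import platform
from typing import List, Optional

# On a clean system the value holds only userinit.exe (plus a trailing comma).
DEFAULT_USERINIT = "userinit.exe"

# Dropped-file name reported for this variant in the description above.
KNOWN_BAD_NAMES = {"sdra64.exe"}


def parse_userinit(value: str) -> List[str]:
    """Split the comma-separated Userinit string into its non-empty entries."""
    return [e.strip() for e in value.split(",") if e.strip()]


def suspicious_userinit_entries(value: str) -> List[str]:
    """Return every entry whose file name is not userinit.exe.

    Zbot appends its dropped copy after the legitimate entry, so anything
    beyond userinit.exe is worth investigating. Comparison is on the base
    name, case-insensitively, so a full path and a bare name both count.
    """
    return [e for e in parse_userinit(value)
            if ntpath.basename(e).lower() != DEFAULT_USERINIT]


def matches_known_bad(entries: List[str]) -> List[str]:
    """Narrow suspicious entries to names this description attributes to Zbot."""
    return [e for e in entries if ntpath.basename(e).lower() in KNOWN_BAD_NAMES]


def read_live_userinit() -> Optional[str]:
    """On Windows, read the real value with winreg; elsewhere return None."""
    if platform.system() != "Windows":
        return None
    import winreg  # only available on Windows (assumption: standard CPython)
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon")
    value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    # Constructed sample mirroring the infected value from the description.
    sample = read_live_userinit() or \
        r"C:\Windows\System32\userinit.exe,C:\Windows\System32\sdra64.exe,"
    extra = suspicious_userinit_entries(sample)
    print("extra Userinit entries:", extra)
    print("known Zbot names:", matches_known_bad(extra))
```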
Analysis by Wei Li
Last update 26 April 2010