
PWS:Win32/Zbot.AEV


First posted on 17 May 2012.
Source: Microsoft

Aliases:

PWS:Win32/Zbot.AEV is also known as Trojan-PWS.Win32.Zbot (Ikarus).

Explanation:

PWS:Win32/Zbot.AEV is a trojan that steals user names and passwords for online accounts, including financial, email, and network credentials. If it infects your computer, your computer may effectively become part of a bot network known as "Zeus". PWS:Win32/Zbot.AEV may also allow backdoor access and control of an infected computer.

It is usually distributed via spam email messages and compromised websites.



Installation

PWS:Win32/Zbot.AEV may be installed by other malware, or it may arrive as an attachment to spammed email messages or downloaded from compromised websites. Some samples have been observed bundled with malware detected as Trojan:Win32/Startpage.

When run, PWS:Win32/Zbot.AEV drops a modified copy of itself as a randomly-named file in a randomly-named folder in the Application Data folder. It also modifies the system registry so that its copy automatically runs at every Windows start.

It injects code into the address space of all running processes, matching the privileges of the currently logged-on user. For example, if the current user is logged on as an administrator, PWS:Win32/Zbot.AEV injects its code into all administrator-level processes, such as "winlogon.exe", "smss.exe", and so on.

Otherwise, it injects its code into all user-level processes, such as "explorer.exe", "reader_sl.exe", and so on. It does this to hide its presence on the computer.

Spreads via...

Remote Desktop Services (RDS)

PWS:Win32/Zbot.AEV may spread to other computers in the network if the computer is running Remote Desktop Services (RDS). It attempts to drop a copy of itself in the following folders for every connected RDS session:

  • <Drive:>\Documents and Settings\<user name>\
  • <Drive:>\Documents and Settings\Default user\
  • <Drive:>\Users\<user name>\
  • <Drive:>\Users\default\


Payload

Steals sensitive information

PWS:Win32/Zbot.AEV hooks the following Windows system APIs to steal login credentials for online accounts, such as financial, email, and network transactions:

Within "NTDLL.DLL":

  • LdrLoadDll
  • ZwCreateThread


Within "KERNEL32.DLL":

  • GetFileAttributesExW


Within "WININET.DLL":

  • HttpQueryInfoA
  • HttpSendRequestA
  • HttpSendRequestExA
  • HttpSendRequestExW
  • HttpSendRequestW
  • InternetCloseHandle
  • InternetQueryDataAvailable
  • InternetReadFile
  • InternetReadFileExA
  • InternetSetOptionA
  • InternetSetStatusCallbackA
  • InternetSetStatusCallbackW


Within "WS2_32.DLL":

  • closesocket
  • recv
  • send
  • WSARecv
  • WSASend


Within "GDI32.DLL":

  • CallWindowProcA
  • CallWindowProcW
  • DefDlgProcA
  • DefDlgProcW
  • DefFrameProcA
  • DefFrameProcW
  • DefMDIChildProcA
  • DefMDIChildProcW
  • DefWindowProcA
  • DefWindowProcW
  • OpenInputDesktop
  • RegisterClassA
  • RegisterClassExA
  • RegisterClassExW
  • RegisterClassW
  • SwitchDesktop


Within "USER32.DLL":

  • BeginPaint
  • EndPaint
  • GetCapture
  • GetClipboardData
  • GetCursorPos
  • GetDC
  • GetDCEx
  • GetMessageA
  • GetMessagePos
  • GetMessageW
  • GetUpdateRect
  • GetUpdateRgn
  • GetWindowDC
  • PeekMessageA
  • PeekMessageW
  • ReleaseCapture
  • ReleaseDC
  • SetCapture
  • SetCursorPos
  • TranslateMessage


Within "CRYPT32.DLL":

  • PFXImportCertStore


PWS:Win32/Zbot.AEV also hooks the following APIs so that it can steal credentials when Firefox is the browser in use:

  • PR_OpenTCPSocket
  • PR_Close
  • PR_Read
  • PR_Write
  • PR_Poll


PWS:Win32/Zbot.AEV also steals the following:

  • Digital certificates
  • Internet Explorer cookies
  • Cached passwords


It may also log keystrokes and take screenshots. Captured data is sent to a predefined FTP or email server.

Lowers Internet Explorer security

PWS:Win32/Zbot.AEV lowers Internet Explorer browser security settings by modifying the following registry data:

Disables clearing Internet Explorer browser cookies:

In subkey: HKCU\Software\Microsoft\Internet Explorer\Privacy
Sets value: "CleanCookies"
With data: "0"

Disables Internet Explorer Internet zone security settings:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
Sets value: "1609"
With data: "0"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Sets value: "1406"
With data: "0"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Sets value: "1609"
With data: "0"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Sets value: "1406"
With data: "0"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
Sets value: "1406"
With data: "0"
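The registry changes listed above can be checked offline from an exported registry fragment. The following Python script is an added example, not part of this entry or of any Microsoft tooling: it parses a small subset of the .reg export format and reports which of the listed (subkey, value, data) combinations are present. The sample export it runs on is constructed for the example.

```python
import re

# Registry indicators taken from this entry: (subkey, value name) -> data the trojan writes.
ZBOT_AEV_INDICATORS = {
    (r"HKCU\Software\Microsoft\Internet Explorer\Privacy", "CleanCookies"): "0",
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0", "1609"): "0",
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1", "1406"): "0",
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2", "1609"): "0",
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3", "1406"): "0",
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4", "1406"): "0",
}

# Constructed sample in the shape of `reg export` output: the Privacy and Zone 0 settings
# are already tampered with, while Zone 1 still holds a non-zero (untampered) value.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy]
"CleanCookies"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"DisplayName"="Computer"
"1609"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"DisplayName"="Local intranet"
"1406"=dword:00000003
"""

# Matches the two value syntaxes handled here: "name"=dword:XXXXXXXX and "name"="string".
_VALUE_RE = re.compile(r'^"([^"]+)"=(dword:[0-9A-Fa-f]{8}|"[^"]*")$')


def parse_reg_export(text):
    """Return {(subkey, value name): data as a string}, with the hive spelled HKCU."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].replace("HKEY_CURRENT_USER", "HKCU", 1)
            continue
        m = _VALUE_RE.match(line)
        if key and m:
            name, raw = m.groups()
            # dword:00000000 -> "0"; "text" -> text
            data = str(int(raw[len("dword:"):], 16)) if raw.startswith("dword:") else raw[1:-1]
            values[(key, name)] = data
    return values


def find_zbot_aev_indicators(values):
    """Return the (subkey, value name) pairs whose data matches what PWS:Win32/Zbot.AEV sets."""
    return sorted(k for k, data in ZBOT_AEV_INDICATORS.items() if values.get(k) == data)
```

A hit means the setting matches what the trojan writes, not that the trojan is present; an administrator or another program can set the same data, so treat the result as a triage lead to confirm against the dropped file and Run-key entries described under Installation.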

Lowers Firefox web browser security

PWS:Win32/Zbot.AEV may modify Firefox settings to do the following:

  • Disable clearing Internet cookies
  • Disable displaying warning messages when viewing webpages that mix secure and insecure content
  • Disable displaying warning messages when submitting data to insecure pages


Allows remote access and control

Some variants of this malware may perform the following actions:

  • Enable or disable HTTP injection
  • Log off the current user
  • Manipulate available mail server configuration
  • Prevent or allow the browser from accessing certain URLs
  • Restart or shut down the computer
  • Run a program
  • Search for and delete files and folders
  • Set the Internet Explorer home page
  • Steal email credentials
  • Steal or delete certificates
  • Steal FTP server credentials
  • Steal Internet Explorer browser cookies
  • Traverse folders
  • Uninstall itself, or update the version installed on the computer




Analysis by Zarestel Ferrer

Last update 17 May 2012
