Trojan.Zbot.C
First posted on 14 October 2015.
Source: Symantec
Aliases:
There are no other names known for Trojan.Zbot.C.
Explanation:
When the Trojan is executed, it creates the following folders:
%UserProfile%\Application Data\tor
%UserProfile%\Application Data\tor\lock
%UserProfile%\Application Data\tor\state
%UserProfile%\Application Data\[RANDOM FOLDER NAME ONE]
%UserProfile%\Application Data\[RANDOM FOLDER NAME TWO]
The Trojan also creates the following files:
%UserProfile%\Application Data\[RANDOM FOLDER NAME ONE]\[RANDOM FILE NAME TWO].[RANDOM THREE CHARACTER FILE EXTENSION]
%UserProfile%\Application Data\[RANDOM FOLDER NAME ONE]\[RANDOM FILE NAME TWO].tmp
%UserProfile%\Application Data\[RANDOM FOLDER NAME TWO]\[RANDOM FILE NAME ONE].exe
%UserProfile%\Local Settings\Application Data\Identities\{91FD83EF-B9F6-410E-97DC-5C667AC85868}\Microsoft\Outlook Express\Sent Items.dbx
The Trojan then creates the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Wupaby\"Ilpyvi" = "[HEXADECIMAL VALUE]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"{8691AC89-341E-AFD0-36CE-AE6C3F798526}" = "%UserProfile%\Application Data\[RANDOM FILE NAME TWO]\[RANDOM FILE NAME THREE].exe"
HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\"FirstRun" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy\"CleanCookies" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\"ConnectionSettingsMigrated" = "1"
Next, the Trojan modifies the following files:
%UserProfile%\Local Settings\Application Data\Identities\{91FD83EF-B9F6-410E-97DC-5C667AC85868}\Microsoft\Outlook Express\Folders.dbx
%UserProfile%\Local Settings\Application Data\Identities\{91FD83EF-B9F6-410E-97DC-5C667AC85868}\Microsoft\Outlook Express\Inbox.dbx
%UserProfile%\Local Settings\Application Data\Identities\{91FD83EF-B9F6-410E-97DC-5C667AC85868}\Microsoft\Outlook Express\Offline.dbx
The Trojan then modifies the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\UnreadMail\[USER NAME]@[NETWORK DOMAIN]\"TimeStamp" = "[HEXADECIMAL VALUE]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\"1609" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\"1406" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\"1609" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\"1406" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\"1609" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\"1609" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\"1406" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\"1609" = "0"
HKEY_CURRENT_USER\Identities\{91FD83EF-B9F6-410E-97DC-5C667AC85868}\Software\Microsoft\Outlook Express\5.0\"Compact Check Count" = "2"
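As an added example (not part of the Symantec write-up), the following PowerShell triage script checks the current user profile for the persistence entry, the Wupaby key, the Internet Explorer zone changes and the Tor folders listed above. The key names, GUID and zone values are taken from the write-up; the script structure and its output format are this editor's own.

```powershell
# Added example: host triage for the Trojan.Zbot.C artifacts described in the
# write-up. Run as the user whose profile is being examined (HKCU and
# %APPDATA% are per-user). Reports findings; does not modify anything.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Persistence: the Run value whose name is the fixed GUID from the write-up.
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runName = '{8691AC89-341E-AFD0-36CE-AE6C3F798526}'
$run = Get-ItemProperty -Path $runKey -Name $runName -ErrorAction SilentlyContinue
if ($run) { $findings.Add("Run entry $runName -> $($run.$runName)") }

# 2. The non-standard key the Trojan creates for its own data.
if (Test-Path 'HKCU:\Software\Microsoft\Wupaby') {
    $findings.Add('Key HKCU\Software\Microsoft\Wupaby exists')
}

# 3. IE zone settings rolled back to 0 ("enable"): 1609 (display mixed
#    content) and 1406 (access data sources across domains), exactly the
#    zone/setting pairs the write-up lists. A value of 0 can also be set
#    legitimately by policy, so treat this as a weak indicator on its own.
$zoneBase = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zonePairs = @(
    @{Zone='0'; Setting='1609'},
    @{Zone='1'; Setting='1609'}, @{Zone='1'; Setting='1406'},
    @{Zone='2'; Setting='1609'},
    @{Zone='3'; Setting='1609'}, @{Zone='3'; Setting='1406'},
    @{Zone='4'; Setting='1609'}, @{Zone='4'; Setting='1406'}
)
foreach ($pair in $zonePairs) {
    $p = Get-ItemProperty -Path "$zoneBase\$($pair.Zone)" -Name $pair.Setting -ErrorAction SilentlyContinue
    if ($p -and $p.$($pair.Setting) -eq 0) {
        $findings.Add("Zone $($pair.Zone) setting $($pair.Setting) = 0")
    }
}

# 4. Folder artifacts: the bundled Tor state directories under Application Data.
$appData = [Environment]::GetFolderPath('ApplicationData')
foreach ($sub in 'tor', 'tor\lock', 'tor\state') {
    $path = Join-Path $appData $sub
    if (Test-Path -LiteralPath $path) { $findings.Add("Folder $path exists") }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Trojan.Zbot.C indicators found.'
} else {
    Write-Output "Found $($findings.Count) indicator(s):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

The random folder and file names cannot be matched directly; the fixed GUID in the Run key and the Wupaby key are the strongest host-side signals here, and the zone changes corroborate them.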
The Trojan then opens a back door on the compromised computer, allowing an attacker to perform the following actions:
Use Tor to anonymize network activity
Create a remote framebuffer (RFB) protocol for Virtual Network Computing (VNC) connections back to the attacker
Create a Socket Secure (SOCKS) proxy
Log keystrokes
Capture screenshots
Next, the Trojan downloads configuration data from the following remote location:
kdsk3afdiolpgejs.onion/sphinx/config.bin
The Trojan then steals information from the following FTP clients and sends it to a remote location:
FAR
Core FTP
FTP Commander
Total Commander
Smart FTP
WS_FTP
The Trojan also steals the following information and sends it to a remote location:
Browser history
Browser cookies
Windows Mail accounts
Email contacts
Windows certificates
Last update 14 October 2015