
PWS:Win32/Zbot.LL


First posted on 01 July 2019.
Source: Microsoft

Aliases :

PWS:Win32/Zbot.LL is also known as TSPY_BANKRYPT.X, Trojan-Spy.Win32.Zbot.zr, Infostealer.Banker.C.

Explanation :

PWS:Win32/Zbot.LL is a password stealing trojan. Win32/Zbot also contains backdoor functionality that allows unauthorized access and control of an affected machine.

Installation

When executed, PWS:Win32/Zbot.LL copies itself with a variable file name to the System directory, for example:

%System%\tos.exe

Note - %System% refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.

It modifies the registry to execute this copy at each Windows start:

Sets value: "userinit"
With data: "userinit.exe,<path of the malware copy>,"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

For example:

Sets value: "userinit"
With data: "userinit.exe,%System%\tos.exe"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Many Zbot variants utilize code injection in order to hinder detection and removal. When PWS:Win32/Zbot.LL executes, it may inject code into the running process 'winlogon.exe', which in turn injects code into other running processes, including the following, for example:

explorer.exe
lsass.exe
services.exe
smss.exe
svchost.exe
winlogon.exe

PWS:Win32/Zbot.LL may also create the following additional files on an affected machine:

%System%\wsnpoem\audio.dll
%System%\wsnpoem\video.dll.cla

Payload

Steals sensitive information

The Zbot family of malware is used to obtain sensitive information from the affected system, such as:

Trusted Web site certificates
Cached Web browser passwords
Cookies

Note: Many Zbot variants specifically target the websites of Bank of America.

Variants of Zbot may also parse e-mail and FTP traffic in order to obtain e-mail addresses and FTP login details.

Contacts remote site for instruction / Downloads and executes arbitrary files

After installation, PWS:Win32/Zbot.LL attempts to contact the remote site community.infinitie.net via port 80 in order to download additional instructions (which may be in the form of a configuration file) and/or arbitrary files to execute.

Allows remote backdoor access and control

Zbot can be instructed to perform a host of actions by a remote attacker, including the following:

Rename itself
Obtain certificates and other stolen information
Block specified URLs
Download and execute arbitrary files
Establish a Socks proxy

Modifies system security settings

PWS:Win32/Zbot.LL may modify the following registry entry in order to attempt to disable the firewall:

Sets value: "EnableFirewall"
With data: "0"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile

Additional Information

PWS:Win32/Zbot.LL may make the following additional registry modifications:

Sets value: "UID"
With data: "avm"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Network

Analysis by Matt McCormack
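The registry artefacts listed above (the extra Userinit entry under Winlogon, EnableFirewall set to 0 in the StandardProfile firewall policy, the UID value under Windows NT\CurrentVersion\Network, and any reference to the wsnpoem directory) can be checked offline from a `reg export` file taken from a suspect host. The script below is an added example written for this page; it is not code from Microsoft or from malwarePDF. It assumes the plain-text format that `reg export` writes (bracketed full key names, `"name"="string"` and `"name"=dword:hex` lines) and that a clean Userinit value lists only userinit.exe before its trailing comma; the two registry exports embedded in it are constructed for the example, not data from the original analysis.

```python
import re

# Registry locations named in the analysis, lower-cased for matching.
# `reg export` writes the full hive name (HKEY_LOCAL_MACHINE, not HKLM).
WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
NETWORK_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\network"
FIREWALL_KEY = (r"hkey_local_machine\system\currentcontrolset\services\sharedaccess"
                r"\parameters\firewallpolicy\standardprofile")

# A value line is "name"=data or @=data (default value).
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse `reg export` output into {key (lower-cased): {value name: data}}.
    REG_SZ becomes str, REG_DWORD becomes int; other types stay as raw text."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = _unescape(m.group(1)) if m.group(1) is not None else "@"
        data = m.group(3).strip()
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        keys[current][name] = data
    return keys


def _value(keys, key, name):
    # Value names are case-insensitive in the registry.
    for n, d in keys.get(key, {}).items():
        if n.lower() == name.lower():
            return d
    return None


def triage(text):
    """Return a list of findings for the indicators described in the analysis."""
    keys = parse_reg_export(text)
    findings = []

    # Persistence: a clean Userinit reads "<system dir>\userinit.exe," with
    # nothing after the comma. Every extra entry is started at each logon.
    userinit = _value(keys, WINLOGON_KEY, "Userinit")
    if isinstance(userinit, str):
        for entry in (e.strip() for e in userinit.split(",")):
            if entry and not entry.lower().endswith("userinit.exe"):
                findings.append("Winlogon\\Userinit starts extra program: " + entry)

    # Security settings: EnableFirewall=0 in StandardProfile turns the firewall off.
    if _value(keys, FIREWALL_KEY, "EnableFirewall") == 0:
        findings.append("Windows Firewall disabled via StandardProfile\\EnableFirewall=0")

    # Additional marker: the UID value under Windows NT\CurrentVersion\Network.
    uid = _value(keys, NETWORK_KEY, "UID")
    if uid is not None:
        findings.append("Windows NT\\CurrentVersion\\Network\\UID present: %r" % (uid,))

    # File artefacts: any string value that points into the wsnpoem directory.
    for key, values in keys.items():
        for name, data in values.items():
            if isinstance(data, str) and "wsnpoem" in data.lower():
                findings.append("Reference to wsnpoem directory in %s\\%s" % (key, name))
    return findings


# Constructed sample: what an export from an infected host might look like.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\tos.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network]
"UID"="avm"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
'''

# Constructed sample: the same keys on a clean host.
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001
'''

if __name__ == "__main__":
    for finding in triage(SAMPLE_EXPORT):
        print(finding)
```

To use it on a real export, run `reg export HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon winlogon.reg` (and the same for the other two keys) on the host, then read the files with `encoding="utf-16"`, since `reg export` writes UTF-16 text, and pass the contents to `triage()`. The Userinit check is deliberately a whitelist of the one expected entry rather than a match on `tos.exe`, because the analysis says the file name varies between samples.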

Last update 01 July 2019
