
Trojan.Spy.ZBot.VG


First posted on 21 November 2011.
Source: BitDefender

Aliases :

There are no other names known for Trojan.Spy.ZBot.VG.

Explanation :

This version of ZBot is a re-encrypted build of Trojan.Spy.Zbot.UI.
It spreads through spam e-mail with the subject "Who killed Michael Jackson?". The e-mail contains a link to hxxp://mjackson.[removed]j.com/x-files, which lures the user into downloading and executing the malware.
When executed it decrypts its payload and injects it into winlogon.exe and svchost.exe, so that file creation and Internet access take place from trusted system processes rather than from a process the user would notice. It then copies itself to %WINDIR%\system32\sdra64.exe and appends garbage bytes to the copy so that its MD5 hash differs from that of the original dropper, an attempt to evade hash-based AV detection. It also creates the following encrypted and hidden files:
%WINDIR%\system32\sdra64.exe
%WINDIR%\system32\lowsec\local.ds
%WINDIR%\system32\lowsec\user.ds
%WINDIR%\system32\lowsec\user.ds.lll
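The padding trick is worth seeing in code. The following added example, not code from the BitDefender write-up or from the malware, builds a constructed minimal PE-shaped buffer, appends junk past the last section, and shows that the file's MD5 changes while a hash computed only over the bytes the loader actually maps (everything up to the end of the last section's raw data) does not. The function names and the toy PE layout are the example's own; the header offsets are the real PE ones.

```python
import hashlib
import struct

# Real PE header offsets and sizes used below.
E_LFANEW_OFFSET = 0x3C            # DOS header field pointing at "PE\0\0"
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40
PE32_OPTIONAL_HEADER_SIZE = 224


def build_toy_pe(section_payload: bytes) -> bytes:
    """Build a constructed, minimal PE-shaped buffer for the demonstration.

    Layout: DOS header, "PE\0\0", COFF header, PE32 optional header, one
    section header, then the section's raw data. Only the fields that
    pe_image_end() reads are meaningful; this is not a loadable binary.
    """
    headers_end = 0x40 + 4 + COFF_HEADER_SIZE + PE32_OPTIONAL_HEADER_SIZE + SECTION_HEADER_SIZE
    raw_ptr = (headers_end + 0x1FF) & ~0x1FF      # 512-byte file alignment
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, PE32_OPTIONAL_HEADER_SIZE, 0x0102)
    optional = bytearray(PE32_OPTIONAL_HEADER_SIZE)
    struct.pack_into("<H", optional, 0, 0x10B)    # PE32 magic
    section = struct.pack(
        "<8sIIIIIIHHI",
        b".text\0\0\0",
        len(section_payload),   # VirtualSize
        0x1000,                 # VirtualAddress
        len(section_payload),   # SizeOfRawData
        raw_ptr,                # PointerToRawData
        0, 0, 0, 0,             # relocations / line numbers: none
        0x60000020,             # code | execute | read
    )
    image = bytearray(dos + b"PE\0\0" + coff + bytes(optional) + section)
    image.extend(b"\0" * (raw_ptr - len(image)))
    image.extend(section_payload)
    return bytes(image)


def pe_image_end(data: bytes) -> int:
    """Return the offset just past the last section's raw data.

    Bytes beyond this point form the overlay: the loader never maps them, so
    trailing garbage lands there without changing what actually executes.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]    # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]       # COFF SizeOfOptionalHeader
    sect_table = pe_off + 4 + COFF_HEADER_SIZE + opt_size
    end = sect_table + num_sections * SECTION_HEADER_SIZE
    for i in range(num_sections):
        entry = sect_table + i * SECTION_HEADER_SIZE
        raw_size, raw_ptr = struct.unpack_from("<II", data, entry + 16)  # SizeOfRawData, PointerToRawData
        end = max(end, raw_ptr + raw_size)
    return end


def overlay_size(data: bytes) -> int:
    """Number of bytes appended after the mapped image."""
    return len(data) - pe_image_end(data)


def md5_full(data: bytes) -> str:
    """The hash a naive signature compares: changes with every appended byte."""
    return hashlib.md5(data).hexdigest()


def md5_without_overlay(data: bytes) -> str:
    """Hash of only the mapped image: stable across trailing-garbage variants."""
    return hashlib.md5(data[:pe_image_end(data)]).hexdigest()


if __name__ == "__main__":
    clean = build_toy_pe(b"\x90" * 64 + b"\xC3")          # constructed sample
    padded = clean + b"\x17garbage appended by the dropper\x00"
    print("overlay bytes:", overlay_size(clean), overlay_size(padded))
    print("full md5     :", md5_full(clean), md5_full(padded))
    print("mapped md5   :", md5_without_overlay(clean), md5_without_overlay(padded))
```

The same idea is why per-section hashes, import hashes and fuzzy hashes hold up better than a whole-file MD5 against this family: the appended bytes never reach the loader, so anything keyed on the mapped image survives the padding.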
In order to run at every system startup it modifies the following registry value:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "%WINDIR%\system32\userinit.exe,%WINDIR%\system32\sdra64.exe,"
appending the path to sdra64.exe after the legitimate userinit.exe entry. Winlogon launches every comma-separated entry in Userinit at logon, so the real userinit.exe still runs and the logon looks normal to the user.
It then downloads the following file to the user's computer:
http://lab[removed].com/lbrc/lbr.bin, which contains encrypted data.
To mark its presence on the system it creates the following mutexes:
__SYSTEM__64AD0625__, _AVIRA_2109, _AVIRA_2108, _AVIRA_210999, _H_64AD0625_
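The Userinit hijack and the mutex list are what a responder would hunt for. The following added example (not code from the write-up or from the malware) parses Winlogon's comma-separated Userinit value to pull out any entry other than the legitimate userinit.exe, and matches observed file paths and mutex names against the indicators listed above. The observed paths and mutexes in the main block are constructed inputs, and the helper names are the example's own; on a Windows host read_userinit_from_registry() reads the live value through winreg, elsewhere it returns None.

```python
# Indicators as listed in the write-up above; %WINDIR% is expanded per host.
ZBOT_VG_FILES = {
    r"%WINDIR%\system32\sdra64.exe",
    r"%WINDIR%\system32\lowsec\local.ds",
    r"%WINDIR%\system32\lowsec\user.ds",
    r"%WINDIR%\system32\lowsec\user.ds.lll",
}
ZBOT_VG_MUTEXES = {
    "__SYSTEM__64AD0625__",
    "_AVIRA_2109",
    "_AVIRA_2108",
    "_AVIRA_210999",
    "_H_64AD0625_",
}
LEGIT_USERINIT = r"%WINDIR%\system32\userinit.exe"


def expand_windir(path: str, windir: str = r"C:\Windows") -> str:
    return path.replace("%WINDIR%", windir)


def parse_userinit(value: str) -> list[str]:
    """Split a Userinit value into the programs Winlogon will launch.

    The value is a comma-separated list that normally ends with a comma, so
    empty fields are dropped rather than treated as entries; surrounding
    quotes are stripped so quoted paths compare cleanly.
    """
    return [entry.strip().strip('"') for entry in value.split(",") if entry.strip()]


def userinit_extra_entries(value: str, windir: str = r"C:\Windows") -> list[str]:
    """Return every Userinit entry that is not the legitimate userinit.exe."""
    legit = expand_windir(LEGIT_USERINIT, windir).lower()
    return [e for e in parse_userinit(value) if e.lower() != legit]


def match_iocs(observed_paths, observed_mutexes, windir: str = r"C:\Windows"):
    """Compare observed file paths and mutex names against the indicators.

    Paths are compared case-insensitively (NTFS is case-preserving, not
    case-sensitive); mutex names are compared exactly.
    """
    known_files = {expand_windir(p, windir).lower() for p in ZBOT_VG_FILES}
    file_hits = sorted(p for p in observed_paths if p.lower() in known_files)
    mutex_hits = sorted(m for m in observed_mutexes if m in ZBOT_VG_MUTEXES)
    return file_hits, mutex_hits


def read_userinit_from_registry():
    """Read the live Userinit value on a Windows host; returns None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
        return value


if __name__ == "__main__":
    # Constructed inputs standing in for a registry read, a directory listing
    # and a mutex enumeration (for example from a handle dump or memory image).
    hijacked = r"C:\Windows\system32\userinit.exe,C:\Windows\system32\sdra64.exe,"
    print("extra Userinit entries:", userinit_extra_entries(hijacked))
    seen_paths = [r"C:\Windows\System32\lowsec\user.ds", r"C:\Windows\System32\notepad.exe"]
    seen_mutexes = ["_AVIRA_2109", "Global\\SomeUnrelatedMutex"]
    print("IOC hits:", match_iocs(seen_paths, seen_mutexes))
```

Anything beyond the single userinit.exe entry is suspicious regardless of this family, since legitimate software has no reason to chain itself into Userinit; the file and mutex matches are what tie a hit to this specific variant.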

Last update 21 November 2011

 
