PWS:Win32/Zbot.M
First posted on 24 April 2009.
Source: SecurityHome
Aliases:
PWS:Win32/Zbot.M is also known as PWS-Zbot.gen.e (McAfee), Trojan-Spy.Win32.Zbot.rxp (Kaspersky), Infostealer (Symantec), Trojan.Spy.ZBot.SB (BitDefender), Troj/Agent-JNR (Sophos).
Explanation:
PWS:Win32/Zbot.M is a password-stealing trojan that contains limited backdoor functionality. It is capable of stealing login credentials for particular sites, cached passwords, and information contained in certificates and cookies. It is often distributed as an attachment to spam e-mail messages.
Symptoms
System Changes
The following system changes may indicate the presence of this malware:
The presence of the following file: <system folder>\sdra64.exe
The presence of the following registry modifications:
Value: "userinit"
With data: "<system folder>\userinit.exe,<system folder>\sdra64.exe,"
In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Installation
PWS:Win32/Zbot.M may arrive in the system via a spammed e-mail as an attachment with a filename such as 'UPS_NR1.zip' (containing 'UPS_NR1.exe') or 'UPS_NNR01.zip' as in the following example:
From: <spoofed>
To: <recipient email address>
Subject: Postal Tracking #7GX6V206588M3KY
Attachment: UPS_NR1.zip (contains UPS_NR1.exe and is detected as PWS:Win32/Zbot.M)
Message Body:
Hello!
We were not able to deliver postal package you sent on the 14th of March in time because the recipient’s address is not correct.. Please print out the invoice copy attached and collect the package at our office.
Your United Parcel Service of America
Note that the attachment 'UPS_NR1.zip' is a ZIP archive containing an executable named 'UPS_NR1.exe'. The executable uses the Compiled HTML Help file icon, an attempt to entice users into opening the file by double-clicking it. Upon execution of the executable within the archive, the trojan drops a copy of itself as the following:
<system folder>\sdra64.exe
The registry is modified to execute the dropped copy at each Windows start:
Adds value: "userinit"
With data: "<system folder>\userinit.exe,<system folder>\sdra64.exe,"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
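As an added example (not part of the original write-up), the following Python script checks a Winlogon Userinit value for the extra loader entry described above. It generalizes the indicator slightly: any executable other than the stock userinit.exe is flagged, so a dropped copy under a name other than sdra64.exe is caught too. The sample values are constructed; the live-registry read only works on a Windows host.

```python
"""Flag non-default entries in the Winlogon Userinit value (Zbot.M persistence)."""
import ntpath
import sys
from typing import List

# Windows itself only writes the userinit.exe loader into this value.
DEFAULT_USERINIT = "userinit.exe"
WINLOGON_SUBKEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"


def split_userinit(value: str) -> List[str]:
    """Split the comma-separated Userinit string into trimmed, non-empty paths.
    The stock value ends with a trailing comma, which yields an empty field."""
    return [p.strip() for p in value.split(",") if p.strip()]


def suspicious_userinit_entries(value: str) -> List[str]:
    """Return every entry whose file name is not userinit.exe.
    Zbot.M appends its dropped copy (sdra64.exe) after the real loader, so
    any additional executable here is worth investigating. ntpath is used so
    backslash paths are parsed correctly even when run on a non-Windows box."""
    return [p for p in split_userinit(value)
            if ntpath.basename(p).lower() != DEFAULT_USERINIT]


def read_userinit_value() -> str:
    """Read the live Userinit value on a Windows host; returns '' elsewhere."""
    if sys.platform != "win32":
        return ""
    import winreg  # Windows-only module
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_SUBKEY)
    try:
        value, _ = winreg.QueryValueEx(key, "Userinit")
        return value
    finally:
        key.Close()


if __name__ == "__main__":
    # Constructed samples: a clean host and the modification this entry describes.
    samples = {
        "clean": r"C:\Windows\system32\userinit.exe,",
        "zbot_m": r"C:\Windows\system32\userinit.exe,C:\Windows\system32\sdra64.exe,",
    }
    live = read_userinit_value()
    if live:
        samples["this host"] = live
    for label, val in samples.items():
        extra = suspicious_userinit_entries(val)
        print(f"{label}: {'SUSPICIOUS ' + ', '.join(extra) if extra else 'ok'}")
```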
When 'sdra64.exe' executes, it injects code and creates a remote thread in the running process 'WINLOGON.EXE'. The code injected into 'WINLOGON.EXE' then injects other code into the following processes:
svchost.exe
smss.exe
services.exe
lsass.exe
explorer.exe
vmsrvc.exe
mscorsvw.exe
Payload
Steals Sensitive Data
PWS:Win32/Zbot.M attempts to steal the following sensitive information from the system:
certificates
cached passwords
cookies
It also creates the following encrypted log file under a hidden directory:
<system folder>\lowsec\user.ds
Backdoor Functionality
PWS:Win32/Zbot.M may download a configuration file from the Internet website 'finksayq.ru' at TCP port 80 for additional instructions from a remote attacker.
Additional Information
PWS:Win32/Zbot.M may make additional registry changes, including the following:
Adds value: "UID"
With data: "<machine specific>"
To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Network
Analysis by Wei Li. Last update: 24 April 2009.