
PWS:Win32/Zbot.SQ


First posted on 30 August 2010.
Source: SecurityHome

Aliases :

PWS:Win32/Zbot.SQ is also known as TrojanSpy.Zbot.AGOZ (VirusBuster), TR/Spy.ZBot.CR.2 (Avira), Trojan.PWS.Panda.387 (Dr.Web), Win32/Spy.Zbot.YW (ESET), Trj/Sinowal.DW (Panda), Troj/Dloadr-DBG (Sophos), Trojan.Zbot (Symantec), TSPY_ZBOT.BWP (Trend Micro).

Explanation :

PWS:Win32/Zbot.SQ is a password stealing trojan. Win32/Zbot also contains backdoor functionality that allows unauthorized access and control of an affected computer.
Installation

When executed, PWS:Win32/Zbot.SQ copies itself with a variable file name to a subfolder in the Application Data subfolder:

  • %AppData%\<random subfolder>\<malware file name>.exe

For example:

  • %AppData%\ybupyg\geysu.exe

It also drops and executes a batch file that deletes the originally-running Zbot copy.

PWS:Win32/Zbot.SQ creates the following registry entry for its dropped copy so that it automatically runs every time Windows starts:

  Adds value: "<random id>"
  With data: "%AppData%\<random subfolder>\<malware file name>.exe"
  To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

PWS:Win32/Zbot.SQ creates the following randomly-named subkey that contains encrypted configuration information:

  • HKCU\SOFTWARE\Microsoft\<random subkey>

For example:

  • HKCU\SOFTWARE\Microsoft\Muuh

Many Zbot variants use code injection in order to hinder detection and removal. When PWS:Win32/Zbot.SQ executes, it may inject code into the running process 'explorer.exe'. It also creates various mutexes.

Payload

Modifies Internet Explorer settings

PWS:Win32/Zbot.SQ modifies the following settings for Internet Explorer (in IE zone settings a value of 0 means "Enable"; 1609 is "Display mixed content" and 1406 is "Access data sources across domains", so these changes loosen the browser's cross-origin and mixed-content protections for the affected user):

  • Enables the display of mixed content in the Local Machine zone:
    Adds value: "1609" With data: "0" In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
  • Enables access to data sources across different domains for the Local Intranet zone:
    Adds value: "1406" With data: "0" In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
  • Enables the display of mixed content for the Trusted Sites zone:
    Adds value: "1609" With data: "0" In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
  • Enables access to data sources across different domains for the Internet zone:
    Adds value: "1406" With data: "0" In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
  • Enables access to data sources across different domains for the Restricted Sites zone:
    Adds value: "1406" With data: "0" In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4

All of the entries above live under HKCU, so they are written per user; check and clean every profile on a shared machine, not only the one that was logged on when the sample ran.
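The following PowerShell triage script is an added example, not part of the original analysis and not a Microsoft tool. It checks the current user's hive of a live Windows host for the three host-based indicators described above: a Run entry whose data points into a single-level subfolder of %AppData%, the five IE zone values set to 0, and a leaf subkey under HKCU\SOFTWARE\Microsoft holding only REG_BINARY values (a heuristic for the encrypted configuration store; it will also flag legitimate keys and is an assumption to be tuned per image). The function name Find-ZbotSqIndicators is my own.

```powershell
# Added triage script (not from the original writeup). Run in the context of
# the user whose profile is suspected; it only reads HKCU and the filesystem.

function Find-ZbotSqIndicators {
    [CmdletBinding()]
    param()

    $findings = @()
    $appData  = [Environment]::GetFolderPath('ApplicationData')   # %AppData%
    $escaped  = [regex]::Escape($appData.TrimEnd('\'))
    $metaProps = @('PSPath','PSParentPath','PSChildName','PSDrive','PSProvider')

    # 1. Run entries of the form %AppData%\<subfolder>\<name>.exe
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    if (Test-Path $runKey) {
        $run = Get-ItemProperty -Path $runKey
        foreach ($prop in $run.PSObject.Properties) {
            if ($metaProps -contains $prop.Name) { continue }
            $data = [string]$prop.Value
            # strip a quoted command line down to the executable path
            if ($data -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = $data.Trim() }
            if ($exe -match "^$escaped\\[^\\]+\\[^\\]+\.exe$") {
                $findings += [pscustomobject]@{
                    Indicator = 'Run entry in %AppData% subfolder'
                    Location  = "$runKey\$($prop.Name)"
                    Value     = $data
                    Present   = Test-Path -LiteralPath $exe   # dropped copy still on disk?
                }
            }
        }
    }

    # 2. IE zone values the trojan sets to 0 (Enable).
    #    1609 = display mixed content, 1406 = access data sources across domains
    $zoneChecks = @(
        @{ Zone = 0; Name = '1609' }, @{ Zone = 1; Name = '1406' },
        @{ Zone = 2; Name = '1609' }, @{ Zone = 3; Name = '1406' },
        @{ Zone = 4; Name = '1406' }
    )
    foreach ($c in $zoneChecks) {
        $zoneKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$($c.Zone)"
        if (-not (Test-Path $zoneKey)) { continue }
        $item = Get-ItemProperty -Path $zoneKey -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and $item.($c.Name) -eq 0) {
            $findings += [pscustomobject]@{
                Indicator = 'IE zone setting weakened'
                Location  = "$zoneKey\$($c.Name)"
                Value     = $item.($c.Name)
                Present   = $true
            }
        }
    }

    # 3. Leaf keys directly under HKCU\SOFTWARE\Microsoft whose values are all
    #    REG_BINARY. Heuristic (assumption): Zbot's config key looks like this,
    #    but so do some legitimate keys, so review each hit before acting.
    foreach ($sub in Get-ChildItem -Path 'HKCU:\SOFTWARE\Microsoft' -ErrorAction SilentlyContinue) {
        if ($sub.SubKeyCount -ne 0 -or $sub.ValueCount -eq 0) { continue }
        $allBinary = $true
        foreach ($n in $sub.GetValueNames()) {
            if ($sub.GetValueKind($n) -ne 'Binary') { $allBinary = $false; break }
        }
        if ($allBinary) {
            $findings += [pscustomobject]@{
                Indicator = 'Leaf Microsoft subkey with only binary values'
                Location  = $sub.Name
                Value     = ($sub.GetValueNames() -join ',')
                Present   = $true
            }
        }
    }

    return $findings
}

Find-ZbotSqIndicators | Format-Table -AutoSize
```

Because the sample injects into explorer.exe, a Run entry whose file is missing on disk (Present = False) does not mean the infection is gone: the injected code may still be live in the session, so treat any hit as a reason to image memory before cleaning the registry.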

    Analysis by Daniel Radu

    Last update 30 August 2010
