PWS:Win32/Zbot.gen!Y
First posted on 13 August 2010.
Source: SecurityHome
Aliases:
PWS:Win32/Zbot.gen!Y is also known as TR/PSW.Zbot.130560.Y (Avira), Gen:Variant.Zbot.13 (BitDefender), Win32/Spy.Zbot.YW (ESET), Trojan-Spy.Win32.Zbot (Ikarus), Packed.Win32.Krap.hm (Kaspersky), Troj/Zbot-UW (Sophos), TrojanSpy.Zbot.AGZW (VirusBuster).
Explanation:
PWS:Win32/Zbot.gen!Y is a generic detection for a password stealer and remote access trojan. The trojan is installed by other malware and recent variants were observed bundled with an exploit detected as Exploit:Win32/CplLnk.B.
Installation

When run, PWS:Win32/Zbot.gen!Y drops a modified copy of itself as a randomly named file:
%APPDATA%\<random letters>\<random letters>.exe
For example:
c:\Documents and Settings\Administrator\Application Data\dopyq\ruro.exe
The registry is modified to run the dropped malware at Windows start.
Sets value: "{GUID of Windows volume}"
With data: "%APPDATA%\<random letters>\<random letters>.exe"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
The malware injects code into the address space of the following processes to mask its presence:
taskhost.exe
taskeng.exe
wscntfy.exe
ctfmon.exe
rdpclip.exe
explorer.exe
Additionally, PWS:Win32/Zbot.gen!Y hooks the following Windows system APIs to aid in the capture of sensitive data:
GetFileAttributesExW
HttpSendRequestW
HttpSendRequestA
HttpSendRequestExW
HttpSendRequestExA
InternetCloseHandle
InternetReadFile
InternetReadFileExA
InternetQueryDataAvailable
HttpQueryInfoA
closesocket
send
WSASend
TranslateMessage
GetClipboardData
PFXImportCertStore
PWS:Win32/Zbot.gen!Y hooks the following additional APIs (Mozilla NSPR socket functions) to support Mozilla Firefox:
PR_OpenTCPSocket
PR_Close
PR_Read
PR_Write

Payload

Steals sensitive data
PWS:Win32/Zbot.gen!Y hooks APIs used by Internet Explorer and Mozilla Firefox to steal login credentials when a user visits certain websites. A configuration file may be downloaded from a remote server (for example, "dairanet.cn"), and captured data is sent to a predefined FTP or e-mail server.
The trojan collects FTP credentials (IP, port, username and password) from the following FTP software:
FlashFXP
Total Commander
ws_ftp
FileZilla
FAR/FAR2
winscp
FTP Commander
CoreFTP
SmartFTP
PWS:Win32/Zbot.gen!Y steals the following sensitive information from the affected computer:
certificates
IE cookies
cached passwords
The trojan also logs keystrokes and takes screenshots (snapshots) of the infected system.

Lowers web browser security

PWS:Win32/Zbot.gen!Y lowers Internet Explorer security settings by modifying registry data.
Disables phishing filtering:
Sets value: "Enabled"
With data: "0"
Sets value: "EnabledV8"
With data: "0"
In subkey: HKCU\Software\Microsoft\Internet Explorer\PhishingFilter
Disables clearing Internet Explorer browser cookies:
Sets value: "CleanCookies"
With data: "0"
In subkey: HKCU\Software\Microsoft\Internet Explorer\Privacy
Weakens Internet Explorer security zone settings. For these zone policies, data "0" means "Enable" (1406 = "Access data sources across domains", 1609 = "Display mixed content"); zones 0 to 4 are My Computer, Local intranet, Trusted sites, Internet and Restricted sites:
Sets value: "1609"
With data: "0"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
Sets value: "1406"
With data: "0"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Sets value: "1609"
With data: "0"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Sets value: "1406"
With data: "0"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Sets value: "1406"
With data: "0"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4

Allows remote access and control

PWS:Win32/Zbot.gen!Y allows varying degrees of remote access and control, depending on its configuration data. The trojan could perform any of the following actions, among others:
reboot or shut down the affected computer
uninstall or update Zbot
enable or disable HTTP injection
get the current path
search for or remove files
log off
execute a program
steal Internet Explorer browser cookies
steal certificates
block or unblock URLs
set the Internet Explorer home page
steal FTP credentials (details above)
steal credentials stored by Macromedia Flash Player by parsing "flashplayer.cab" together with the SOL (Flash Local Shared Object) files located at "%APPDATA%\Macromedia\Flash Player"

Additional Information

PWS:Win32/Zbot.gen!Y appends the following headers when invoking the hooked APIs "HttpSendRequestA", "HttpSendRequestExW" and "HttpSendRequestExA":
Accept-Encoding: identity
TE:
If-Modified-Since:
Forcing identity encoding and blanking TE: and If-Modified-Since: makes the server return an uncompressed, full (not 304 Not Modified) response, which the InternetReadFile hook can then inspect and modify in the clear. An outbound request carrying exactly these three headers, in particular an empty If-Modified-Since:, is unusual for a legitimate browser and is worth a proxy-log or IDS check.
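The registry and file-system indicators from the Installation and "Lowers web browser security" sections above can be checked on a suspect host with the read-only PowerShell triage below. This is an added example, not code from the original analysis; the function name Test-ZbotGenYIndicators, the GUID-shaped-value-name test, and the "all lowercase letters" heuristic for the dropped folder and file (modelled on the dopyq\ruro.exe sample path) are this example's own assumptions, and it requires PowerShell 3.0 or later.

```powershell
# Added example: read-only triage for the PWS:Win32/Zbot.gen!Y indicators described above.
# Not part of the original write-up. Heuristics (GUID-shaped Run value name, lowercase
# random folder/file names) are assumptions of this example. Run as the affected user (HKCU).
function Test-ZbotGenYIndicators {
    $findings = @()

    # 1. Persistence: a Run value named "{GUID of Windows volume}" whose data is
    #    %APPDATA%\<random letters>\<random letters>.exe
    $runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $guidRx  = '^\{?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$'
    $appData = [regex]::Escape($env:APPDATA)
    $dropRx  = '^' + $appData + '\\[^\\]+\\[^\\]+\.exe$'
    if (Test-Path $runKey) {
        $key = Get-Item -Path $runKey
        foreach ($name in $key.GetValueNames()) {
            $data = ([string]$key.GetValue($name)).Trim('"')
            if ($name -match $guidRx -and $data -match $dropRx) {
                $findings += "Run value '$name' -> $data (GUID-named autorun under %APPDATA%)"
            }
        }
    }

    # 2. Dropped-file heuristic: a folder of lowercase letters directly under %APPDATA%
    #    containing an .exe whose name is also lowercase letters (e.g. dopyq\ruro.exe).
    foreach ($dir in (Get-ChildItem -Path $env:APPDATA -Directory -ErrorAction SilentlyContinue)) {
        if ($dir.Name -cnotmatch '^[a-z]+$') { continue }
        foreach ($exe in (Get-ChildItem -Path $dir.FullName -Filter *.exe -File -ErrorAction SilentlyContinue)) {
            if ($exe.BaseName -cmatch '^[a-z]+$') {
                $findings += "Dropped-file heuristic: $($exe.FullName)"
            }
        }
    }

    # 3. IE settings the trojan sets to 0 (phishing filter off, cookie clearing off,
    #    zone policies forced to Enable). Zone/policy pairs are exactly those in the write-up.
    $weak = @(
        @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\PhishingFilter'; Name = 'Enabled';      Why = 'phishing filter disabled' },
        @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\PhishingFilter'; Name = 'EnabledV8';    Why = 'phishing filter (IE8) disabled' },
        @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Privacy';        Name = 'CleanCookies'; Why = 'cookie clearing disabled' }
    )
    $zonePolicy = @{ 0 = '1609'; 1 = '1406'; 2 = '1609'; 3 = '1406'; 4 = '1406' }
    foreach ($z in $zonePolicy.Keys) {
        $weak += @{
            Key  = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$z"
            Name = $zonePolicy[$z]
            Why  = "zone $z policy $($zonePolicy[$z]) forced to Enable"
        }
    }
    foreach ($w in $weak) {
        $item = Get-ItemProperty -Path $w.Key -Name $w.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }          # key or value absent: nothing to flag
        if ([int]$item.($w.Name) -eq 0) {
            $findings += "$($w.Key)\$($w.Name) = 0 ($($w.Why))"
        }
    }

    # 4. Processes the trojan injects into: candidates for memory inspection, not findings.
    $targets = 'taskhost', 'taskeng', 'wscntfy', 'ctfmon', 'rdpclip', 'explorer'
    $pids = @(Get-Process -Name $targets -ErrorAction SilentlyContinue | ForEach-Object { $_.Id })

    return [pscustomobject]@{ Findings = @($findings); InjectionTargetPids = $pids }
}

$result = Test-ZbotGenYIndicators
if ($result.Findings.Count -eq 0) {
    'No PWS:Win32/Zbot.gen!Y registry or file indicators found for this user.'
} else {
    $result.Findings | ForEach-Object { "[!] $_" }
}
"Running injection targets to inspect (PIDs): $($result.InjectionTargetPids -join ', ')"
```

The script changes nothing; it only reads HKCU and lists %APPDATA%. Because the Run value and the dropped file live in the user profile, it must run in the context of the affected user, not as a different administrator. Treat a single zone policy at 0 as corroborating rather than conclusive, since default zone values differ between zones and between IE versions; the combination of a GUID-named autorun pointing into %APPDATA%, the phishing filter turned off, and the zone policies above is what matches this write-up.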
Analysis by Rodel Finones
Last update 13 August 2010