PWS:Win32/Zbot.gen!AA
First posted on 15 October 2010.
Source: SecurityHome
Aliases:
There are no other names known for PWS:Win32/Zbot.gen!AA.
Explanation:
PWS:Win32/Zbot.gen!AA is a password stealing trojan. Win32/Zbot also contains backdoor functionality that allows unauthorized access and control of an affected machine.
Installation
When run, PWS:Win32/Zbot.gen!AA drops a modified copy of itself as a randomly named file:
%APPDATA%\<random letters>\<random letters>.exe
The registry is modified to run the dropped malware at Windows start.
Adds value: "{GUID of Windows volume}"
With data: "%APPDATA%\<random letters>\<random letters>.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Additionally, PWS:Win32/Zbot.gen!AA hooks the following Windows system APIs to aid in the capture of sensitive data:
GetFileAttributesExW
HttpSendRequestW
HttpSendRequestA
HttpSendRequestExW
HttpSendRequestExA
InternetCloseHandle
InternetReadFile
InternetReadFileExA
InternetQueryDataAvailable
HttpQueryInfoA
closesocket
send
WSASend
TranslateMessage
GetClipboardData
PFXImportCertStore
PWS:Win32/Zbot.gen!AA hooks the following additional APIs to support Firefox:
PR_OpenTCPSocket
PR_Close
PR_Read
PR_Write
Payload
Steal sensitive data
PWS:Win32/Zbot.gen!AA hooks APIs used by Internet Explorer and Mozilla Firefox to steal login credentials when a user visits certain websites. A configuration file may be downloaded from a remote server (i.e. "dairanet.cn") and captured data will be sent to a predefined FTP or e-mail server.
The trojan collects FTP credentials (IP, port, username, and passwords) from the following FTP software:
FlashFXP
Total Commander
ws_ftp
FileZilla
FAR/FAR2
winscp
FTP Commander
CoreFTP
SmartFTP
PWS:Win32/Zbot.gen!AA steals the following sensitive information from the affected computer:
certificates
IE cookies
cache passwords
The trojan also logs keystrokes and gets a snapshot of the infected system.
Lowers web browser security
PWS:Win32/Zbot.gen!AA lowers Internet Explorer web browser security settings by modifying registry data.
Disables phishing filtering:
Adds value: "Enabled"
With data: "0"
Adds value: "EnabledV8"
With data: "0"
To subkey: HKCU\Software\Microsoft\Internet Explorer\PhishingFilter
Disables clearing Internet Explorer browser cookies:
Adds value: "CleanCookies"
With data: "0"
To subkey: HKCU\Software\Microsoft\Internet Explorer\Privacy
Disables Internet Explorer Internet zone security settings
Adds value: "1609"
With data: "0"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
Adds value: "1406"
With data: "0"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Adds value: "1609"
With data: "0"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Adds value: "1406"
With data: "0"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Adds value: "1406"
With data: "0"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
Allows remote access and control
PWS:Win32/Zbot.gen!AA allows varying degrees of remote access and control, depending on certain configuration data. The trojan could perform, and is not limited to, any of the following actions:
Reboot/shutdown affected computer
Uninstall/update Zbot
Enable/disable HTTP injection
Get current path
Search/remove files
Logoff
Execute a program
Steal Internet Explorer browser cookies
Steal certificates
Block/unblock URLs
Set Internet Explorer home page
Steal FTP credentials (details above)
Steal credentials stored by Macromedia Flash Player by parsing "flashplayer.cab" with SOL (Flash Local Shared Object File) files located at "%APPDATA%\Macromedia\Flash Player"
Additional Information
PWS:Win32/Zbot.gen!AA appends the following headers when invoking the hooked APIs "HttpSendRequestA", "HttpSendRequestExW" and "HttpSendRequestExA":
Accept-Encoding: identity
TE:
If-Modified-Since:
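As an added example (not part of the original write-up), the following read-only PowerShell audit checks the registry locations this page lists under Installation and under Lowers web browser security and reports anything in the current user's hive that matches them. The key paths and value names are taken from the description above; the GUID-shaped value-name pattern and the check that the Run data points under %APPDATA% are assumptions drawn from the "{GUID of Windows volume}" wording and the drop path, not from anything else on the page.

```powershell
# Added example, not code from the original write-up. Read-only audit of the HKCU
# registry state described for PWS:Win32/Zbot.gen!AA. Run it in a PowerShell session
# as the user whose profile is being inspected; it changes nothing.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Persistence: a Run value named like a GUID whose data points under %APPDATA%.
#    The GUID-name regex and the %APPDATA% prefix test are assumptions based on the
#    write-up's "{GUID of Windows volume}" and "%APPDATA%\<random>\<random>.exe".
$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$guidName = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
$appData  = [Environment]::GetFolderPath('ApplicationData')

if (Test-Path $runKey) {
    $run = Get-ItemProperty -Path $runKey
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -match $guidName) {
            $data     = [string]$prop.Value
            $expanded = [Environment]::ExpandEnvironmentVariables($data.Trim('"'))
            if ($expanded.StartsWith($appData, [StringComparison]::OrdinalIgnoreCase)) {
                $findings.Add("Run value '$($prop.Name)' -> $data (GUID-named, under %APPDATA%)")
            }
        }
    }
}

# 2. Browser security downgrades listed in the write-up. Each value is set to 0 by the
#    trojan, so a present-and-zero value is reported.
$checks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\PhishingFilter'; Name = 'Enabled' },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\PhishingFilter'; Name = 'EnabledV8' },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Privacy';        Name = 'CleanCookies' }
)
$zoneBase   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneValues = @{ 0 = '1609'; 1 = '1406'; 2 = '1609'; 3 = '1406'; 4 = '1406' }
foreach ($zone in $zoneValues.Keys) {
    $checks += @{ Key = "$zoneBase\$zone"; Name = $zoneValues[$zone] }
}

foreach ($check in $checks) {
    if (-not (Test-Path $check.Key)) { continue }
    $item = Get-ItemProperty -Path $check.Key -Name $check.Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and [int]$item.($check.Name) -eq 0) {
        $findings.Add("$($check.Key)\$($check.Name) = 0")
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No registry indicators from the PWS:Win32/Zbot.gen!AA write-up found in HKCU.'
} else {
    Write-Output 'Registry state matching the PWS:Win32/Zbot.gen!AA write-up:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Treat a hit as a lead rather than proof: a zero in one of the zone settings can also be an administrator's or Group Policy choice, and the Run-key match depends on the assumed naming pattern. Corroborate with the dropped executable under %APPDATA% and the hooked APIs the write-up lists before concluding the machine is affected.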
Analysis by Matt McCormack
Last update 15 October 2010