PWS:Win32/Zbot.EX
First posted on 12 June 2009.
Source: SecurityHome
Aliases:
PWS:Win32/Zbot.EX is also known as W32/Smalltroj.OHHO (Norman).
Explanation:
PWS:Win32/Zbot.EX is a trojan password stealer that may bypass installed firewall applications to send captured passwords to an attacker.
Symptoms
System Changes
The following system changes may indicate the presence of this malware:
The presence of the following file:
c:\Windows\system32\sdra64.exe
The presence of the following registry modification:
Value: "userinit"
With data: "<system folder>\userinit.exe, c:\Windows\system32\sdra64.exe"
In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Installation
When run, this trojan creates a mutex named "_AVIRA_21099" to ensure only one instance is executing at a time. It copies itself to 'c:\Windows\system32\sdra64.exe' with the file attributes 'hidden', 'system' and 'archive', and modifies the registry so that the trojan copy runs at each Windows start:
Adds value: "userinit"
With data: "<system folder>\userinit.exe, c:\Windows\system32\sdra64.exe"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
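A defender's check for the Userinit modification described above, added here as an example (it is not part of the original write-up): it splits the Winlogon Userinit data, reports every entry other than the expected <system folder>\userinit.exe, and flags the sdra64.exe path this page names. It assumes C:\Windows\system32 as the system folder; read_live_userinit and the sample values are constructed for the example.

```python
import ntpath
import sys

# Indicators taken from the description above (the page's own values).
ZBOT_EX_DROPPER = r"c:\Windows\system32\sdra64.exe"
WINLOGON_SUBKEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Assumption: the legitimate Userinit data is the single entry
# "<system folder>\userinit.exe", usually followed by a trailing comma.
DEFAULT_SYSTEM_FOLDER = r"C:\Windows\system32"


def parse_userinit(value):
    """Split the comma-separated Userinit data into normalised (lower-case,
    backslash) paths, dropping empty entries such as the trailing comma."""
    return [ntpath.normcase(p.strip().strip('"'))
            for p in value.split(",") if p.strip()]


def suspicious_userinit_entries(value, system_folder=DEFAULT_SYSTEM_FOLDER):
    """Return every Userinit entry other than <system folder>\\userinit.exe;
    an empty list means only the expected program is launched at logon."""
    expected = ntpath.normcase(ntpath.join(system_folder, "userinit.exe"))
    return [p for p in parse_userinit(value) if p != expected]


def matches_zbot_ex(value, system_folder=DEFAULT_SYSTEM_FOLDER):
    """True when an extra entry is the sdra64.exe path named above; any
    other extra entry is still worth investigating."""
    target = ntpath.normcase(ZBOT_EX_DROPPER)
    return target in suspicious_userinit_entries(value, system_folder)


def read_live_userinit():
    """Read the current Userinit data from HKLM on Windows (None elsewhere)."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_SUBKEY) as key:
        data, _ = winreg.QueryValueEx(key, "Userinit")
    return data


if __name__ == "__main__":
    # Constructed sample values: the clean default and the modification above.
    samples = {"clean": r"C:\Windows\system32\userinit.exe,",
               "infected": r"C:\Windows\system32\userinit.exe, c:\Windows\system32\sdra64.exe",
               "this host": read_live_userinit()}
    for label, data in samples.items():
        if data is not None:
            print(label, "->", suspicious_userinit_entries(data) or "no extra entries")
```

Any extra Userinit entry, not only sdra64.exe, should be treated as a persistence finding until explained.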
Payload
Bypasses Firewall Applications
When executed, this trojan searches for the following applications associated with firewall and user Internet protection:
outpost.exe - Outpost Personal Firewall
zlclient.exe - ZoneLabs Firewall Client
The trojan creates a pipe "\\.\pipe\_AVIRA_2109" to bypass the above firewall applications and allow an attacker remote access.
Collects User Logon Credentials
This trojan injects malicious code into the Windows process 'WINLOGON.EXE' and creates a remote thread in it. The remote thread attempts to hook the following API calls to steal sensitive user-entered information:
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
InternetReadFile
InternetReadFileExA
InternetReadFileExW
send
sendto
WSASend
WSASendTo
The trojan may delete Internet cookies from the Internet Explorer URL cache so that users are required to re-enter passwords when logging into websites that request the credentials. Captured logon credentials are sent to an attacker.
Additional Information
During installation, the trojan copy may be given the same time and date stamp as the existing Windows system file 'ntdll.dll'.
Analysis by Tim Liu
Last update 12 June 2009