PWS:Win32/Zbot.RI
First posted on 12 March 2010.
Source: SecurityHome
Aliases:
PWS:Win32/Zbot.RI is also known as TROJ_ZBOT.BRJ (Trend Micro), Trojan-Spy.Win32.Zbot.abje (Kaspersky), Trojan.Zbot (Symantec).
Explanation:
PWS:Win32/Zbot.RI is a password stealing trojan. Win32/Zbot also contains backdoor functionality that allows unauthorized access and control of an affected machine.
Installation
When executed, PWS:Win32/Zbot.RI copies itself with a variable file name to the System directory, for example:
<system folder>\wsnpoema.exe
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
It modifies the registry to execute this copy at each Windows start:
Sets value: "userinit"
With data: "<system folder>\userinit.exe,<system folder>\<malware filename>,"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
For example:
Sets value: "userinit"
With data: "<system folder>\userinit.exe,<system folder>\wsnpoema.exe"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Many Zbot variants utilize code injection in order to hinder detection and removal. When PWS:Win32/Zbot.RI executes, it may inject code into the running process 'winlogon.exe', which in turn injects code into other running processes, including the following, for example:
explorer.exe
lsass.exe
services.exe
smss.exe
svchost.exe
winlogon.exe
wmiprvse.exe
wuauclt.exe
Payload
Steals sensitive information
The Zbot family of malware is used to obtain sensitive information from the affected system, such as:
Trusted Web site certificates
Cached Web browser passwords
Cookies
Note: Many Zbot variants specifically target the websites of Bank of America.
Variants of Zbot may also parse e-mail and FTP traffic in order to obtain e-mail addresses and FTP login details.
Contacts remote site for instruction/Downloads and executes arbitrary files
After installation, PWS:Win32/Zbot.RI attempts to contact the remote site calvinkleinstuffz.com via port 80 in order to download additional instructions (which may be in the form of a configuration file) and/or arbitrary files to execute.
Allows remote backdoor access and control
Zbot can be instructed to perform a host of actions by a remote attacker, including the following:
Rename itself
Obtain certificates and other stolen information
Block specified URLs
Download and execute arbitrary files
Establish a Socks proxy
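The Winlogon "userinit" modification described under Installation is easy to audit: the value is a comma-separated list, and Winlogon launches every entry at logon, so any entry other than the legitimate userinit.exe deserves a look. The following is an added defender-side check, not code from the original write-up; the sample values are constructed, and the expected path and the live-registry helper are assumptions.

```python
# Added example: audit the Winlogon "Userinit" value for extra entries.
# SAMPLE_VALUES are constructed for illustration, not taken from a real host.
from typing import Optional

SAMPLE_VALUES = {
    "clean": r"C:\Windows\System32\userinit.exe,",
    "zbot_style": r"C:\Windows\System32\userinit.exe,C:\Windows\System32\wsnpoema.exe,",
    "no_trailing_comma": r"C:\Windows\System32\userinit.exe,C:\Windows\System32\wsnpoema.exe",
}

# Subkey named in the write-up (HKLM is implied by the hive handle below).
WINLOGON_SUBKEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def parse_userinit(data: str) -> list[str]:
    """Split the comma-separated Userinit data into normalized, non-empty entries.

    Windows tolerates a trailing comma (the default value ends with one), so empty
    fields are dropped rather than reported.
    """
    return [p.strip().strip('"').lower() for p in data.split(",") if p.strip().strip('"')]


def unexpected_userinit_entries(data: str, system_folder: str = r"C:\Windows\System32") -> list[str]:
    """Return every entry that is not the legitimate userinit.exe for this system folder.

    Any extra entry (such as the wsnpoema.exe copy above) is launched by Winlogon
    at each logon and is worth inspecting. The default system folder is an assumption.
    """
    expected = {system_folder.lower() + r"\userinit.exe", "userinit.exe"}
    return [p for p in parse_userinit(data) if p not in expected]


def read_live_userinit() -> Optional[str]:
    """Read the real value on a Windows host; returns None elsewhere (assumed helper)."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_SUBKEY) as key:
        value, _type = winreg.QueryValueEx(key, "Userinit")
    return str(value)


if __name__ == "__main__":
    for label, data in SAMPLE_VALUES.items():
        print(f"{label}: unexpected={unexpected_userinit_entries(data)}")
    live = read_live_userinit()
    if live is not None:
        print(f"live: unexpected={unexpected_userinit_entries(live)}")
```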
Analysis by Matt McCormack
Last update 12 March 2010