
PWS:Win32/Zbot


First posted on 01 October 2011.
Source: SecurityHome

Aliases :

PWS:Win32/Zbot is also known as W32/Zbot.OAJ (Norman), Trojan.Fraudload.Gen!Pac.5 (VirusBuster), Pakes.ELY (AVG), Trojan.CryptRedol.Gen.5 (BitDefender), Trojan.PWS.Panda.218 (Dr.Web), Win32/Spy.Zbot.WM (ESET), Trojan.Win32.Bredolab (Ikarus), Generic PWS.y!brn (McAfee), Trj/Downloader.MDW (Panda), Mal/BredoPk-B (Sophos), Trojan.Win32.Bredolab.Gen.2 (Sunbelt Software), Trojan.Zbot (Symantec), TROJ_SCAR.HE (Trend Micro), Zeus banking trojan (other).

Explanation :

Information about incorrect detection of Google Chrome as PWS:Win32/Zbot

On September 30th, 2011, an incorrect detection for PWS:Win32/Zbot was identified and, as a result, Google Chrome was inadvertently blocked and in some cases removed. Within a few hours, Microsoft released an update that addresses the issue. Signature versions 1.113.672.0 and higher include this update. Affected customers should manually update Microsoft Security Essentials with the latest signatures. After updating the definitions, reinstall Google Chrome. We apologize for the inconvenience this may have caused our customers.

To get the latest definitions, simply launch Microsoft Security Essentials, go to the update tab and click the Update button. The definitions can be updated manually by visiting the following Microsoft Knowledge Base article:

  • http://support.microsoft.com/kb/971606
PWS:Win32/Zbot is a password-stealing trojan that monitors for visits to certain websites. It allows limited backdoor access and control and may terminate certain security-related processes.
Installation

When executed, PWS:Win32/Zbot drops a copy of itself as any of the following files:
  • <system folder>\ntos.exe
  • <system folder>\sdra64.exe
  • <system folder>\twex.exe
Note - <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 it is C:\Windows\System32.

It also drops the following files, containing encrypted data used by the trojan, under the folder "<system folder>\wsnpoem\":
  • audio.dll
  • video.dll
It also creates the following encrypted log file, in which it presumably writes all stolen data: <system folder>\twain_32\user.ds

PWS:Win32/Zbot modifies the registry to ensure that its copy is executed at each Windows start:

Adds value: "userinit"
With data: "<system folder>\userinit.exe,<system folder>\<malware file>"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

where <malware file> is any of the file names mentioned above.
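The persistence mechanism above gives a defender a cheap host check: a clean Userinit value contains only <system folder>\userinit.exe, so any additional entry is worth examining, and one whose file name matches the drop names listed above is a strong match. The following is an added triage helper, not Microsoft's tooling; the drop names and registry location come from this write-up, and the sample value is constructed.

```python
"""Triage helper for the PWS:Win32/Zbot Userinit persistence described above.
Added example, not Microsoft's tooling; drop names and the Winlogon key come
from the write-up, the sample value below is constructed."""
import ntpath
import sys

# File names the write-up says the trojan drops into <system folder>.
ZBOT_DROP_NAMES = {"ntos.exe", "sdra64.exe", "twex.exe"}
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def suspicious_userinit_entries(userinit_value, system_folder=r"C:\Windows\System32"):
    """Return every entry of a Winlogon 'Userinit' value that is not the
    legitimate <system folder>\\userinit.exe. A clean value holds only that
    entry (usually with a trailing comma); Zbot appends ',<system folder>\\<malware file>'.
    Comparison is case-insensitive and uses ntpath so it behaves the same
    when the helper is run on a non-Windows analysis host."""
    expected = ntpath.join(system_folder, "userinit.exe").lower()
    entries = [e.strip() for e in userinit_value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != expected]


def matches_zbot_drop_name(path):
    """True if the entry's file name is one of the drop names listed above."""
    return ntpath.basename(path).lower() in ZBOT_DROP_NAMES


def triage_userinit(userinit_value, system_folder=r"C:\Windows\System32"):
    """Any extra entry deserves a look; an extra entry with a known Zbot
    drop name is a strong match for this family."""
    extras = suspicious_userinit_entries(userinit_value, system_folder)
    return {
        "extra_entries": extras,
        "zbot_name_matches": [e for e in extras if matches_zbot_drop_name(e)],
    }


def read_live_userinit():
    """Read the real value from HKLM on Windows; returns None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    # Constructed sample value mirroring the write-up's description.
    sample = r"C:\Windows\System32\userinit.exe,C:\Windows\System32\sdra64.exe"
    print(triage_userinit(read_live_userinit() or sample))
```

A variant that uses a file name not in the list still shows up in extra_entries, which is the signal to act on; the name match only raises confidence.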
It also injects its code in the following processes:
  • explorer.exe
  • lsass.exe
  • svchost.exe
  • winlogon.exe
PWS:Win32/Zbot also hides its processes and registry entry to avoid detection.

Payload

Steals sensitive data

PWS:Win32/Zbot steals login credentials whenever a user goes to certain Web sites, such as the following:
  • https://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome
  • https://www.e-gold.com/sci_asp/payments.asp
It also monitors if the computer opens the "WebMoney Keeper Classic" program. It may also attempt to steal the following sensitive information from the computer:
  • Certificates
  • Cached passwords
  • Cookies
Allows backdoor access and control

PWS:Win32/Zbot may download a configuration file from the Internet, which can instruct the trojan to do the following:
  • Rename the bot
  • Get certificates
  • Block URLs
  • Unblock URLs
  • Delete files
  • Download files

Terminates security processes

PWS:Win32/Zbot checks for the following security-related processes and terminates them if found:
  • outpost.exe (executable for Outpost Firewall)
  • zlclient.exe (executable for Zone Alarm Firewall)

Analysis by Francis Allan Tan Seng

Last update 01 October 2011
