PWS:Win32/Zbot.J
First posted on 01 May 2009.
Source: SecurityHome
Aliases:
PWS:Win32/Zbot.J is also known as Trojan-Spy.Win32.Zbot.gen (Kaspersky), Mal/EncPk-CZ (Sophos), Trojan.Spy.ZBot.RL (BitDefender).
Explanation:
PWS:Win32/Zbot.J is a password stealing trojan that has been observed in the wild targeting Bank of America websites. Win32/Zbot also contains backdoor functionality that allows unauthorized access and control of an affected machine. Win32/Zbot has been observed being distributed in the wild attached to e-mail that spoofs UPS (United Parcel Service of America).
Symptoms
System Changes
The following system changes may indicate the presence of this malware:
The presence of the following registry modifications (or similar):
Sets value: "userinit"
With data: "<system folder>\userinit.exe,<system folder>\<malware filename>,"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "UID"
With data: "avm<machine specific ID>"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Network
Sets value: "ParseAutoexec"
With data: "1"
To subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Start Page"
With data: ""
To subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Installation
When executed, PWS:Win32/Zbot.J copies itself with a variable file name to the System directory, for example:
<system folder>\sdra64.exe
It modifies the registry to execute this copy at each Windows start:
Sets value: "userinit"
With data: "<system folder>\userinit.exe,<system folder>\<malware filename>,"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
For example:
Sets value: "userinit"
With data: "<system folder>\userinit.exe,<system folder>\sdra64.exe"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Winlogon launches every program listed in this comma-separated value when a user logs on, so appending the malware path makes it run alongside the legitimate userinit.exe without breaking the logon process.
Many Zbot variants utilize code injection in order to hinder detection and removal. When PWS:Win32/Zbot.J executes, it may inject code into the running process 'winlogon.exe', which in turn injects code into other running processes.
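The following Python script is an added example, not part of the original entry and not Microsoft's own tooling. It evaluates the registry indicators listed in the System Changes and Installation sections: it splits the Winlogon Userinit value the way Winlogon does (a comma-separated list of programs to launch at logon) and reports any entry other than the legitimate userinit.exe, then applies the weaker UID, ParseAutoexec and Start Page checks. The sample registry values, the sdra64.exe file name and the avm1234abcd UID are constructed for the example; on a Windows host, check_live_host() reads the real values through the standard winreg module.

```python
import re

# All sample registry values below are constructed for this example; they are
# not captured from a real infection.
SYSTEM_FOLDER = r"C:\WINDOWS\system32"
CLEAN_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"
# Shape of the value described in the Installation section (sdra64.exe is the
# page's example file name; real variants use variable names).
INFECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"


def parse_userinit(value):
    """Split the comma-separated Userinit value into its program entries.

    Winlogon runs each entry in turn; the trailing comma in the default value
    is what lets an attacker append an entry without breaking logon.
    """
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def extra_userinit_entries(value, system_folder=SYSTEM_FOLDER):
    """Return every Userinit entry other than the legitimate userinit.exe."""
    legit = {
        "userinit.exe",
        (system_folder.rstrip("\\") + r"\userinit.exe").lower(),
    }
    extras = []
    for entry in parse_userinit(value):
        normalised = entry.strip('"').lower()  # ignore case and surrounding quotes
        if normalised not in legit:
            extras.append(entry)
    return extras


def looks_like_zbot_uid(value):
    """True if a Network\\UID value has the 'avm<machine specific ID>' shape."""
    return isinstance(value, str) and re.fullmatch(r"avm\S+", value) is not None


def check_indicators(userinit, uid=None, parse_autoexec_hkcu=None, start_page=None):
    """Evaluate the registry indicators listed for PWS:Win32/Zbot.J.

    Returns a list of findings; an empty list means none of the listed
    indicators is present. ParseAutoexec and a blank Start Page are only
    weak corroborating indicators; the Userinit finding carries the weight.
    """
    findings = []
    for entry in extra_userinit_entries(userinit):
        findings.append(f"Userinit runs an additional program: {entry}")
    if looks_like_zbot_uid(uid):
        findings.append(f"HKLM Network UID value has Zbot shape: {uid}")
    if parse_autoexec_hkcu is not None and str(parse_autoexec_hkcu) == "1":
        findings.append("HKCU Winlogon ParseAutoexec set to 1")
    if start_page == "":
        findings.append("Internet Explorer Start Page blanked")
    return findings


def check_live_host():
    """Read the real values on a Windows host (winreg only exists on Windows)."""
    try:
        import winreg
    except ImportError:
        return None  # not Windows; feed exported values to check_indicators()

    def read(hive, path, name):
        try:
            with winreg.OpenKey(hive, path) as key:
                return winreg.QueryValueEx(key, name)[0]
        except OSError:
            return None  # key or value absent

    winlogon = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    return check_indicators(
        read(winreg.HKEY_LOCAL_MACHINE, winlogon, "Userinit") or "",
        read(winreg.HKEY_LOCAL_MACHINE,
             r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network", "UID"),
        read(winreg.HKEY_CURRENT_USER, winlogon, "ParseAutoexec"),
        read(winreg.HKEY_CURRENT_USER,
             r"Software\Microsoft\Internet Explorer\Main", "Start Page"),
    )


if __name__ == "__main__":
    print("clean:", check_indicators(CLEAN_USERINIT))
    print("infected:", check_indicators(INFECTED_USERINIT, uid="avm1234abcd",
                                        parse_autoexec_hkcu="1", start_page=""))
    live = check_live_host()
    if live is not None:
        print("live host:", live or "no listed indicators found")
```

Run on any platform to see the constructed clean and infected values evaluated; on Windows the script also inspects the live registry. A Userinit entry that is not userinit.exe is worth investigating on its own, since legitimate software rarely adds itself there, whereas the other three values should only raise confidence when seen together with it.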
Payload
Steals Sensitive Information
The Zbot family of malware is used to obtain sensitive information from the affected system, such as:
Trusted Web site certificates
Cached Web browser passwords
Cookies
Many Zbot variants specifically target the websites of Bank of America.
Variants of Zbot may also parse e-mail and FTP traffic in order to obtain e-mail addresses and FTP login details.
Backdoor Functionality
Zbot can be instructed to perform a host of actions by a remote attacker, including the following:
Renaming itself
Obtaining certificates and other stolen information
Blocking URLs
Downloading and executing arbitrary files
Establishing a SOCKS proxy
Contacts Remote Site for Instructions/Downloads and Executes Arbitrary Files
After installation, Zbot contacts a remote site to download additional instructions and/or arbitrary files to execute.
Additional Information
Zbot variants may make the following registry modifications:
Sets value: "UID"
With data: "avm<machine specific ID>"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Network
Sets value: "ParseAutoexec"
With data: "1"
To subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Start Page"
With data: ""
To subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Analysis by Matt McCormack
Last update 01 May 2009