
Trojan.Spy.ZBot.EKF


First posted on 21 November 2011.
Source: BitDefender

Aliases :

There are no other names known for Trojan.Spy.ZBot.EKF.

Explanation :

This trojan spreads via infected websites, where it can be downloaded and executed directly on a system via an exploit, or the user can be tricked into downloading and running it manually.
When executed, the trojan first creates a mutex named "_AVIRA_2109" to avoid running multiple instances. It then copies itself into the %system% directory as sdra64.exe and injects its code into every running process. While the trojan has code running in any process, its file (%system%\sdra64.exe) is locked against any kind of access (read or write). To run at every startup, it modifies the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = %system%\userinit.exe
by appending the trojan's path to it.
It will also create the following files:
%system%\lowsec\local.ds
%system%\lowsec\user.ds
%system%\lowsec\user.ds.lll
The trojan also has backdoor capabilities, which enable a remote attacker to connect to the victim's computer and issue commands the trojan can interpret. Among the data stolen by this trojan are the digital product ID of the currently installed version of Microsoft Windows and the list of FTP servers and user names/passwords (if any) stored by Total Commander, FileZilla, FAR, WinSCP 2, FTP Commander and Smart FTP (if any of these is installed). While the trojan is active, several other mutexes may be created: _H_64AD0625_ and __SYSTEM__64AD0625__. It also deletes all the cookies stored in Internet Explorer's URL cache.
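The indicators above (the appended UserInit entry, the sdra64.exe copy, the lowsec files and the mutex names) can be checked mechanically. The following is an added triage example, not BitDefender's code or the malware's; it works on constructed sample data (a Winlogon UserInit value, a file listing and a mutex list) rather than reading a live host, so it runs offline. The helper names and the default C:\Windows\System32 system directory are assumptions for the example.

```python
"""Offline triage helpers for the Trojan.Spy.ZBot.EKF indicators in the write-up.

Added example, not BitDefender's or the trojan's code. The UserInit value, file
listing and mutex list used at the bottom are constructed sample input.
"""
import ntpath

# Stock Winlogon UserInit value on a clean Windows installation. Winlogon runs
# every comma-separated entry at logon, which is what the trojan abuses.
DEFAULT_USERINIT = r"%system%\userinit.exe"

# File artifacts named in the write-up, relative to %system%.
ZBOT_FILES = (
    r"sdra64.exe",
    r"lowsec\local.ds",
    r"lowsec\user.ds",
    r"lowsec\user.ds.lll",
)

# Mutex names named in the write-up.
ZBOT_MUTEXES = ("_AVIRA_2109", "_H_64AD0625_", "__SYSTEM__64AD0625__")


def _normalize(path: str, system_dir: str) -> str:
    """Lower-case a path, drop quotes and expand %system% so comparisons are
    case-insensitive (NTFS and the registry are)."""
    return path.strip().strip('"').lower().replace("%system%", system_dir.lower())


def userinit_extra_entries(value: str, system_dir: str = r"C:\Windows\System32") -> list:
    """Return every entry of a UserInit value that is not the stock userinit.exe.

    A clean value is 'C:\\Windows\\system32\\userinit.exe,' (the trailing comma is
    normal); anything else in the list was appended and deserves a look.
    """
    expected = _normalize(DEFAULT_USERINIT, system_dir)
    extras = []
    for raw in value.split(","):
        entry = _normalize(raw, system_dir)
        if entry and entry != expected:
            extras.append(raw.strip())
    return extras


def zbot_file_hits(paths, system_dir: str = r"C:\Windows\System32") -> list:
    """Return the paths from `paths` that match a ZBot.EKF artifact under %system%."""
    wanted = {_normalize(ntpath.join("%system%", f), system_dir) for f in ZBOT_FILES}
    return [p for p in paths if _normalize(p, system_dir) in wanted]


def zbot_mutex_hits(mutex_names) -> list:
    """Return the mutex names from `mutex_names` that the write-up attributes to the trojan."""
    return [m for m in mutex_names if m in ZBOT_MUTEXES]


def triage(userinit_value: str, file_paths, mutex_names,
           system_dir: str = r"C:\Windows\System32") -> dict:
    """Combine the three checks into one report; `infected` is True on any hit."""
    report = {
        "userinit_extras": userinit_extra_entries(userinit_value, system_dir),
        "files": zbot_file_hits(file_paths, system_dir),
        "mutexes": zbot_mutex_hits(mutex_names),
    }
    report["infected"] = any(report[k] for k in ("userinit_extras", "files", "mutexes"))
    return report


if __name__ == "__main__":
    # Constructed sample data resembling an infected host; not captured from a real system.
    sample_userinit = r"C:\Windows\system32\userinit.exe,C:\Windows\system32\sdra64.exe,"
    sample_files = [
        r"C:\Windows\System32\kernel32.dll",
        r"C:\Windows\System32\sdra64.exe",
        r"C:\Windows\System32\lowsec\user.ds",
    ]
    sample_mutexes = ["_AVIRA_2109", "__SYSTEM__64AD0625__", "SomeUnrelatedMutex"]
    print(triage(sample_userinit, sample_files, sample_mutexes))
```

On a live host the UserInit value comes from the registry (for example via winreg under Python on Windows, or `reg query`), the file listing from a directory walk of %system%, and the mutex list from a handle enumeration tool. Two caveats follow from the write-up itself: while injected code is running, sdra64.exe is locked, so hashing or copying it from the live system will fail and is better done from an offline image; and the mutexes exist only while the trojan is active, so their absence on a powered-off or cleaned system proves nothing.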

Last update 21 November 2011
