
Trojan.Spy.ZBot.EHE


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Trojan.Spy.ZBot.EHE is also known as Trojan-Spy.Win32.Zbot.gen, Trojan.Zbot!gen2, PWS-Zbot.gen.v, and PWS:Win32/Zbot.gen!R.

Explanation:

This is another version of ZBot, spammed via e-mail either as an attachment or as a link to the malware.

When executed, it decrypts and injects its code into winlogon.exe and svchost.exe, which lets it create files and access the Internet without the user's knowledge. It then copies itself to %WINDIR%\system32\sdra64.exe and creates the following encrypted, hidden files:
%WINDIR%\system32\sdra64.exe
%WINDIR%\system32\lowsec\local.ds
%WINDIR%\system32\lowsec\user.ds
%WINDIR%\system32\lowsec\user.ds.lll
To be executed at every system startup, it modifies the following registry value:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit="%WINDIR%\system32\userinit.exe,
appending the path to sdra64.exe after the userinit.exe path.
It then downloads the following file to the user's computer:
http://lab[removed].27.42//ip2.gif - which contains some encrypted data.
The presence of the malware on the system is indicated by the following mutexes:
__SYSTEM__64AD0625__, _AVIRA_2109, _AVIRA_2108, _AVIRA_210999, _H_64AD0625_
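As an added defensive check (not part of the BitDefender write-up): a Python script that parses a Winlogon Userinit value the way Windows does, as a comma-separated list of programs, flags any entry other than the stock userinit.exe, and matches observed file names and mutex names against the indicators listed above. The registry value, file paths and mutex list in the demo are constructed sample input, not data captured from a real host.

```python
import ntpath

# Indicators taken from the description of Trojan.Spy.ZBot.EHE above.
DROPPED_FILES = {"sdra64.exe", "local.ds", "user.ds", "user.ds.lll"}
MUTEXES = {"__SYSTEM__64AD0625__", "_AVIRA_2109", "_AVIRA_2108",
           "_AVIRA_210999", "_H_64AD0625_"}

# The only program a clean Winlogon\Userinit value should start.
EXPECTED_USERINIT = "userinit.exe"


def parse_userinit(value):
    """Split a Userinit registry value into its program entries.

    Windows runs every comma-separated entry in turn, which is why ZBot
    appends sdra64.exe after userinit.exe. Empty entries (the trailing
    comma) and surrounding whitespace are dropped.
    """
    return [e.strip() for e in value.split(",") if e.strip()]


def suspicious_userinit_entries(value):
    """Return the Userinit entries other than the stock userinit.exe.

    Only the file name is compared, case-insensitively, so the check works
    whether the value uses %WINDIR%, %SystemRoot% or a literal path.
    """
    return [e for e in parse_userinit(value)
            if ntpath.basename(e).lower() != EXPECTED_USERINIT]


def matching_indicators(file_paths, mutex_names):
    """Return the observed file paths and mutex names matching this sample.

    Files are matched on name only, because the directory depends on %WINDIR%.
    """
    files = [p for p in file_paths if ntpath.basename(p).lower() in DROPPED_FILES]
    mutexes = [m for m in mutex_names if m in MUTEXES]
    return {"files": files, "mutexes": mutexes}


if __name__ == "__main__":
    # Constructed sample input, not captured from a real host.
    userinit = r"C:\Windows\system32\userinit.exe,C:\Windows\system32\sdra64.exe,"
    print(suspicious_userinit_entries(userinit))  # ['C:\\Windows\\system32\\sdra64.exe']
    seen_files = [r"C:\Windows\system32\lowsec\local.ds", r"C:\Windows\notepad.exe"]
    seen_mutexes = ["_AVIRA_2109", "Global\\UnrelatedMutex"]
    print(matching_indicators(seen_files, seen_mutexes))
```

On a live Windows host the Userinit value can be read with winreg from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and passed to suspicious_userinit_entries unchanged.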

Last update 21 November 2011
