
Trojan.Spy.Zbot.KJ


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Trojan.Spy.Zbot.KJ is also known as Trojan.Spy.Wsnpoem.

Explanation :

The malware uses the icon of a *.xls file (Excel spreadsheet). This is a social engineering technique to trick the user into launching the infection. It has no spreading routine of its own; it was spammed out via email as an attachment.



The malware comes encrypted; underneath the protection is a version of the infamous Trojan.Wsnpoem malware, detected by BitDefender as Trojan.Spy.Zbot.JM.
Immediately after execution it injects into svchost.exe and winlogon.exe and can provide backdoor and proxy server capabilities. The service provided through svchost.exe listens on a random TCP port, enabling the attacker to send commands to the remote computer. This may be used for stealing information, remote control or spamming.
The trojan deletes cookies in the Internet Explorer URL cache and resets the Internet Explorer Start Page. Trojan.Spy.Zbot.KJ attempts to hide itself using stealth and rootkit techniques. The files mentioned in this description won't be visible in Windows Explorer even with the options that hide protected system files turned off.
At execution this malware copies itself to %WINDIR%\system32\oembios.exe (or C:\Documents and Settings\%username%\Application Data) and creates a registry entry to make sure it is executed after every reboot. For that, the following registry key is changed:

[HKLM\software\microsoft\windows nt\currentversion\winlogon]
Old value:
• "userinit"="%SYSDIR%\userinit.exe,"
New value:
• "userinit"="%SYSDIR%\userinit.exe,%SYSDIR%\oembios.exe,"
Another key that is changed is
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer]
enabling the process to hide the infected file from Windows Explorer. These registry keys are permanently checked and restored to the infected values by the infected winlogon process.
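As an added example (not code from BitDefender or from this page), the following Python parses a Winlogon Userinit value and reports any entry other than userinit.exe, flagging the oembios.exe name quoted above; the Winlogon key path and the winreg read are standard Windows details assumed here, and the sample value is the "New value" from the report.

```python
import sys
from typing import List, Optional

# Winlogon key and value name (standard Windows locations, not quoted on the page)
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# File name the report says is appended to Userinit by Trojan.Spy.Zbot.KJ
REPORTED_IOC_NAMES = {"oembios.exe"}


def parse_userinit(value: str) -> List[str]:
    """Split the comma-separated Userinit value; the trailing comma yields an empty entry that is dropped."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def _basename(entry: str) -> str:
    """Lower-cased file name of an entry, tolerating both slash styles and %SYSDIR%-style prefixes."""
    return entry.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def extra_userinit_entries(value: str) -> List[str]:
    """Return every entry whose file name is not userinit.exe; a clean system returns []."""
    return [entry for entry in parse_userinit(value) if _basename(entry) != "userinit.exe"]


def matches_report(value: str) -> bool:
    """True when an extra entry carries the oembios.exe name this report associates with the trojan."""
    return any(_basename(entry) in REPORTED_IOC_NAMES for entry in extra_userinit_entries(value))


def read_userinit_from_registry() -> Optional[str]:
    """Read the live value on Windows; return None elsewhere so the parsing can be exercised offline."""
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
        return str(value)


if __name__ == "__main__":
    # Constructed sample: the "New value" quoted in the report, used when no registry is available
    userinit = read_userinit_from_registry() or r"%SYSDIR%\userinit.exe,%SYSDIR%\oembios.exe,"
    extras = extra_userinit_entries(userinit)
    print("Userinit:", userinit)
    print("Unexpected entries:", extras or "none")
    print("Matches Trojan.Spy.Zbot.KJ report:", matches_report(userinit))
```

Any extra entry is worth investigating even when it is not oembios.exe, since the same persistence slot is used by other families.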
It also creates the following files, which contain encrypted data: C:\Windows\sysproc64\sysproc32.sys, C:\Windows\system32\oembios.bin and C:\Windows\system32\oembios.dat.
It creates the following mutex as a signature of the infected system:
__SYSTEM__91C38905__
It tries to download
http://195.2.252.[removed]/n.bin, which contains encrypted data.
Further investigation showed that the server was registered near Moscow. Other domains hosted in the same IP range (probably on the same server, also registered near Moscow) link to online drug stores selling Viagra, Cialis and similar medicines.

Last update 21 November 2011
