
Trojan.Tzeebot


First posted on 05 December 2014.
Source: Symantec

Aliases :

There are no other names known for Trojan.Tzeebot.

Explanation :

The Trojan may arrive through websites that claim to offer legitimate software.

When the Trojan is executed, it creates the following files:

%UserProfile%\Application Data\Microsoft FxCop\1.tmd
%UserProfile%\Application Data\Microsoft FxCop\3.tmd
%UserProfile%\Application Data\Microsoft FxCop\4.tmd
%UserProfile%\Application Data\Microsoft FxCop\MainModule.dll
%UserProfile%\Application Data\Microsoft FxCop\c4febf31-f8bd-g26b.tmp
%UserProfile%\Application Data\Microsoft FxCop\netscp.exe
%UserProfile%\Application Data\Microsoft\Google Component Update.lnk
%UserProfile%\Application Data\Microsoft\Internet Explorer\LocalCash\
%UserProfile%\Application Data\Microsoft\Internet Explorer\LocalCash\14510223462812k.tmp
%UserProfile%\Application Data\Microsoft\Internet Explorer\Patches\
%UserProfile%\Application Data\Microsoft\Internet Explorer\SQP4H9Z2_A.tmp
%UserProfile%\Application Data\Microsoft\Internet Explorer\Temp\
%UserProfile%\Application Data\setup1.exe
%UserProfile%\Local Settings\Temp\5ce0.rra
%UserProfile%\Local Settings\Temp\_is2\0x0409.ini
%UserProfile%\Local Settings\Temp\_is2\Easy Resume Creator Pro.msi
%UserProfile%\Local Settings\Temp\_is2\ISScript8.Msi
%UserProfile%\Local Settings\Temp\_is2\Setup.INI
%UserProfile%\Local Settings\Temp\_is2\Setup.skin
%UserProfile%\Local Settings\Temp\_is2\_ISMSIDEL.INI
%UserProfile%\Local Settings\Temp\isde5d0f.rra
%UserProfile%\Local Settings\Temp\{01DCAD46-FF60-478B-88FB-8A17B1129F53}\
%UserProfile%\Local Settings\Temp\{01DCAD46-FF60-478B-88FB-8A17B1129F53}\Ask.exe
%UserProfile%\Local Settings\Temp\{01DCAD46-FF60-478B-88FB-8A17B1129F53}\IGdi.dll
%UserProfile%\Local Settings\Temp\{01DCAD46-FF60-478B-88FB-8A17B1129F53}\ISRT.DLL
%UserProfile%\Local Settings\Temp\{01DCAD46-FF60-478B-88FB-8A17B1129F53}\IsConfig.INI
%UserProfile%\Local Settings\Temp\{01DCAD46-FF60-478B-88FB-8A17B1129F53}\String1033.txt
%UserProfile%\Local Settings\Temp\{01DCAD46-FF60-478B-88FB-8A17B1129F53}\_ISRES.DLL
%UserProfile%\Local Settings\Temp\{01DCAD46-FF60-478B-88FB-8A17B1129F53}\_ISUSER.DLL
%UserProfile%\Local Settings\Temp\{01DCAD46-FF60-478B-88FB-8A17B1129F53}\license.txt
%UserProfile%\Local Settings\Temp\{01DCAD46-FF60-478B-88FB-8A17B1129F53}\setup.inx
%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\WHI70HUV\wpad[1].cache
%ProgramFiles%\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe
%ProgramFiles%\Common Files\InstallShield\Driver\8\Intel 32\IDriver2.exe
%ProgramFiles%\Common Files\InstallShield\Driver\8\Intel 32\ISRT.dll
%ProgramFiles%\Common Files\InstallShield\Driver\8\Intel 32\IScript8.dll
%ProgramFiles%\Common Files\InstallShield\Driver\8\Intel 32\IUser8.dll
%ProgramFiles%\Common Files\InstallShield\Driver\8\Intel 32\_ISRES1033.dll
%ProgramFiles%\Common Files\InstallShield\Driver\8\Intel 32\objps8.dll

The Trojan also creates the following folders:

%UserProfile%\Application Data\Microsoft FxCop\
%UserProfile%\Local Settings\Temp\_is2\
%ProgramFiles%\Common Files\InstallShield\
%ProgramFiles%\Common Files\InstallShield\Driver\
%ProgramFiles%\Common Files\InstallShield\Driver\8\
%ProgramFiles%\Common Files\InstallShield\Driver\8\Intel 32\

Next, the Trojan creates the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\"%ProgramFiles%\Common Files\InstallShield\Driver\8\Intel 32\" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\"%ProgramFiles%\Common Files\InstallShield\Driver\8\" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\"%ProgramFiles%\Common Files\InstallShield\Driver\" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\"%ProgramFiles%\Common Files\InstallShield\" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\InstallShield\Driver\8\Intel32\"Folder" = "%ProgramFiles%\Common Files\InstallShield\Driver\8\Intel 32\"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"ComponentUpdate" = "\"%UserProfile%\Application Data\Microsoft\Google Component Update.lnk\""
HKEY_CLASSES_ROOT\Interface\"{02C0495A-3F58-4701-9913-7E855178A5D9}" = "ISetupOpType"
HKEY_CLASSES_ROOT\ISInstallDriver.StringTable\"CLSID" = "{B84EDC85-8F87-4D92-A7DF-67AB94F2C528}"
HKEY_CLASSES_ROOT\"ISInstallDriver.StringTable" = "InstallShield InstallDriver String Table"
HKEY_CLASSES_ROOT\ISInstallDriver.StringTable.8\"CLSID" = "{B84EDC85-8F87-4D92-A7DF-67AB94F2C528}"
HKEY_CLASSES_ROOT\"ISInstallDriver.StringTable.8" = "InstallShield InstallDriver String Table"
HKEY_CLASSES_ROOT\ISInstallDriver.InstallDriver\"CLSID" = "{8B1670C8-DC4A-4ED4-974B-81737A23826B}"
HKEY_CLASSES_ROOT\"ISInstallDriver.InstallDriver" = "InstallShield InstallDriver"
HKEY_CLASSES_ROOT\ISInstallDriver.InstallDriver.1\"CLSID" = "{8B1670C8-DC4A-4ED4-974B-81737A23826B}"
HKEY_CLASSES_ROOT\"ISInstallDriver.InstallDriver.1" = "InstallShield InstallDriver"
HKEY_CLASSES_ROOT\IPW.User\"CLSID" = "{FFD7B771-8ECA-45DE-A944-7B013C6C2DF5}"
HKEY_CLASSES_ROOT\"IPW.User" = "InstallShield setup user interafce"
HKEY_CLASSES_ROOT\IPW.User.1\"CLSID" = "{FFD7B771-8ECA-45DE-A944-7B013C6C2DF5}"
HKEY_CLASSES_ROOT\"IPW.User.1" = "InstallShield setup user interafce"
HKEY_CLASSES_ROOT\IPW.ScriptEngine\"CLSID" = "{FC5F5A61-B28C-4E1C-9528-40B4B40A897B}"
HKEY_CLASSES_ROOT\"IPW.ScriptEngine" = "InstallShield Script Engine"
HKEY_CLASSES_ROOT\IPW.ScriptEngine.1\"CLSID" = "{FC5F5A61-B28C-4E1C-9528-40B4B40A897B}"
HKEY_CLASSES_ROOT\"IPW.ScriptEngine.1" = "InstallShield Script Engine"
HKEY_CLASSES_ROOT\CLSID\{FFD7B771-8ECA-45DE-A944-7B013C6C2DF5}\"VersionIndependentProgID" = "IPW.User"
HKEY_CLASSES_ROOT\CLSID\{FFD7B771-8ECA-45DE-A944-7B013C6C2DF5}\"ProgID" = "IPW.User.1"
HKEY_CLASSES_ROOT\CLSID\{FFD7B771-8ECA-45DE-A944-7B013C6C2DF5}\"InprocServer32" = "%ProgramFiles%\Common Files\InstallShield\Driver\8\Intel 32\IUser8.dll"
HKEY_CLASSES_ROOT\CLSID\{FFD7B771-8ECA-45DE-A944-7B013C6C2DF5}\InprocServer32\"ThreadingModel" = "Apartment"
HKEY_CLASSES_ROOT\CLSID\"{FFD7B771-8ECA-45DE-A944-7B013C6C2DF5}" = "InstallShield setup user interafce"
HKEY_CLASSES_ROOT\CLSID\{FC5F5A61-B28C-4E1C-9528-40B4B40A897B}\"VersionIndependentProgID" = "IPW.ScriptEngine"
HKEY_CLASSES_ROOT\CLSID\{FC5F5A61-B28C-4E1C-9528-40B4B40A897B}\"ProgID" = "IPW.ScriptEngine.1"
HKEY_CLASSES_ROOT\CLSID\{FC5F5A61-B28C-4E1C-9528-40B4B40A897B}\"InprocServer32" = "%ProgramFiles%\Common Files\InstallShield\Driver\8\Intel 32\IScript8.dll"
HKEY_CLASSES_ROOT\CLSID\{FC5F5A61-B28C-4E1C-9528-40B4B40A897B}\InprocServer32\"ThreadingModel" = "Apartment"
HKEY_CLASSES_ROOT\CLSID\"{FC5F5A61-B28C-4E1C-9528-40B4B40A897B}" = "InstallShield Script Engine"
HKEY_CLASSES_ROOT\CLSID\{B84EDC85-8F87-4D92-A7DF-67AB94F2C528}\"VersionIndependentProgID" = "ISInstallDriver.StringTable"
HKEY_CLASSES_ROOT\CLSID\{B84EDC85-8F87-4D92-A7DF-67AB94F2C528}\"ProgID" = "ISInstallDriver.StringTable.8"
HKEY_CLASSES_ROOT\CLSID\{B84EDC85-8F87-4D92-A7DF-67AB94F2C528}\"LocalServer32" = "%ProgramFiles%\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe"
HKEY_CLASSES_ROOT\CLSID\"{B84EDC85-8F87-4D92-A7DF-67AB94F2C528}" = "InstallShield InstallDriver String Table"
HKEY_CLASSES_ROOT\CLSID\{A1726C4F-5238-4907-B312-A7D3369E084E}\"InProcServer32" = "%ProgramFiles%\Common Files\InstallShield\Driver\8\Intel 32\objps8.dll"
HKEY_CLASSES_ROOT\CLSID\{A1726C4F-5238-4907-B312-A7D3369E084E}\InProcServer32\"ThreadingModel" = "Both"
HKEY_CLASSES_ROOT\CLSID\"{A1726C4F-5238-4907-B312-A7D3369E084E}" = "PSFactoryBuffer"
HKEY_CLASSES_ROOT\CLSID\{8B1670C8-DC4A-4ED4-974B-81737A23826B}\"VersionIndependentProgID" = "ISInstallDriver.InstallDriver"
HKEY_CLASSES_ROOT\CLSID\{8B1670C8-DC4A-4ED4-974B-81737A23826B}\"ProgID" = "ISInstallDriver.InstallDriver.1"
HKEY_CLASSES_ROOT\CLSID\{8B1670C8-DC4A-4ED4-974B-81737A23826B}\"LocalServer32" = "%ProgramFiles%\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe"
HKEY_CLASSES_ROOT\CLSID\"{8B1670C8-DC4A-4ED4-974B-81737A23826B}" = "InstallShield InstallDriver"
HKEY_CLASSES_ROOT\CLSID\{8B1670C8-DC4A-4ED4-974B-81737A23826B}\"AppID" = "{1BB3D82F-9803-4d29-B232-1F2F14E52A2E}"
HKEY_CLASSES_ROOT\CLSID\{697DEABA-809C-49FC-ADD1-E9902D88360D}\"VersionIndependentProgID" = "ISInstallDriver.InstallDriver"
HKEY_CLASSES_ROOT\CLSID\{697DEABA-809C-49FC-ADD1-E9902D88360D}\"ProgID" = "ISInstallDriver.InstallDriver.1"
HKEY_CLASSES_ROOT\CLSID\{697DEABA-809C-49FC-ADD1-E9902D88360D}\"LocalServer32" = "%ProgramFiles%\Common Files\InstallShield\Driver\8\Intel 32\IDriver2.exe"
HKEY_CLASSES_ROOT\CLSID\"{697DEABA-809C-49FC-ADD1-E9902D88360D}" = "InstallShield InstallDriver"
HKEY_CLASSES_ROOT\CLSID\{697DEABA-809C-49FC-ADD1-E9902D88360D}\"AppID" = "{C2B96968-8E30-4BA4-A8F9-F40D09D1EA7E}"
HKEY_CLASSES_ROOT\AppID\"{C2B96968-8E30-4BA4-A8F9-F40D09D1EA7E}" = "InstallShield InstallDriver"
HKEY_CLASSES_ROOT\AppID\"{1BB3D82F-9803-4d29-B232-1F2F14E52A2E}" = "InstallShield InstallDriver"
HKEY_CLASSES_ROOT\AppID\{1BB3D82F-9803-4d29-B232-1F2F14E52A2E}\"RunAs" = "Interactive User"
HKEY_CLASSES_ROOT\AppID\"IDriver2.exe" = ""
HKEY_CLASSES_ROOT\AppID\IDriver2.exe\"AppID" = "{C2B96968-8E30-4BA4-A8F9-F40D09D1EA7E}"
HKEY_CLASSES_ROOT\AppID\"IDriver.EXE" = ""
HKEY_CLASSES_ROOT\AppID\IDriver.EXE\"AppID" = "{1BB3D82F-9803-4d29-B232-1F2F14E52A2E}"
HKEY_CLASSES_ROOT\"AppID" = ""

The Trojan may then perform the following actions:

Load or unload different modules of the threat
Open a back door
Transfer files through File Transfer Protocol (FTP)
Capture screenshots
Detect antivirus software
Gather passwords and clipboard data
Log keystrokes

Last update 05 December 2014
