
PWS:Win32/Zbot.M


First posted on 24 April 2009.
Source: SecurityHome

Aliases:

PWS:Win32/Zbot.M is also known as PWS-Zbot.gen.e (McAfee), Trojan-Spy.Win32.Zbot.rxp (Kaspersky), Infostealer (Symantec), Trojan.Spy.ZBot.SB (BitDefender), Troj/Agent-JNR (Sophos).

Explanation:

PWS:Win32/Zbot.M is a password-stealing trojan that contains limited backdoor functionality. It is capable of stealing login credentials for particular sites, cached passwords, and information contained in certificates and cookies. It is often distributed as an attachment to spam e-mail messages.

Symptoms

System Changes
The following system changes may indicate the presence of this malware:

  • The presence of the following file:
    <system folder>\sdra64.exe
  • The presence of the following registry modification:
    Value: "userinit"
    With data: "<system folder>\userinit.exe,<system folder>\sdra64.exe,"
    In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon


Installation

PWS:Win32/Zbot.M may arrive on the system via a spammed e-mail as an attachment with a filename such as 'UPS_NR1.zip' (containing 'UPS_NR1.exe') or 'UPS_NNR01.zip', as in the following example:

    From: <spoofed>
    To: <recipient email address>
    Subject: Postal Tracking #7GX6V206588M3KY
    Attachment: UPS_NR1.zip (contains UPS_NR1.exe and is detected as PWS:Win32/Zbot.M)
    Message Body:
    Hello!
    We were not able to deliver postal package you sent on the 14th of March in time because the recipient’s address is not correct.. Please print out the invoice copy attached and collect the package at our office.
    Your United Parcel Service of America

Note that the attachment 'UPS_NR1.zip' is a ZIP archive containing an executable named 'UPS_NR1.exe'. The executable uses the Compiled HTML Help file icon; the icon is an attempt to entice users into opening the file by double-clicking it. Upon execution of the executable within the archive, the trojan drops a copy of itself as the following:

    <system folder>\sdra64.exe

The registry is modified to execute the dropped copy at each Windows start:

    Adds value: "userinit"
    With data: "<system folder>\userinit.exe,<system folder>\sdra64.exe,"
    To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

When 'sdra64.exe' executes, it injects code into the running process 'WINLOGON.EXE' and creates a remote thread there. The code injected into 'WINLOGON.EXE' then injects further code into the following processes:

  • svchost.exe
  • smss.exe
  • services.exe
  • lsass.exe
  • explorer.exe
  • vmsrvc.exe
  • mscorsvw.exe


Payload

Steals Sensitive Data
PWS:Win32/Zbot.M attempts to steal the following sensitive information from the affected system:

  • certificates
  • cached passwords
  • cookies

It also creates the following encrypted log file under a hidden directory:

    <system folder>\lowsec\user.ds

Backdoor Functionality
PWS:Win32/Zbot.M may download a configuration file from the Internet website 'finksayq.ru' at TCP port 80 for additional instructions from a remote attacker.

Additional Information
PWS:Win32/Zbot.M may make additional registry changes, including the following:

    Adds value: "UID"
    With data: "<machine specific>"
    To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Network
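The following script is an added example, not part of the SecurityHome write-up or of the original vendor analysis. It turns the host indicators from the Symptoms section (the extra entry appended to the Winlogon Userinit value, the dropped sdra64.exe and the lowsec\user.ds log file) and the network indicator from the Backdoor Functionality section (traffic to finksayq.ru) into checks that can be run against a registry value, a filesystem and a batch of proxy or DNS log lines. All sample inputs in the block are constructed; the live registry read assumes the standard Winlogon value name "Userinit" and only runs on Windows.

```python
import ntpath
import os
import sys
from typing import Callable, Dict, Iterable, List

# Indicators taken from the description above.
DROPPED_FILE = "sdra64.exe"
LOG_FILE_RELATIVE = ("lowsec", "user.ds")
CONFIG_HOST = "finksayq.ru"
WINLOGON_SUBKEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"

# A clean Userinit value names only userinit.exe (Windows itself writes a
# trailing comma, e.g. "C:\Windows\system32\userinit.exe,").
EXPECTED_USERINIT_BASENAMES = {"userinit.exe"}


def parse_userinit(value: str) -> List[str]:
    """Split the comma-separated Userinit value into trimmed, non-empty entries."""
    return [e.strip() for e in value.split(",") if e.strip()]


def unexpected_userinit_entries(value: str) -> List[str]:
    """Return Userinit entries whose basename is not userinit.exe.

    The comparison is by basename and case-insensitive, so it flags the
    appended sdra64.exe entry from the description and any other extra
    program chained after userinit.exe, wherever it lives.
    """
    return [
        e for e in parse_userinit(value)
        if ntpath.basename(e).lower() not in EXPECTED_USERINIT_BASENAMES
    ]


def file_indicators(system_folder: str) -> List[str]:
    """Full paths of the dropped copy and the encrypted log file."""
    return [
        ntpath.join(system_folder, DROPPED_FILE),
        ntpath.join(system_folder, *LOG_FILE_RELATIVE),
    ]


def present_file_indicators(system_folder: str,
                            exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Subset of file_indicators() that exists on disk; `exists` is injectable for tests."""
    return [p for p in file_indicators(system_folder) if exists(p)]


def network_indicator_hits(log_lines: Iterable[str]) -> List[str]:
    """Proxy/DNS log lines that mention the configuration-download host."""
    return [line for line in log_lines if CONFIG_HOST in line.lower()]


def read_live_userinit() -> str:
    """Read the Winlogon Userinit value on Windows; return '' on other platforms."""
    if sys.platform != "win32":
        return ""
    import winreg  # only importable on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_SUBKEY) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")  # assumed standard value name
    return value


def audit(userinit_value: str, system_folder: str, log_lines: Iterable[str],
          exists: Callable[[str], bool] = os.path.exists) -> Dict[str, List[str]]:
    """Run all three indicator checks and return the findings per category."""
    return {
        "userinit": unexpected_userinit_entries(userinit_value),
        "files": present_file_indicators(system_folder, exists),
        "network": network_indicator_hits(log_lines),
    }


if __name__ == "__main__":
    sysdir = ntpath.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32")
    # Constructed sample inputs mirroring the indicators in the description.
    infected_userinit = sysdir + r"\userinit.exe," + sysdir + r"\sdra64.exe,"
    sample_log = [
        "2009-04-24 10:01:02 10.0.0.5 GET http://finksayq.ru/ 200",   # constructed
        "2009-04-24 10:01:03 10.0.0.5 GET http://example.com/ 200",   # constructed
    ]
    print(audit(infected_userinit, sysdir, sample_log))
    live = read_live_userinit()
    if live:
        print("live Userinit check:", unexpected_userinit_entries(live))
```

The Userinit check deliberately compares basenames rather than looking for the literal sdra64.exe string, because the file name is the easiest part of the indicator to change while the persistence mechanism (chaining a second program after userinit.exe) is the part that survives across variants; any extra entry in that value deserves a look.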

Analysis by Wei Li

Last update 24 April 2009
