
PWS:Win32/Zbot.gen!AJ


First posted on 12 September 2012.
Source: Microsoft

Aliases:

PWS:Win32/Zbot.gen!AJ is also known as Win32/Kryptik.AKUL (ESET), Mal/NecursDrp-A (Sophos), Spyware/Win32.Zbot (AhnLab), TR/PSW.Zbot.AJ.286 (Avira), Trojan.PWS.Panda.1949 (Dr.Web), Trojan-PWS.Win32.Zbot (Ikarus), Trojan-Spy.Win32.Zbot.eqmz (Kaspersky), TSPY_ZBOT.SD (Trend Micro).

Explanation:

PWS:Win32/Zbot.gen!AJ is a password-stealing trojan that also allows backdoor access and control of your computer. It belongs to the PWS:Win32/Zbot family of trojans.

Also known as "Zeus", this trojan can:

  • Lower the security of your Internet browser
  • Steal sensitive information about you and your computer
  • Allow unauthorized access and control of an affected computer


The trojan is usually distributed via spam emails or through compromised websites.
Installation

When run, PWS:Win32/Zbot.gen!AJ drops a copy of itself as a randomly named file, in the following format:

%APPDATA%\<random letters>\<random letters>.exe

Note: %APPDATA% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Application Data folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Application Data". For Windows Vista and 7, the default location is "C:\Users\<user>\AppData\Roaming".

For example:

C:\Documents and Settings\Administrator\Application Data\iciz\uxqug.exe

The copy is modified with extra, meaningless data to distinguish it from the original file.

PWS:Win32/Zbot.gen!AJ modifies the following registry entry to ensure that its copy runs at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random letters>", for example "Ryatper"
With data: "%APPDATA%\<random letters>\<random letters>.exe", for example "C:\Documents and Settings\Administrator\Application Data\iciz\uxqug.exe"

PWS:Win32/Zbot.gen!AJ injects code into certain targeted running processes that run with your current user privileges.

Additionally, the trojan will inject its code into all user-level processes (such as "explorer.exe" and "iexplore.exe").

This behavior is intended to hide the trojan from security applications.
Payload

Captures sensitive information

PWS:Win32/Zbot.gen!AJ hooks APIs used by Internet Explorer and Mozilla Firefox to steal sensitive data, such as online banking, shopping, email and network credentials, when you visit certain websites. For a list of the hooked APIs, see the Additional information section of this entry.

The trojan also steals the following sensitive information from your computer:

  • Digital certificates
  • Internet Explorer cookies
  • Stored passwords


It uses a configuration file to determine the websites that it will steal from when you visit them.

The trojan also logs keystrokes and obtains a screenshot of your computer.

Captured data is sent to a predefined FTP or email server, specified in the configuration file, for collection by a remote attacker.

Contacts remote host

PWS:Win32/Zbot.gen!AJ attempts to connect to the following addresses to report its infection and download the configuration file:

  • gabgraph.com/sopelka1/file.php
  • rafaywa.com/sopelka1/file.php
  • viernon.com/sopelka1/file.php


Lowers Internet browser security

PWS:Win32/Zbot lowers Internet Explorer Internet zone security settings by making the following changes to the registry:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
Sets value: "1609"
With data: "0"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Sets value: "1406"
With data: "0"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Sets value: "1609"
With data: "0"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Sets value: "1406"
With data: "0"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
Sets value: "1406"
With data: "0"
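As an added example (not code from the Microsoft entry or this site), the following Python checker scans a `.reg` export for the two registry artifacts described above: a Run value whose data matches `%APPDATA%\<random letters>\<random letters>.exe` (under either default Application Data path), and Internet zone URL actions 1609 or 1406 set to 0 (Enable) in zones 0 to 4. The sample export embedded in it is constructed for illustration; the "Updater" entry is a made-up benign value used as a negative case.

```python
import re
# Artifact 1 (Installation): a Run value pointing at
# %APPDATA%\<random letters>\<random letters>.exe under either default Application Data path.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
ZBOT_PATH = re.compile(
    r"^(?:%APPDATA%|.*\\(?:Application Data|AppData\\Roaming))\\[a-z]+\\[a-z]+\.exe$",
    re.IGNORECASE)

# Artifact 2 (Lowers Internet browser security): actions 1609/1406 set to 0 (Enable) in zones 0-4.
ZONE_KEY = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
    r"\\Zones\\([0-4])$", re.IGNORECASE)
WEAKENED_ACTIONS = {"1609", "1406"}

def parse_reg(text):
    """Yield (key, value name, data) for REG_SZ and REG_DWORD lines of a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            name, _, rest = line[1:].partition('"=')
            if rest.startswith("dword:"):
                yield key, name, int(rest[6:], 16)
            elif len(rest) >= 2 and rest[0] == rest[-1] == '"':
                yield key, name, rest[1:-1].replace("\\\\", "\\")  # .reg doubles backslashes

def find_indicators(reg_text):
    """Return human-readable findings for the two artifacts the entry describes."""
    findings = []
    for key, name, data in parse_reg(reg_text):
        if key.lower() == RUN_KEY.lower() and isinstance(data, str) and ZBOT_PATH.match(data):
            findings.append(f"suspicious Run value {name!r} -> {data}")
        zone = ZONE_KEY.match(key)
        if zone and name in WEAKENED_ACTIONS and data == 0:
            findings.append(f"zone {zone.group(1)} action {name} set to 0 (Enable)")
    return findings

# Constructed sample export: one Zbot-style Run value, one benign one, two weakened zone actions.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Ryatper"="C:\\Documents and Settings\\Administrator\\Application Data\\iciz\\uxqug.exe"
"Updater"="C:\\Program Files\\Vendor\\updater.exe /silent"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1609"=dword:00000000
"1406"=dword:00000003
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1406"=dword:00000000
'''
```

On a live host, feed `find_indicators` the text of `reg export HKCU\Software out.reg` (read with `encoding="utf-16"`) instead of `SAMPLE_REG`; a benign Run value with arguments or a vendor path, such as the sample's "Updater", is not reported.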

Additional information

PWS:Win32/Zbot.gen!AJ hooks the following Windows system APIs:

  • advapi32.dll:
    • CreateProcessAsUserA
    • CreateProcessAsUserW

  • crypt32.dll:
    • PFXImportCertStore

  • gdi32.dll:
    • CallWindowProcA
    • CallWindowProcW
    • DefDlgProcA
    • DefDlgProcW
    • DefFrameProcA
    • DefFrameProcW
    • DefMDIChildProcA
    • DefMDIChildProcW
    • DefWindowProcA
    • DefWindowProcW
    • OpenInputDesktop
    • RegisterClassA
    • RegisterClassExA
    • RegisterClassExW
    • RegisterClassW
    • SwitchDesktop

  • kernel32.dll:
    • ExitProcess
    • GetFileAttributesExW

  • nspr.dll:
    • PR_Close
    • PR_OpenTCPSocket
    • PR_Read
    • PR_Write
    • PR_GetNameForIdentity

  • ntdll.dll:
    • LdrLoadDll
    • ZwCreateThread

  • user32.dll:
    • BeginPaint
    • CallWindowProcA
    • CallWindowProcW
    • DefDlgProcA
    • DefDlgProcW
    • DefFrameProcA
    • DefFrameProcW
    • DefMDIChildProcA
    • DefMDIChildProcW
    • DefWindowProcA
    • DefWindowProcW
    • EndPaint
    • GetCapture
    • GetClipboardData
    • GetCursorPos
    • GetDC
    • GetDCEx
    • GetMessageA
    • GetMessagePos
    • GetMessageW
    • GetUpdateRect
    • GetUpdateRgn
    • GetWindowDC
    • OpenInputDesktop
    • PeekMessageA
    • PeekMessageW
    • RegisterClassA
    • RegisterClassExA
    • RegisterClassExW
    • RegisterClassW
    • ReleaseCapture
    • ReleaseDC
    • SetCapture
    • SetCursorPos
    • SwitchDesktop
    • TranslateMessage

  • winmm.dll:
    • PlaySoundA
    • PlaySoundW

  • wininet.dll:
    • HttpEndRequestA
    • HttpEndRequestW
    • HttpOpenRequestA
    • HttpOpenRequestW
    • HttpQueryInfoA
    • HttpSendRequestA
    • HttpSendRequestExA
    • HttpSendRequestExW
    • HttpSendRequestW
    • InternetCloseHandle
    • InternetQueryDataAvailable
    • InternetReadFile
    • InternetReadFileExA
    • InternetSetFilePointer
    • InternetSetOptionA
    • InternetSetStatusCallbackA
    • InternetSetStatusCallbackW

  • ws2_32.dll:
    • closesocket
    • getaddrinfo
    • gethostbyname
    • send
    • WSASend


In the wild, we have observed this malware leaving messages to infected users in its code.

Related encyclopedia entries

PWS:Win32/Zbot



Analysis by Zarestel Ferrer

Last update 12 September 2012
