
PWS:Win32/Zbot.RI


First posted on 12 March 2010.
Source: SecurityHome

Aliases :

PWS:Win32/Zbot.RI is also known as TROJ_ZBOT.BRJ (Trend Micro), Trojan-Spy.Win32.Zbot.abje (Kaspersky), Trojan.Zbot (Symantec).

Explanation :

PWS:Win32/Zbot.RI is a password stealing trojan. Win32/Zbot also contains backdoor functionality that allows unauthorized access and control of an affected machine.

Installation

When executed, PWS:Win32/Zbot.RI copies itself with a variable file name to the System directory, for example:

<system folder>\wsnpoema.exe

Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.

It modifies the registry to execute this copy at each Windows start:

Sets value: "userinit"
With data: "<system folder>\userinit.exe,<system folder>\<malware filename>,"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

For example:

Sets value: "userinit"
With data: "<system folder>\userinit.exe,<system folder>\wsnpoema.exe"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Many Zbot variants utilize code injection in order to hinder detection and removal. When PWS:Win32/Zbot.RI executes, it may inject code into the running process 'winlogon.exe', which in turn injects code into other running processes, including the following, for example:

  • explorer.exe
  • lsass.exe
  • services.exe
  • smss.exe
  • svchost.exe
  • winlogon.exe
  • wmiprvse.exe
  • wuauclt.exe
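As an added defensive check (not part of the original analysis), the following Python parses the Winlogon "Userinit" data described under Installation and flags any entry other than the legitimate userinit.exe in the system folder. The sample registry values and the system folder path are constructed assumptions; the live registry read only runs on Windows.

```python
"""Flag extra entries in the Winlogon "Userinit" value, the persistence
mechanism described above. Added example, not from the original analysis;
the sample registry data below is constructed from the page's description."""
import ntpath
from typing import List, Optional

WINLOGON_SUBKEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
LEGIT_NAME = "userinit.exe"

# Constructed sample data: a clean XP-style value (note the trailing comma)
# and one carrying the extra entry this variant appends.
CLEAN_VALUE = r"C:\Windows\System32\userinit.exe,"
INFECTED_VALUE = r"C:\Windows\System32\userinit.exe,C:\Windows\System32\wsnpoema.exe"


def parse_userinit(value: str) -> List[str]:
    """Split the comma-separated data; drop the empty entry a trailing comma leaves."""
    return [e.strip().strip('"') for e in value.split(",") if e.strip().strip('"')]


def is_legit_userinit(entry: str, system_folder: str) -> bool:
    """True only for userinit.exe located in the system folder (or given as a
    bare name); paths are compared case-insensitively, as NTFS does."""
    directory, name = ntpath.split(ntpath.normpath(entry))
    if name.lower() != LEGIT_NAME:
        return False
    return directory == "" or directory.lower() == ntpath.normpath(system_folder).lower()


def suspicious_userinit_entries(value: str, system_folder: str) -> List[str]:
    """Every entry winlogon would launch at logon that is not the legitimate userinit.exe."""
    return [e for e in parse_userinit(value) if not is_legit_userinit(e, system_folder)]


def read_live_userinit() -> Optional[str]:
    """Read the live value on Windows (read access needs no elevation); None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_SUBKEY) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    live = read_live_userinit()
    if live is None:
        print("not on Windows; checking the constructed sample instead")
        live = INFECTED_VALUE
    print("suspicious:", suspicious_userinit_entries(live, r"C:\Windows\System32"))
```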
Payload

Steals sensitive information

The Zbot family of malware is used to obtain sensitive information from the affected system, such as:

  • Trusted Web site certificates
  • Cached Web browser passwords
  • Cookies

Note: Many Zbot variants specifically target the websites of Bank of America.

Variants of Zbot may also parse e-mail and FTP traffic in order to obtain e-mail addresses and FTP login details.

Contacts remote site for instruction / Downloads and executes arbitrary files

After installation, PWS:Win32/Zbot.RI attempts to contact the remote site calvinkleinstuffz.com via port 80 in order to download additional instructions (which may be in the form of a configuration file) and/or arbitrary files to execute.

Allows remote backdoor access and control

Zbot can be instructed to perform a host of actions by a remote attacker, including the following:
  • Rename itself
  • Obtain certificates and other stolen information
  • Block specified URLs
  • Download and execute arbitrary files
  • Establish a Socks proxy


Analysis by Matt McCormack

Last update 12 March 2010
