PWS:Win32/Zbot.gen!V is a generic detection for a variant of a password-stealing trojan that monitors for visits to certain Web sites. Some variants allow limited remote access and control and may terminate certain security-related processes.
The trojan is capable of capturing logon credentials for particular Web sites, cached passwords and information contained in certificates and cookies. It is often distributed as an attachment to spam e-mail messages.
Installation
When run, this trojan creates a mutex with a name such as the following to prevent execution of more than one instance of the malware:
- _AVIRA_21099
- _AVIRA_<4 digits> (such as AVIRA_2108, AVIRA_2109, etc.)
The trojan drops a copy of itself as the following with file attributes set to 'hidden', 'system' and 'archive':
The registry is modified to execute the dropped copy at each Windows start.
Sets value: "Userinit"
With data: "<system folder>\userinit.exe,<system folder>\sdra64.exe"
In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
When "sdra64.exe" executes, it injects code and creates a remote thread in the running process "winlogon.exe". The code injected into "winlogon.exe" then injects further code into other running processes such as the following:
- svchost.exe
- smss.exe
- services.exe
- lsass.exe
- explorer.exe
PWS:Win32/Zbot.gen!V may also create the following files once it is active:
The trojan may also create the following registry entries:
Sets value: "UID"
With data: "<machine name>_<random string>"
In subkeys:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Network
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Network
Sets value: "{3039636B-5F3D-6C64-6675-696870667265}"
With data: "÷ò"
In subkey:
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
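The installation indicators above (the mutex naming pattern, the extra "sdra64.exe" entry appended to the Winlogon "Userinit" value, the "UID" value under the Network subkeys) and the "lowsec\user.ds" drop location named under Payload can be turned into a host triage check. The following is an added example written for this page, not code from the detection's author; the host facts it inspects are a constructed dictionary, and the mutex regex is an assumption generalised from the two name forms listed above (4 or 5 digits after "_AVIRA_").

```python
import re
from typing import Dict, List

# Indicators taken from the description on this page.
MUTEX_PATTERN = re.compile(r"^_AVIRA_\d{4,5}$")   # assumption: covers _AVIRA_2108 and _AVIRA_21099
DROPPED_NAME = "sdra64.exe"
LOWSEC_DIR = "\\lowsec\\"
UID_SUBKEYS = {
    r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Network",
    r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Network",
}


def parse_userinit(value: str) -> List[str]:
    """Split a Winlogon Userinit value into its comma-separated entries.

    The clean default ends with a trailing comma, so empty entries are dropped.
    """
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def check_userinit(value: str, system_folder: str = r"C:\Windows\system32") -> List[str]:
    """Return every Userinit entry other than the expected <system folder>\\userinit.exe."""
    expected = (system_folder + r"\userinit.exe").lower()
    return [
        f"unexpected Userinit entry: {entry}"
        for entry in parse_userinit(value)
        if entry.lower() != expected
    ]


def check_mutexes(mutex_names: List[str]) -> List[str]:
    """Flag mutex names matching the _AVIRA_<digits> pattern described above."""
    return [f"Zbot-style mutex: {name}" for name in mutex_names if MUTEX_PATTERN.match(name)]


def check_registry(values: Dict[str, Dict[str, str]]) -> List[str]:
    """values maps a subkey path to its {value name: data} pairs."""
    return [
        f"UID value under {subkey}: {data['UID']}"
        for subkey, data in values.items()
        if subkey in UID_SUBKEYS and "UID" in data
    ]


def check_files(paths: List[str]) -> List[str]:
    """Flag the dropped executable and anything under the lowsec directory."""
    findings = []
    for path in paths:
        low = path.lower()
        if low.endswith("\\" + DROPPED_NAME) or LOWSEC_DIR in low:
            findings.append(f"suspicious file: {path}")
    return findings


def triage(host: dict) -> List[str]:
    """Run all checks over a dictionary of facts collected from one host."""
    findings: List[str] = []
    findings += check_userinit(host.get("userinit", ""), host.get("system_folder", r"C:\Windows\system32"))
    findings += check_mutexes(host.get("mutexes", []))
    findings += check_registry(host.get("registry", {}))
    findings += check_files(host.get("files", []))
    return findings


# Constructed sample host exhibiting every indicator (not real collection output).
SAMPLE_HOST = {
    "system_folder": r"C:\Windows\system32",
    "userinit": r"C:\Windows\system32\userinit.exe,C:\Windows\system32\sdra64.exe",
    "mutexes": ["_AVIRA_2108", "Global\\SomeBenignMutex"],
    "registry": {
        r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Network": {"UID": "WORKSTATION1_ab12cd"},
    },
    "files": [r"C:\Windows\system32\sdra64.exe", r"C:\Windows\system32\lowsec\user.ds"],
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_HOST):
        print(finding)
```

A clean machine yields no findings from `check_userinit` because the default value is a single userinit.exe entry followed by a trailing comma; any additional path is reported, which also catches other malware families that append themselves to the same value.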
Payload
Allows backdoor access
PWS:Win32/Zbot.gen!V searches for the following installed firewalls:
It then creates a named pipe that allows it to bypass these firewalls so that an attacker can gain remote access to the infected machine.
The trojan opens a high numbered TCP port such as TCP port 10502 and awaits a connection from a remote attacker.
Steals sensitive data
PWS:Win32/Zbot.gen!V attempts to steal the following sensitive information from the system:
- certificates
- cached passwords
- cookies
The stolen information is then stored in the following file:
<system folder>\lowsec\user.ds
Captured logon credentials are then sent to an attacker or uploaded to a predefined remote server.
Downloads arbitrary files
In the wild we have observed this trojan attempt a connection to the domain "primusdns.ru" at TCP port 80 (HTTP) to retrieve an encrypted data file named "config.bin".
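The two network behaviours described under Payload, a listening backdoor on a high TCP port such as 10502 and an HTTP retrieval of "config.bin" from "primusdns.ru", can be checked from a web proxy log and a `netstat -ano` listing. The following is an added example for this page, not code from the analysis above; the log lines and the PID-to-process map are constructed, the proxy line layout is an assumed generic format, and treating a listener owned by winlogon.exe as suspicious is an analyst heuristic derived from the injection behaviour described under Installation, not a statement from the page.

```python
from typing import Dict, List, Tuple

C2_DOMAIN = "primusdns.ru"   # domain named on this page
CONFIG_NAME = "config.bin"   # encrypted data file named on this page
BACKDOOR_PORT = 10502        # example listening port named on this page

# Constructed proxy log lines (assumed layout): timestamp client method host:port path status
PROXY_LOG = """\
1700000000.001 10.0.0.5 GET www.example.com:80 /index.html 200
1700000000.502 10.0.0.7 GET primusdns.ru:80 /config.bin 200
1700000001.113 10.0.0.9 GET www.example.com:443 /config.bin 200
"""

# Constructed `netstat -ano`-style lines: proto local foreign state pid
NETSTAT = """\
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 880
TCP 0.0.0.0:10502 0.0.0.0:0 LISTENING 620
TCP 10.0.0.7:49152 10.0.0.1:445 ESTABLISHED 4
"""

# Constructed mapping from PID to image name (as tasklist would report it).
PROCESS_BY_PID: Dict[int, str] = {880: "svchost.exe", 620: "winlogon.exe", 4: "System"}


def find_config_downloads(log: str) -> List[Tuple[str, str]]:
    """Return (client, path) for HTTP requests fetching config.bin from the C2 domain on port 80."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines rather than failing the whole scan
        _ts, client, _method, hostport, path, _status = parts
        host, _, port = hostport.rpartition(":")
        if host.lower() == C2_DOMAIN and port == "80" and path.lower().endswith("/" + CONFIG_NAME):
            hits.append((client, path))
    return hits


def find_backdoor_listeners(netstat: str, proc_by_pid: Dict[int, str]) -> List[Tuple[int, str]]:
    """Return (port, process) for TCP listeners on the backdoor port or owned by winlogon.exe."""
    hits = []
    for line in netstat.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue
        port = int(parts[1].rsplit(":", 1)[1])
        proc = proc_by_pid.get(int(parts[4]), "unknown")
        # Heuristic (assumption): winlogon.exe has no business listening on any port.
        if port == BACKDOOR_PORT or proc.lower() == "winlogon.exe":
            hits.append((port, proc))
    return hits


if __name__ == "__main__":
    print("config.bin retrievals:", find_config_downloads(PROXY_LOG))
    print("backdoor listeners:", find_backdoor_listeners(NETSTAT, PROCESS_BY_PID))
```

The proxy check requires the domain, port and file name to match together, so an unrelated "config.bin" from another host is not reported; the port check is deliberately exact, because a single high port number is too weak an indicator on its own, while the winlogon.exe condition is what makes the listener check useful against variants that pick a different port.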
Analysis by Wei Li