Threat behavior
PWS:Win32/Zbot.gen!W is a generic detection for a variant of a password-stealing trojan that monitors for visits to certain Web sites. Some samples allow limited backdoor access and control and may terminate certain security-related processes.
Installation
When executed, PWS:Win32/Zbot.gen!W drops a copy of itself as the following file:
- <system folder>\sdra64.exe
Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP, Vista and 7.
It may also create the following files once it is active:
- <system folder>\lowsec\local.ds - configuration file
- <system folder>\lowsec\user.ds - stolen data
PWS:Win32/Zbot.gen!W modifies the registry to launch itself once the user logs on to Windows:
Adds value: "userinit"
With data: "<system folder>\userinit.exe,<system folder>\sdra64.exe,"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
It also creates an infection marker in the registry:
Adds value: "UID"
With data: "<machine name>_<random string>"
In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Network or HKCU\Software\Microsoft\Windows NT\CurrentVersion\Network
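To check a host for the persistence entry, infection marker and dropped files listed above, here is an added PowerShell example (it is not part of this write-up). It assumes the System folder is %SystemRoot%\System32 and only reads the registry and file system; run it from an elevated prompt.

```powershell
# Added example, not from the original write-up: read-only triage for the
# PWS:Win32/Zbot.gen!W artifacts described above. Assumes %SystemRoot%\System32.
$systemFolder = Join-Path $env:SystemRoot 'System32'
$findings = @()

# 1. Winlogon "Userinit" normally holds only "<system folder>\userinit.exe,".
#    The trojan appends its own dropped file to that comma-separated list.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name 'Userinit' -ErrorAction SilentlyContinue).Userinit
if ($userinit) {
    $entries = $userinit.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($entry in $entries) {
        if ($entry -notlike '*\userinit.exe') {
            $findings += "Unexpected Userinit entry (review it): $entry"
        }
    }
}

# 2. Files the write-up says the trojan drops under the System folder.
foreach ($relative in 'sdra64.exe', 'lowsec\local.ds', 'lowsec\user.ds') {
    $path = Join-Path $systemFolder $relative
    if (Test-Path -LiteralPath $path) {
        $findings += "Dropped file present: $path"
    }
}

# 3. "UID" infection marker under the Network subkey, in either hive.
foreach ($hive in 'HKLM', 'HKCU') {
    $networkKey = "${hive}:\Software\Microsoft\Windows NT\CurrentVersion\Network"
    $uid = (Get-ItemProperty -Path $networkKey -Name 'UID' -ErrorAction SilentlyContinue).UID
    if ($uid) {
        $findings += "Infection marker ${hive}\...\Network\UID = $uid"
    }
}

if ($findings.Count -eq 0) {
    'No PWS:Win32/Zbot.gen!W artifacts found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

A flagged Userinit entry is worth confirming against the dropped-file and UID checks, since the same value can be altered by other malware families and, rarely, by legitimate software.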
Payload
Steals user credentials
PWS:Win32/Zbot.gen!W may monitor whether the user visits certain Web sites. If so, it may steal the user's account information as it is entered in the browser.
The stolen information is then stored in its dropped file <system folder>\lowsec\user.ds.
Analysis by Jireh Sanico
Prevention