PWS:Win32/Zbot.PC


PWS:Win32/Zbot.PC is a password stealing trojan. Win32/Zbot also contains backdoor functionality that allows unauthorized access and control of an affected machine.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft Safety Scanner (http://go.microsoft.com/fwlink/?LinkId=212742). For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.
 
PWS:Win32/Zbot attempts to steal sensitive and confidential information from affected users in order to perpetrate fraud. If you believe that your personal financial information may have been compromised, please refer to the following advisory for additional advice:

Threat behavior

Installation
When executed, PWS:Win32/Zbot.PC copies itself with a variable file name to the System directory, for example:
<system folder>\ntos.exe
 
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
 
It modifies the registry to execute this copy at each Windows start:
Sets value: "userinit"
With data: "<system folder>\userinit.exe,<system folder>\<malware filename>,"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
 
For example:
Sets value: "userinit"
With data: "<system folder>\userinit.exe,<system folder>\ntos.exe"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
 
Many Zbot variants use code injection in order to hinder detection and removal. When PWS:Win32/Zbot.PC executes, it may inject code into the running process 'winlogon.exe', which in turn injects code into other running processes, including the following:
  • explorer.exe
  • lsass.exe
  • msiexec.exe
  • services.exe
  • smss.exe
  • svchost.exe
  • winlogon.exe
PWS:Win32/Zbot.PC may also create the following additional files on an affected machine:
  • <system folder>\wsnpoem\audio.dll
  • <system folder>\wsnpoem\video.dll.cla
Payload
Steals sensitive information
The Zbot family of malware is used to obtain sensitive information from the affected system, such as:
  • Trusted Web site certificates
  • Cached Web browser passwords 
  • Cookies
Note: Many Zbot variants specifically target the websites of Bank of America.

Variants of Zbot may also parse e-mail and FTP traffic in order to obtain e-mail addresses and FTP login details.
 
Contacts remote site for instruction/Downloads and executes arbitrary files
After installation, PWS:Win32/Zbot.PC attempts to contact the remote site smsdiarybig.cn via port 80 in order to download additional instructions (which may be in the form of a configuration file) and/or arbitrary files to execute.
 
Allows remote backdoor access and control
Zbot can be instructed to perform a host of actions by a remote attacker, including the following:
  • Rename itself
  • Obtain certificates and other stolen information
  • Block specified URLs
  • Download and execute arbitrary files
  • Establish a Socks proxy
Additional Information
PWS:Win32/Zbot.PC may make the following additional registry modifications:
Sets value: "UID"
With data: "avm<machine specific ID>"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Network
Sets value: "ParseAutoexec"
With data: "1"
To subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
 
Analysis by Matt McCormack

Symptoms

System Changes
The following system changes may be indicative of a PWS:Win32/Zbot.PC infection:
Presence of the following file/s:
<system folder>\ntos.exe
<system folder>\wsnpoem\audio.dll
<system folder>\wsnpoem\video.dll.cla 
 
The presence of the following registry modifications (or similar):
Sets value: "userinit"
With data: "<system folder>\userinit.exe,<system folder>\ntos.exe,"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "UID"
With data: "avm<machine specific ID>"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Network
Sets value: "ParseAutoexec"
With data: "1"
To subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Prevention


Alert level: Severe
First detected by definition: 1.55.1566.0
Latest detected by definition: 1.55.1566.0 and higher
First detected on: Apr 13, 2009
This entry was first published on: Sep 08, 2009
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Trojan-Spy.Win32.Zbot.sak (Kaspersky)
  • Infostealer.Banker.C (Symantec)