This threat can be downloaded by variants of the Win32/Zemot family of malware.
We have seen it use the following file names, among others:
The threat can drop a copy of itself under a randomly generated folder and file name, following this pattern:
%APPDATA%\<random letters>\<random letters>.exe
For example:
C:\Documents and Settings\Administrator\Application Data\Wuqiowciemequ\anpow.exe
Some variants may also drop a copy using a randomly generated filename in the <system folder>.
Some variants make the following changes to the registry to ensure that they run each time you start your PC:
In subkey: HKCU\Software\Microsoft\Windows\Currentversion\Run
In subkey: HKLM\Software\Microsoft\Windows\Currentversion\Run
Sets value: "<random number>", for example "2772969301"
With data: "<location and file name of the dropped file>", for example "%APPDATA%\Wuqiowciemequ\anpow.exe"
The threat creates a scheduled task named "Security Center Update - <random nine numbers>" to ensure that it runs regularly.
It also modifies the following registry entry, which holds the startup command line of the Windows subsystem (csrss.exe), to avoid the display of certain errors, such as "Out of memory" errors:
In subkey: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems
Sets value: "Windows"
With data: "<system folder>\csrss.exe objectdirectory=\windows sharedsection=1024,1536,512 windows=on subsystemtype=windows serverdll=basesrv,1 serverdll=winsrv:userserverdllinitialization,3 serverdll=winsrv:conserverdllinitialization,2 profilecontrol=off maxrequestthreads=16"
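The three persistence artifacts above (a numeric Run-key value pointing at a random-letter folder under the roaming profile, the "Security Center Update - <nine digits>" scheduled task, and the rewritten SubSystems\Windows value) are all cheap to hunt for. The script below is an added example, not code from the original analysis: it applies those patterns to Run-key values, a list of task names and a subsystem startup string. Every SAMPLE_* input is constructed for the demonstration (only the HKCU entry reproduces the page's example), and CLEAN_BASELINE is a constructed placeholder; in practice, feed it a registry export and the output of schtasks, and capture the baseline from a known-clean host of the same OS build.

```python
"""Hunt for the Win32/Zbot persistence artifacts listed above: Run-key values,
scheduled task names and the SubSystems\\Windows rewrite. Added example with
constructed sample data; the indicator patterns come from the page."""
import re

# Value names under Run that are nothing but digits, e.g. "2772969301".
NUMERIC_NAME = re.compile(r"^\d+$")
# Dropped-file path: a random-letter folder and a random-letter .exe under the
# roaming profile, in the %APPDATA% form or either expanded form.
DROPPED_PATH = re.compile(
    r"(?:%APPDATA%|\\Application Data|\\AppData\\Roaming)\\[A-Za-z]+\\[A-Za-z]+\.exe$",
    re.IGNORECASE,
)
# Scheduled task name: "Security Center Update - " followed by exactly nine digits.
TASK_NAME = re.compile(r"^Security Center Update - \d{9}$")

# Constructed sample: the HKCU entry reproduces the page's example; the HKLM "anpow"
# entry uses the expanded XP-style path; the other two are benign.
SAMPLE_RUN_VALUES = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
        "2772969301": r"%APPDATA%\Wuqiowciemequ\anpow.exe",
    },
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {
        "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
        "anpow": r"C:\Documents and Settings\Administrator\Application Data\Wuqiowciemequ\anpow.exe",
    },
}
SAMPLE_TASKS = [
    "MicrosoftEdgeUpdateTaskMachineCore",
    "Security Center Update - 481923047",   # constructed nine-digit suffix
    "Security Center Update - 12",          # wrong digit count: must not be flagged
]
# The modified value as the page reports it, with <system folder> filled in as
# %SystemRoot%\system32 so the sample is a complete string.
SAMPLE_SUBSYSTEMS_WINDOWS = (
    r"%SystemRoot%\system32\csrss.exe objectdirectory=\windows sharedsection=1024,1536,512 "
    "windows=on subsystemtype=windows serverdll=basesrv,1 "
    "serverdll=winsrv:userserverdllinitialization,3 "
    "serverdll=winsrv:conserverdllinitialization,2 profilecontrol=off maxrequestthreads=16"
)
# Constructed placeholder baseline (NOT an authoritative default): capture the real
# value from a clean host of the same OS build. Only SharedSection differs here.
CLEAN_BASELINE = SAMPLE_SUBSYSTEMS_WINDOWS.replace(
    "sharedsection=1024,1536,512", "sharedsection=1024,3072,512"
)


def find_run_key_indicators(run_keys):
    """Return (subkey, value name, data, reasons) for every suspicious Run entry."""
    hits = []
    for subkey, values in run_keys.items():
        for name, data in values.items():
            reasons = []
            if NUMERIC_NAME.match(name):
                reasons.append("numeric value name")
            if DROPPED_PATH.search(data.strip('"')):
                reasons.append("random-letter folder under the roaming profile")
            if reasons:
                hits.append((subkey, name, data, tuple(reasons)))
    return hits


def find_task_indicators(task_names):
    """Task names matching the Zbot naming scheme."""
    return [name for name in task_names if TASK_NAME.match(name)]


def parse_subsystem_string(value):
    """Split the csrss.exe startup string into {parameter: [values]}; repeated
    parameters such as serverdll keep every occurrence, in order."""
    params = {}
    for token in value.split():
        key, sep, val = token.partition("=")
        if not sep:                      # the bare image path has no '='
            key, val = "image", key
        params.setdefault(key.lower(), []).append(val.lower())
    return params


def diff_subsystems_windows(observed, baseline):
    """Parameters whose values differ from the baseline: {param: (baseline, observed)}."""
    obs, base = parse_subsystem_string(observed), parse_subsystem_string(baseline)
    return {
        key: (base.get(key), obs.get(key))
        for key in sorted(set(obs) | set(base))
        if obs.get(key) != base.get(key)
    }


def hunt(run_keys=SAMPLE_RUN_VALUES, tasks=SAMPLE_TASKS,
         subsystems_value=SAMPLE_SUBSYSTEMS_WINDOWS, baseline=CLEAN_BASELINE):
    """Run all three checks and return the findings as one report."""
    return {
        "run_keys": find_run_key_indicators(run_keys),
        "tasks": find_task_indicators(tasks),
        "subsystems": diff_subsystems_windows(subsystems_value, baseline),
    }


if __name__ == "__main__":
    for section, findings in hunt().items():
        print(section, findings)
```

The Run-key check reports each reason separately, so an entry that only matches on the path (the HKLM "anpow" sample) is still surfaced, while a numeric value name alone is enough to warrant a look. The subsystem comparison diffs individual parameters rather than the whole string, so a legitimate difference between OS builds shows up as a named parameter instead of a blanket mismatch.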
We have seen Zbot involved in click-fraud operations. It connects to command-and-control (C&C) servers to receive instructions from the click-fraud operator. Some of the servers it is known to connect to are:
Once connected, Zbot receives instructions specifying which affiliate company is to benefit from the fraudulent clicks.
We have seen the threat generate clicks for the following URLs:
Analysis by Patrick Estavillo