PWS:Win32/Zbot.gen!Y


Microsoft security software detects and removes this threat.
 
This threat is a generic detection for password stealer and remote access trojans. These trojans can steal your sensitive information, download and run files, and give a malicious hacker access and control of your PC.

They are part of the Win32/Zbot family.
 
These threats are usually installed by other malware and via infected removable drives or spam emails.
 


What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Additional recovery steps

This threat tries to steal your sensitive and confidential information. If you think your information has been stolen, see:

You should change your passwords after you've removed this threat:

This threat might make lasting changes to your PC's settings that won't be restored when it's cleaned. The following steps can help change these settings back to what you want:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

These trojans are often installed by other malware. In the wild, some variants were observed bundled with an exploit detected as Exploit:Win32/CplLnk.B. The trojan could be sent as an attachment to a spammed email message such as in the following examples:



Example 1:

From: <delivery@dhl.com>
To: <recipient>
Date: 12/3/2010 4:53:46 AM
Subject: DHL Failure Delivery Notification Message
Attachment: "SN_122010.zip" (contains "kss.exe")

Example 2:

Example 3:

From: <jim.larkin@careerbuilder.com>
To: <recipient>
Date: 11/29/2010 2:12:31 PM
Subject: Re: invoice
Attachment: "invoice.zip" (contains "invoice.scr")

Here is the invoice you requested

Thank you,

Jim Larkin

Careerbuilder Customer Care Department

When it runs, PWS:Win32/Zbot.gen!Y drops a modified copy of itself as a randomly named file:

%APPDATA%\<random letters>\<random letters>.exe

For example:

c:\Documents and Settings\Administrator\Application Data\dopyq\ruro.exe

The registry is modified to run the malware each time you start your computer:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "{GUID of Windows volume}"
With data: "%APPDATA%\<random letters>\<random letters>.exe"

If running within a terminal server session, the trojan drops and runs a copy of itself as a randomly named file into one of the following folders:

  • <drive:>\documents and settings\default user\
  • <drive:>\users\default\
  • <drive:>\documents and settings\<user name>\
  • <drive:>\users\<user name>\

The malware injects code into the address space of the following processes to hide itself from security software:

  • ctfmon.exe
  • explorer.exe
  • rdpclip.exe
  • taskeng.exe
  • taskhost.exe
  • winlogon.exe
  • wscntfy.exe

In newer variants, instead of selecting processes, PWS:Win32/Zbot.gen!Y injects code into the address space of all running processes matching the privilege of the currently logged on user. For example, if you are logged on as an administrator, the trojan will inject its code into all administrator-level processes, such as "winlogon.exe", "smss.exe" and so on.

Otherwise, the trojan will inject its code into all user-level processes, such as "explorer.exe", "iexplore.exe" and so on.

PWS:Win32/Zbot.gen!Y also hooks the following Windows system APIs to help it steal sensitive information:

  • BeginPaint
  • CallWindowProcA
  • CallWindowProcW
  • closesocket
  • DefDlgProcA
  • DefDlgProcW
  • DefFrameProcA
  • DefFrameProcW
  • DefMDIChildProcA
  • DefMDIChildProcW
  • DefWindowProcA
  • DefWindowProcW
  • EndPaint
  • GetCapture
  • GetClipboardData
  • GetCursorPos
  • GetDC
  • GetDCEx
  • GetFileAttributesExW
  • GetMessageA
  • GetMessagePos
  • GetMessageW
  • GetUpdateRect
  • GetUpdateRgn
  • GetWindowDC
  • HttpQueryInfoA
  • HttpSendRequestA
  • HttpSendRequestExA
  • HttpSendRequestExW
  • HttpSendRequestW
  • InternetCloseHandle
  • InternetQueryDataAvailable
  • InternetReadFile
  • InternetReadFileExA
  • OpenInputDesktop
  • PeekMessageA
  • PeekMessageW
  • PFXImportCertStore
  • RegisterClassA
  • RegisterClassExA
  • RegisterClassExW
  • RegisterClassW
  • ReleaseCapture
  • ReleaseDC
  • send
  • SetCapture
  • SetCursorPos
  • SwitchDesktop
  • TranslateMessage
  • WSASend

PWS:Win32/Zbot.gen!Y hooks the following additional APIs to support Firefox:

  • PR_Close
  • PR_OpenTCPSocket
  • PR_Read
  • PR_Write

Payload

Infects files

PWS:Win32/Zbot.gen!Y can attempt to infect executable files so that it can then infect other PCs that use infected removable, fixed, shared or remote drives. The trojan has been observed infecting files in the following locations:

  • <drive:>\documents and settings\<user name>\application data\
  • <drive:>\users\<user name>\appdata\roaming\
  • <drive:>\program files\
  • <drive:>\program files (x86)\
  • %windir%\system32\

Infected files are detected as Virus:Win32/Zbot.B or Virus:Win32/Zbot.C.

Steals sensitive information

The trojan collects FTP credentials (IP, port, user name, and passwords) from the following FTP software:

  • CoreFTP
  • FAR/FAR2
  • FileZilla
  • FlashFXP
  • FTP Commander
  • SmartFTP
  • Total Commander
  • winscp
  • ws_ftp

PWS:Win32/Zbot.gen!Y steals the following sensitive information from your PC:

  • Digital certificates
  • Internet Explorer cookies
  • Stored passwords

The trojan also logs keystrokes and gets a snapshot of your PC.

Steals Outlook Mail credentials

If running on Windows XP and below, PWS:Win32/Zbot.gen!Y uses COM libraries "msoeacct.dll" and "wab32.dll" to capture Outlook Mail details, such as:

  • Account name
  • Email address
  • Server
  • User name
  • Password

The DLL files are searched in the directory defined in the registry key below:

HKLM\SOFTWARE\Microsoft\WAB\DLLPath\

Otherwise, if running on Windows Vista and above, the trojan captures the credentials by parsing the email folder, specified in this registry subkey:

HKCU\SOFTWARE\Microsoft\Windows Mail\Store Root\

Steals "Full Tilt Poker" credentials

PWS:Win32/Zbot.gen!Y can capture logon credentials for the online gaming program "Full Tilt Poker". The trojan resets logon data by deleting the following registry value:

HKCU\Software\Full Tilt Poker\UserInfo\UserName

The trojan then monitors for logon activity for the game, and captures any credentials you use.

Lowers Internet Explorer web browser security

PWS:Win32/Zbot.gen!Y lowers Internet Explorer web browser security settings by making the following changes to the registry:

Disables phishing filtering:

In subkey: HKCU\Software\Microsoft\Internet Explorer\PhishingFilter
Sets value: "Enabled"
With data: "0"
Sets value: "EnabledV8"
With data: "0"

Prevents the removal of expired Internet Explorer browser cookies:

In subkey: HKCU\Software\Microsoft\Internet Explorer\Privacy
Sets value: "CleanCookies"
With data: "0"

Lowers Internet Explorer Internet zone security settings:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
Sets value: "1609"
With data: "0"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Sets value: "1406"
With data: "0"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Sets value: "1609"
With data: "0"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Sets value: "1406"
With data: "0"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
Sets value: "1406"
With data: "0"
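
As an added example that is not part of this Microsoft entry: a small Python check that reads a .reg export and flags the Run-key persistence described under Installation together with the Internet Explorer settings listed above. The subkey and value names come from this entry; the sample export, its GUID, user name and paths are constructed.

```python
import re
# Constructed .reg export (not from a real host) reproducing the changes listed
# above, plus a benign Run entry that must not be flagged.
SAMPLE_REG = r"""[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
"Enabled"=dword:00000000
"EnabledV8"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy]
"CleanCookies"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1406"=dword:00000000
"1609"=dword:00000003
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"{7f3a2c10-1b2d-4e5f-8a90-123456789abc}"="C:\\Users\\alice\\AppData\\Roaming\\dopyq\\ruro.exe"
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"""

IE = r"hkcu\software\microsoft\internet explorer"
ZONES = r"hkcu\software\microsoft\windows\currentversion\internet settings\zones"
ZEROED = {IE + r"\phishingfilter": ("enabled", "enabledv8"), IE + r"\privacy": ("cleancookies",)}  # values the entry sets to 0
GUID_NAME = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)  # "{GUID of Windows volume}"
APPDATA_EXE = re.compile(r"\\appdata\\roaming\\[a-z]+\\[a-z]+\.exe$", re.I)  # %APPDATA%\<letters>\<letters>.exe

def parse_reg(text):
    """Return {subkey_lower: {value_name_lower: raw_data}} from a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].replace("HKEY_CURRENT_USER", "HKCU").lower()
            keys[current] = {}
        elif current is not None and line.startswith('"') and '"=' in line:
            name, _, data = line[1:].partition('"=')
            keys[current][name.lower()] = data
    return keys

def find_indicators(text):
    """List the weakened IE settings and suspicious Run entries found in the export."""
    hits = []
    for key, values in parse_reg(text).items():
        parent, _, leaf = key.rpartition("\\")
        names = ZEROED.get(key, ())
        if parent == ZONES and leaf in set("01234"):   # Internet zones 0-4
            names = ("1406", "1609")
        hits += [f"{key}\\{n} = 0" for n in names if values.get(n) == "dword:00000000"]
        if leaf == "run" and parent.endswith(r"\currentversion"):
            for name, data in values.items():
                path = data.strip('"').replace("\\\\", "\\")  # undo .reg backslash escaping
                if GUID_NAME.match(name) and APPDATA_EXE.search(path):
                    hits.append(f"run value {name} -> {path}")
    return hits
```

A match on the Run value alone is the strongest signal; the zeroed dwords can also be set by policy, so treat them as corroborating evidence rather than proof of infection.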

Lowers Firefox web browser security

PWS:Win32/Zbot.gen!Y can modify settings for the web browser Mozilla Firefox including the following:

  • Disable the clearing of Internet cookies
  • Disable the display of warning messages when viewing mixed secured and unsecure webpages
  • Disable the display of warning messages when submitting data to unsecure pages

Allows remote access and control

PWS:Win32/Zbot.gen!Y allows varying degrees of remote access and control, depending on the information in the configuration file.

The trojan could perform, but is not limited to, any of the following actions:

  • Reboot/shut down your computer
  • Uninstall Zbot
  • Update Zbot and its configuration file
  • Search and remove files and directories
  • Log you off your computer
  • Run a program
  • Steal or delete Internet Explorer cookies
  • Steal or delete certificates
  • Block or unblock URLs
  • Change the Internet Explorer homepage
  • Steal your FTP credentials
  • Steal your email login credentials
  • Steal your Flash Player credentials

Downloads files

PWS:Win32/Zbot.gen!Y hooks APIs used by Internet Explorer and Mozilla Firefox to steal login credentials when you visit certain websites. Earlier variants of PWS:Win32/Zbot.gen!Y downloaded a configuration file from a remote server (for example, "dairanet.cn") and sent captured data to a predefined FTP or email server.

Newer variants of this malware generate up to 1020 pseudo-randomly named domains and attempt connections with the generated list to download a configuration file. The generated domain names are based on your computer's date and time and have one of the following suffixes:

  • .biz
  • .com
  • .info
  • .net
  • .org

The configuration file contains data used by the malware such as the following:

  • URL to download updates for PWS:Win32/Zbot.gen!Y
  • URL for additional configuration data files to download
  • Version number of the bot that distributes the malware
  • URL of targeted online financial institutions
  • HTML and JavaScript code for parsing target webpages

Analysis by Rodel Finones


Symptoms

Alerts from your security software may be the only symptom.


Prevention


Alert level: Severe
First detected by definition: 1.79.199.0
Latest detected by definition: 1.199.1603.0 and higher
First detected on: Mar 19, 2010
This entry was first published on: Aug 06, 2010
This entry was updated on: Sep 14, 2014

This threat is also detected as:
  • TR/PSW.Zbot.130560.Y (Avira)
  • Gen:Variant.Zbot.13 (BitDefender)
  • Win32/Spy.Zbot.YW (ESET)
  • Trojan-Spy.Win32.Zbot (Ikarus)
  • Packed.Win32.Krap.hm (Kaspersky)
  • Troj/Zbot-UW (Sophos)
  • TrojanSpy.Zbot.AGZW (VirusBuster)
  • Zeus (other)
  • Zbot (other)