Trojan:Win32/Zbot.CX is a password-stealing trojan with remote access functionality. This trojan may inject code into running processes and download files from a predefined web site. Win32/Zbot.CX may have been distributed in a spam e-mail message.
Installation
This trojan may have arrived within an e-mail message that was sent in a spam distribution. Below is an example of a spammed e-mail that may have been used for this purpose:
From: [spoofed]
Subject: Tilgungsvertrag (German for "repayment agreement")
Attachment: Rechnung.rar
Message Body:
Dear customer!
Your direct debit order no. 337450487376 has been completed.
An amount of 7772.00 EURO has been debited and will appear on your bank statement as "Paypalabbuchung ".
You will find the details of the invoice in the attachment
PayPal (Europe) S.à r.l. & Cie, S.C.A.
22-24 Boulevard Royal
L-2449 Luxembourg
Authorized representative: Brent Bellm
Commercial register number: R.C.S. Luxembourg B 118 349
The attachment 'Rechnung.rar' is a RAR archive containing an executable named '1406\sconfig_crypt.exe'. The executable uses the Microsoft Word document file icon. The use of this icon is an attempt to entice users into opening the file by double-clicking it.
When executed, the trojan copies itself to <system folder>\ntos.exe and modifies the registry to execute this file at each Windows start:
Adds value: "userinit"
With data: "<system folder>\userinit.exe,<system folder>\ntos.exe,"
To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
When 'ntos.exe' executes, it injects code into the running process 'winlogon.exe'. The code injected into WINLOGON.EXE in turn injects code into 'svchost.exe', where it is then executed.
The code injected into SVCHOST.EXE may drop the following files:
<system folder>\config\sysevent.evt
<system folder>\wsnpoem\audio.dll
Payload
Disables Windows Firewall
The trojan may disable the Windows firewall by making the following registry modification:
Modifies value: "EnableFirewall"
With data: "0"
Within subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
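The following script is an added triage example written for this entry; it is not code from the encyclopedia or from the malware. It checks the three host artifacts described above (the extra executable appended to the Winlogon "userinit" value, "EnableFirewall" set to 0 in the StandardProfile key, and listeners on the three TCP ports listed for this sample). The parsing and decision logic is pure Python so it runs offline on constructed sample data; the live registry and netstat readers are only invoked on a Windows host. The port list is the one given in the entry and is a hint for this sample only, since other variants may choose other ports.

```python
"""Triage checks for the Win32/Zbot.CX persistence, firewall and port
artifacts. Added example, not the encyclopedia's own tooling."""
import os
import re
import subprocess
import sys

# A default Winlogon Userinit value holds only userinit.exe.
EXPECTED_USERINIT = {"userinit.exe"}

# TCP ports reported for this sample in the entry text (hint, not a rule).
KNOWN_ZBOT_PORTS = {12880, 36194, 37004}

WINLOGON_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
FIREWALL_KEY = (r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
                r"\FirewallPolicy\StandardProfile")

# Constructed sample data mirroring the values described in the entry.
SAMPLE_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,"
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12880          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:36194          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:37004          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1043      203.0.113.5:80         ESTABLISHED
"""


def parse_userinit(value):
    """Split the comma-separated Userinit value; the trailing comma that
    both clean systems and the trojan leave behind yields an empty entry
    that is dropped."""
    return [e.strip() for e in value.split(",") if e.strip()]


def unexpected_userinit_entries(value):
    """Return every Userinit entry whose file name is not userinit.exe.
    Only the file name is compared because the folder (<system folder>)
    varies per installation."""
    bad = []
    for entry in parse_userinit(value):
        name = os.path.basename(entry.replace("\\", "/")).lower()
        if name not in EXPECTED_USERINIT:
            bad.append(entry)
    return bad


def firewall_disabled(enable_firewall_value):
    """True when the REG_DWORD EnableFirewall value is 0."""
    try:
        return int(enable_firewall_value) == 0
    except (TypeError, ValueError):
        return False


def listening_tcp_ports(netstat_text):
    """Extract local TCP ports in LISTENING state from 'netstat -an' output."""
    ports = set()
    for line in netstat_text.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def suspicious_ports(netstat_text):
    """Listening ports that match the sample's known port list."""
    return sorted(listening_tcp_ports(netstat_text) & KNOWN_ZBOT_PORTS)


def triage(userinit_value, enable_firewall_value, netstat_text):
    """Combine the three checks into one findings dictionary."""
    return {
        "userinit_extra": unexpected_userinit_entries(userinit_value),
        "firewall_disabled": firewall_disabled(enable_firewall_value),
        "zbot_ports_listening": suspicious_ports(netstat_text),
    }


def read_live_values():
    """Read the real values on a Windows host (winreg + netstat -an)."""
    import winreg  # only available on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as k:
        userinit = winreg.QueryValueEx(k, "Userinit")[0]
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, FIREWALL_KEY) as k:
        enable_fw = winreg.QueryValueEx(k, "EnableFirewall")[0]
    netstat = subprocess.run(["netstat", "-an"], capture_output=True,
                             text=True, check=False).stdout
    return userinit, enable_fw, netstat


if __name__ == "__main__":
    if sys.platform == "win32":
        print(triage(*read_live_values()))
    else:
        print(triage(SAMPLE_USERINIT, 0, SAMPLE_NETSTAT))
```

A non-empty "userinit_extra" list is the strongest of the three signals: any executable besides userinit.exe in that value is loaded at every logon and deserves inspection regardless of which malware family planted it.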
Opens TCP Ports
The trojan may open and await connections on at least three TCP ports, as in the following examples:
TCP port 12880
TCP port 36194
TCP port 37004
Captures Internet Banking Credentials
Win32/Zbot.CX may capture logon credentials for one or more Internet banking Web sites. The sites targeted are predefined by the trojan author. Captured credentials may be retrieved by an attacker via open TCP ports established by the trojan.
Additional Information
The trojan makes a number of additional registry modifications:
Adds value: "UID"
With data: "<machine specific>"
To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Network
Adds value: "{F710FA10-2031-3106-8872-93A2B5C5C620}"
With data: "÷ò"
To subkey: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
Adds value: "{F710FA10-2031-3106-8872-93A2B5C5C620}"
With data: "÷ò"
To subkey: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{35106240-D2F0-DB35-716E-127EB80A0299}
Analysis by Patrick Nolan