PWS:Win32/Zbot.M is a password-stealing trojan that contains limited backdoor functionality. It is capable of stealing login credentials for particular sites, cached passwords, and information contained in certificates and cookies. It is often distributed as an attachment to spam e-mail messages.
Installation
PWS:Win32/Zbot.M may arrive on the system as an attachment to a spammed e-mail, with a filename such as 'UPS_NR1.zip' (containing 'UPS_NR1.exe') or 'UPS_NNR01.zip', as in the following example:
From: <spoofed>
To: <recipient email address>
Subject: Postal Tracking #7GX6V206588M3KY
Attachment: UPS_NR1.zip (contains UPS_NR1.exe and is detected as PWS:Win32/Zbot.M)
Message Body:
Hello!
We were not able to deliver postal package you sent on the 14th of March in time because the recipient’s address is not correct.. Please print out the invoice copy attached and collect the package at our office.
Your United Parcel Service of America
Note that the attachment 'UPS_NR1.zip' is a ZIP archive containing an executable named 'UPS_NR1.exe'. The executable uses the Compiled HTML Help file icon; this icon is used to entice users into opening the file by double-clicking it. Upon execution of the executable within the archive, the trojan drops a copy of itself as the following:
<system folder>\sdra64.exe
The registry is modified to execute the dropped copy at each Windows start.
Adds value: "userinit"
With data: "<system folder>\userinit.exe,<system folder>\sdra64.exe,"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
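As an added example (not part of the original analysis), the following Python check parses a Winlogon Userinit value and reports every entry other than the legitimate userinit.exe, which is how the persistence entry above would stand out. The sample values are constructed, and <system folder> is assumed to be C:\Windows\System32.

```python
"""Flag unexpected entries in the Winlogon 'Userinit' value.

Zbot.M persists by appending its dropped copy to the comma-separated
Userinit data, so Winlogon launches it at each logon alongside the real
userinit.exe. This check parses such a value offline; the sample values
at the bottom are constructed for illustration.
"""
import ntpath

# Assumption: the system folder is the default System32 location.
SYSTEM_FOLDER = r"C:\Windows\System32"
WINLOGON_SUBKEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"


def parse_userinit(value):
    """Split the Userinit data on commas and drop the trailing empty
    element produced by the comma Windows itself writes ('...exe,')."""
    return [e.strip() for e in value.split(",") if e.strip()]


def unexpected_userinit_entries(value, system_folder=SYSTEM_FOLDER):
    """Return each Userinit entry that is not the legitimate userinit.exe.

    A clean value yields an empty list. Matching is case-insensitive and
    also accepts a bare 'userinit.exe', which Windows resolves itself."""
    expected = ntpath.join(system_folder, "userinit.exe").lower()
    return [e for e in parse_userinit(value)
            if e.lower() not in (expected, "userinit.exe")]


def read_live_userinit():
    """Read the live value from HKLM on Windows; returns None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_SUBKEY) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


# Constructed samples: the default Windows data, and the data described
# in the analysis above with <system folder> filled in.
CLEAN_VALUE = r"C:\Windows\System32\userinit.exe,"
INFECTED_VALUE = r"C:\Windows\System32\userinit.exe,C:\Windows\System32\sdra64.exe,"

if __name__ == "__main__":
    for label, value in (("clean", CLEAN_VALUE), ("infected", INFECTED_VALUE)):
        extra = unexpected_userinit_entries(value)
        print(f"{label}: {'OK' if not extra else 'SUSPICIOUS: ' + '; '.join(extra)}")
```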
When 'sdra64.exe' executes, it injects code and creates a remote thread in the running process 'WINLOGON.EXE'. The code injected into 'WINLOGON.EXE' then injects further code into other running processes such as the following:
- svchost.exe
- smss.exe
- services.exe
- lsass.exe
- explorer.exe
Payload
Steals Sensitive Data
PWS:Win32/Zbot.M attempts to steal the following sensitive information from the system:
- certificates
- cached passwords
- cookies
It also creates the following encrypted log file under a hidden directory:
<system folder>\lowsec\user.ds
Backdoor Functionality
PWS:Win32/Zbot.M may download a configuration file from the Internet website 'finksayq.ru' at TCP port 80 for additional instructions from a remote attacker.
Additional Information
PWS:Win32/Zbot.M may make additional registry changes including the following:
Adds value: "UID"
With data: "<machine specific>"
To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Network
Analysis by Wei Li