PWS:Win32/Zbot.PM is a trojan password stealer that may bypass installed firewall applications to send captured passwords to an attacker. It also contains limited backdoor functionality that allows unauthorized access to and control of an affected machine.
Installation
In the wild, PWS:Win32/Zbot.PM has been observed distributed as an attachment to spammed e-mail. The e-mail is disguised as a security alert from Microsoft and the attachment may have a file name such as "officexp-KB910721-FullFile-ENU.exe". This trojan may also be encountered and installed when visiting a malicious Web page.
PWS:Win32/Zbot.PM may be downloaded from a malicious Web site disguised as a security alert from Microsoft, as in the following example from the domain 'update.microsoft.com.il1ifi.com.mix':
[Screenshot of the fake Microsoft security alert page not reproduced here.]
When executed, PWS:Win32/Zbot.PM drops a copy of itself as the following:
<system folder>\sdra64.exe
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
It also modifies the registry to execute the trojan every time Windows starts.
Modifies value: "userinit"
With data: "<system folder>\userinit.exe,<system folder>\sdra64.exe,"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
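Because the trojan persists by appending its own path to the Winlogon "Userinit" value, a simple check is to split that value on commas and flag any entry that is not the expected <system folder>\userinit.exe. The following Python is an added defender-side example, not code from the write-up; the sample values are constructed to mirror the data described above, and the helper names are hypothetical.

```python
"""Flag extra executables chained after userinit.exe in the Winlogon 'Userinit' value.

Zbot.PM sets the value to "<system folder>\\userinit.exe,<system folder>\\sdra64.exe,"
so any entry other than the legitimate userinit.exe deserves attention.
"""
import ntpath
import os

LEGIT_USERINIT = "userinit.exe"


def userinit_entries(value):
    """Split the comma-separated Userinit data into non-empty, stripped entries."""
    return [p.strip() for p in value.split(",") if p.strip()]


def suspicious_userinit_entries(value, system_folder=r"C:\Windows\System32"):
    """Return every entry that is not <system folder>\\userinit.exe (case-insensitive)."""
    expected = ntpath.join(system_folder, LEGIT_USERINIT).lower()
    flagged = []
    for entry in userinit_entries(value):
        # Some writers wrap paths in quotes; strip them before comparing.
        if entry.strip('"').lower() != expected:
            flagged.append(entry)
    return flagged


def check_live_userinit():
    """Read the real value on a Windows host (winreg is only available there)."""
    import winreg
    key = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
        value, _ = winreg.QueryValueEx(k, "Userinit")
    system_folder = ntpath.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    return suspicious_userinit_entries(value, system_folder)


# Constructed samples modelled on the registry data described in the write-up.
SAMPLE_INFECTED = r"C:\Windows\System32\userinit.exe,C:\Windows\System32\sdra64.exe,"
SAMPLE_CLEAN = r"C:\Windows\System32\userinit.exe,"

if __name__ == "__main__":
    print(suspicious_userinit_entries(SAMPLE_INFECTED))  # -> ['C:\\Windows\\System32\\sdra64.exe']
    print(suspicious_userinit_entries(SAMPLE_CLEAN))     # -> []
```

On a live host, pair this with a look for the hidden <system folder>\lowsec directory and the "UID" value under the Network subkey noted below.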
When sdra64.exe is executed, it injects code into the running process 'winlogon.exe', which may in turn inject code into other running processes, such as the following:
svchost.exe
smss.exe
lsass.exe
explorer.exe
Payload
Steals Sensitive Information
PWS:Win32/Zbot.PM attempts to steal the following sensitive information:
certificates
cached passwords
cookies
The trojan writes the stolen data into the following encrypted log file under a hidden directory:
<system folder>\lowsec\user.ds
Connects to Remote Web Site to Receive Instructions
PWS:Win32/Zbot.PM may contact the host 91.206.201.6 over TCP port 80 to await instructions from a remote attacker and to send stolen sensitive information.
Additional Information
PWS:Win32/Zbot.PM may make additional registry changes such as the following:
Adds value: "UID"
With data: "<machine specific string>"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Network
Analysis by Wei Li