PWS:Win32/Zbot.QW is a trojan that steals user names and passwords for various Internet and FTP accounts. It may also allow a remote attacker to gain backdoor access and control of the affected system. It can bypass the system firewall and apply stealth mechanisms to avoid detection.
Installation
PWS:Win32/Zbot.QW may be downloaded and opened (or run) when a computer user clicks a hyperlink within a spammed e-mail message. The message contains references to vaccinations against the H1N1 virus, with additional information from the "Centers for Disease Control" (CDC). The link may point to an executable hosted on a remote site named "vacc_profile.exe". In one example, the remote site is named "online.cdc.gov.yhnbak.org.im". The real CDC website domain is "cdc.gov".
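The lure above works because "online.cdc.gov.yhnbak.org.im" contains the string "cdc.gov" while its registrable domain is something else entirely. The following helper, added here as an illustration and not part of the Microsoft write-up, shows the check a mail filter or analyst can apply: a host belongs to a domain only if its label sequence ends with that domain, so substring matches and userinfo tricks are rejected. The sample links are constructed for the example.

```python
"""Added example: does a link's host really belong to the claimed sender domain?"""
from typing import List
from urllib.parse import urlsplit

# Constructed sample links modelled on the lure described in the write-up.
SAMPLE_LINKS = [
    "http://online.cdc.gov.yhnbak.org.im/vacc_profile.exe",  # lookalike host from the write-up
    "https://www.cdc.gov/h1n1flu/",                          # genuine subdomain (constructed path)
    "http://cdc.gov@evil.example/vacc_profile.exe",          # 'cdc.gov' is only userinfo here
    "CDC.GOV.",                                              # bare host, trailing dot, odd case
]


def extract_host(link: str) -> str:
    """Return the lower-cased host of a URL or bare hostname.

    urlsplit().hostname discards userinfo ('cdc.gov@') and the port, so the
    value compared below is the name the browser would actually resolve.
    """
    if "://" not in link:
        link = "http://" + link          # treat a bare name as a URL
    host = urlsplit(link).hostname or ""
    return host.rstrip(".").lower()      # drop a trailing dot (FQDN form)


def host_belongs_to(link: str, expected_domain: str) -> bool:
    """True only if the host equals expected_domain or is a subdomain of it.

    'online.cdc.gov.yhnbak.org.im' ends with 'org.im', not '.cdc.gov', so the
    label-boundary test rejects it even though it contains 'cdc.gov'.
    """
    host = extract_host(link)
    expected = expected_domain.rstrip(".").lower()
    return host == expected or host.endswith("." + expected)


def is_executable_download(link: str) -> bool:
    """Flag links whose path ends in .exe, as 'vacc_profile.exe' does."""
    if "://" not in link:
        link = "http://" + link
    return urlsplit(link).path.lower().endswith(".exe")


def triage_links(links: List[str], expected_domain: str) -> List[str]:
    """Return the links that do not belong to expected_domain or that point
    directly at an executable; these are the ones worth blocking or reviewing."""
    return [
        link for link in links
        if not host_belongs_to(link, expected_domain) or is_executable_download(link)
    ]


if __name__ == "__main__":
    for link in triage_links(SAMPLE_LINKS, "cdc.gov"):
        print("suspicious:", link)
```

Only `https://www.cdc.gov/h1n1flu/` and `CDC.GOV.` pass the domain test, and the first lookalike link is flagged twice over (wrong domain and a direct .exe download).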
When run, PWS:Win32/Zbot.QW creates a mutex named '_AVIRA_21099' to ensure that only one instance of itself is running at any given time. It is copied into the system as the following file with the attributes 'hidden', 'system' and 'archive':
- <system folder>\sdra64.exe
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
It then modifies the system registry so that it automatically runs every time Windows starts:
Adds value: "userinit"
With data: "<system folder>\userinit.exe, <system folder>\sdra64.exe"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
It also creates the following registry entry as part of its installation routine:
Adds value: "UID"
With data: "avm<machine specific ID>"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Network
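The Winlogon 'Userinit' value normally holds only '<system folder>\userinit.exe,'; anything appended after the comma is launched by winlogon.exe at every logon, which is exactly how sdra64.exe persists. The script below is an added triage helper, not part of the Microsoft write-up: it lists every non-default Userinit entry and checks whether the Network\UID value carries the 'avm' prefix the write-up describes. The registry read uses the standard winreg module and only runs on Windows; elsewhere the script falls back to constructed sample values so the logic can be exercised off-box (the 'avm0123456789' UID is a placeholder, not an observed value).

```python
"""Added triage helper: non-default Winlogon Userinit entries and the Zbot.QW UID marker."""
import ntpath   # parses Windows paths correctly even when run on a non-Windows analyst box
import sys
from typing import List, Optional, Tuple

# Registry locations named in the write-up (both under HKLM).
WINLOGON_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
NETWORK_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Network"


def split_userinit(value: str) -> List[str]:
    """Split the comma-separated Userinit value into its command entries.
    Empty entries (the stock value ends with a comma) and padding are ignored."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def suspicious_userinit_entries(value: str) -> List[str]:
    """Return every Userinit entry whose executable is not userinit.exe.

    With the value from the write-up this yields '<system folder>\\sdra64.exe';
    a clean machine yields an empty list.
    """
    flagged = []
    for entry in split_userinit(value):
        exe_name = ntpath.basename(entry.strip('"')).lower()
        if exe_name != "userinit.exe":
            flagged.append(entry)
    return flagged


def uid_looks_like_zbot(uid_value: str) -> bool:
    """The write-up reports a Network\\UID value of the form 'avm<machine specific ID>'."""
    return uid_value.lower().startswith("avm")


def read_local_registry() -> Tuple[str, Optional[str]]:
    """Windows only: return (Userinit value, UID value or None)."""
    import winreg  # standard library on Windows; not available elsewhere
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        userinit, _ = winreg.QueryValueEx(key, "Userinit")
    uid = None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, NETWORK_KEY) as key:
            uid, _ = winreg.QueryValueEx(key, "UID")
    except OSError:
        pass  # value absent on a clean system
    return userinit, uid


if __name__ == "__main__":
    if sys.platform == "win32":
        userinit, uid = read_local_registry()
    else:
        # Constructed sample values mirroring the write-up, for off-box testing.
        userinit = r"C:\Windows\System32\userinit.exe, C:\Windows\System32\sdra64.exe"
        uid = "avm0123456789"  # placeholder, not a real observed ID
    for entry in suspicious_userinit_entries(userinit):
        print("non-default Userinit entry:", entry)
    if uid and uid_looks_like_zbot(uid):
        print("Network\\UID matches the reported 'avm' prefix:", uid)
```

Because the value is read under HKLM, run the script from an elevated prompt on the machine being triaged; a non-empty Userinit list is a strong indicator on its own, since legitimate software has no reason to add itself there.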
Payload
Modifies system settings
PWS:Win32/Zbot.QW may modify the system registry so that the file 'autoexec.bat' is parsed whenever Windows starts. Note that this is the default setting.
Adds value: "ParseAutoexec"
With data: "1"
To subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Bypasses firewall applications
When executed, PWS:Win32/Zbot.QW searches for the following applications associated with firewall and Internet protection:
- outpost.exe - Outpost Personal Firewall
- zlclient.exe - ZoneLabs Firewall Client
It then creates the pipe '\\.\pipe\_AVIRA_2109' to bypass the above firewall applications and allow an attacker remote access.
Avoids detection
PWS:Win32/Zbot.QW injects code into the running process 'winlogon.exe', which in turn injects code into other processes, such as the following:
- alg.exe
- explorer.exe
- lsass.exe
- msiexec.exe
- services.exe
- smss.exe
- spoolsv.exe
- svchost.exe
- winlogon.exe
- wmiprvse.exe
By injecting its malicious routines into already running system processes, the trojan attempts to avoid detection by security-related services and applications. PWS:Win32/Zbot.QW hooks the following APIs to prevent security products from removing its components:
- HttpQueryInfoA
- HttpSendRequestA
- HttpSendRequestExA
- HttpSendRequestExW
- HttpSendRequestW
- InternetCloseHandle
- InternetQueryDataAvailable
- InternetReadFile
- InternetReadFileExA
- NtCreateThread
- NtQueryDirectoryFile
- WSASend
- closesocket
- send
Steals information
PWS:Win32/Zbot.QW connects to the IP address '193.104.41.75' to download a configuration file, which is saved in the system as:
This file contains a list of Web sites that are mostly associated with online banking. Based on the information contained within this file, PWS:Win32/Zbot.QW attempts to steal the following information from the affected system:
- Trusted Web site certificates
- Cached Web browser passwords
- Cookies
- FTP configuration files containing the user names and passwords for certain FTP software, including the following:
  - CoreFTP
  - Far Manager
  - Ipswitch WS_FTP
  - SmartFTP
  - Total Commander (Ghisler)
  - WinSCP
  - FTP Commander
PWS:Win32/Zbot.QW then stores the stolen information to the following file:
Allows remote backdoor access and control
PWS:Win32/Zbot.QW can be instructed to perform certain actions, such as the following, by a remote attacker:
- Rename itself
- Obtain certificates and other stolen information
- Block specified URLs
- Download and execute arbitrary files
- Establish a SOCKS proxy
Some of the downloaded files may be malware. One example in the wild is known to connect to the same IP address as above ('193.104.41.75') to download a file detected as TrojanDropper:Win32/Hipaki.A.
Analysis by Tim Liu