PWS:Win32/Zbot.QZ is a trojan that steals sensitive user information from the affected computer and from attacker specified websites. It is often distributed through a spammed e-mail message.
Installation
PWS:Win32/Zbot.QZ may be downloaded from malicious Web sites. One known example was available for download from the IP address '193.104.27.42' as the file 'ipc2.exe'. This address may also be distributed via spammed e-mail messages.
PWS:Win32/Zbot.QZ drops a copy of itself into the Windows system folder as '<system folder>\sdra64.exe'.
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP, Vista, and 7.
It then modifies the system registry so that it automatically runs every time Windows starts:
Modifies value: "userinit"
With data: "<system folder>\userinit.exe,<system folder>\sdra64.exe,"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
When run, PWS:Win32/Zbot.QZ creates a mutex, which may have a name such as the following, to ensure that only one instance of itself is running:
It also creates the following registry entry as part of its installation routine:
Adds value: "UID"
With data: "avm<machine specific ID>"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Network
Adds value: "{3039636B-5F3D-6C64-6675-696870667265}"
With data: "÷ò "
To subkey: HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
PWS:Win32/Zbot.QZ may inject its code into the running process 'winlogon.exe', which in turn injects code into other running processes, including the following:
- explorer.exe
- lsass.exe
- services.exe
- svchost.exe
Payload
Modifies system settings
PWS:Win32/Zbot.QZ may modify the system registry so that the file 'autoexec.bat' is parsed whenever Windows starts. Note that this is a default setting.
Adds value: "ParseAutoexec"
With data: "1"
To subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Bypasses firewall applications
PWS:Win32/Zbot.QZ searches for the following installed firewalls:
- Outpost.exe - Outpost Personal Firewall
- Zlclient.exe - ZoneLabs Firewall client
It then creates a named pipe that allows it to bypass these firewalls and an attacker to remotely access the affected computer.
Steals information
PWS:Win32/Zbot.QZ attempts to steal the following sensitive information from the affected computer:
- Trusted Web site certificates
- Cached Web browser passwords
- Cookies
- FTP configuration file containing the user names and passwords for certain FTP applications
It creates the following folder with attributes set to 'System' and 'Hidden':
<system folder>\lowsec
within which it creates the following data files:
- <system folder>\lowsec\local.ds - used to store the encrypted downloaded configuration file
- <system folder>\lowsec\user.ds - used to store the stolen user information
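The persistence and data-store artifacts described in the Installation and Steals information sections can be checked from a triage export. The following script is an added example, not Microsoft's tooling or anything from the write-up: it works on constructed snapshots (the Winlogon Userinit data, the values under the Network subkey, and directory paths with their attribute bitmasks) rather than querying a live registry or file system, so it runs anywhere. The HostSnapshot type, the sample values and the machine ID 'avm0123456789' are assumptions made for the example; the attribute bits are the standard winnt.h values.

```python
from dataclasses import dataclass

# Windows file-attribute bits (winnt.h).
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4
FILE_ATTRIBUTE_DIRECTORY = 0x10

# Default system folders named in the write-up (compared case-insensitively).
SYSTEM_FOLDERS = (r"c:\windows\system32", r"c:\winnt\system32")


@dataclass
class HostSnapshot:
    """Constructed triage export (hypothetical format): only the artifacts needed here."""
    userinit: str          # data of HKLM\...\Winlogon\Userinit
    network_values: dict   # value name -> data under HKLM\...\CurrentVersion\Network
    directories: dict      # directory path -> attribute bitmask


def check_userinit(value: str) -> list:
    """Userinit is a comma-separated list of programs Winlogon runs at logon.
    The only expected entry is <system folder>\\userinit.exe; return every other one."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower().rsplit("\\", 1)[-1] != "userinit.exe"]


def check_uid_value(values: dict) -> bool:
    """The trojan records a machine-specific ID as 'UID' = 'avm<machine specific ID>'.
    Flag a UID value whose data starts with 'avm'."""
    data = values.get("UID")
    return isinstance(data, str) and data.startswith("avm")


def check_lowsec(directories: dict) -> list:
    """Report a 'lowsec' directory directly under a system folder that carries
    both the Hidden and System attributes, as the data-store folder does."""
    hits = []
    for path, attrs in directories.items():
        parent, _, name = path.lower().rpartition("\\")
        if (name == "lowsec" and parent in SYSTEM_FOLDERS
                and attrs & FILE_ATTRIBUTE_HIDDEN and attrs & FILE_ATTRIBUTE_SYSTEM):
            hits.append(path)
    return hits


def triage(snapshot: HostSnapshot) -> list:
    """Run all three checks and return human-readable findings (empty if clean)."""
    findings = []
    for extra in check_userinit(snapshot.userinit):
        findings.append(f"Winlogon\\Userinit has unexpected entry: {extra}")
    if check_uid_value(snapshot.network_values):
        findings.append("Network\\UID value with 'avm' prefix present")
    for path in check_lowsec(snapshot.directories):
        findings.append(f"hidden+system data folder present: {path}")
    return findings


# Constructed snapshots: a clean XP-style host and one matching the write-up.
CLEAN = HostSnapshot(
    userinit=r"C:\Windows\System32\userinit.exe,",
    network_values={},
    directories={r"C:\Windows\System32\drivers": FILE_ATTRIBUTE_DIRECTORY},
)
INFECTED = HostSnapshot(
    userinit=r"C:\Windows\System32\userinit.exe,C:\Windows\System32\sdra64.exe,",
    network_values={"UID": "avm0123456789"},   # constructed machine ID
    directories={
        r"C:\Windows\System32\lowsec":
            FILE_ATTRIBUTE_DIRECTORY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM,
    },
)

if __name__ == "__main__":
    for label, snap in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, triage(snap) or ["no findings"])
```

The Userinit check is deliberately strict: Windows only needs the single userinit.exe entry, so any appended program is worth a look even if it is not sdra64.exe, since the same persistence technique is shared across Zbot variants.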
PWS:Win32/Zbot.QZ connects to the IP address '193.104.27.42' (the same address as in the Installation section) using TCP port 80 to download a configuration file containing instructions from a remote attacker. This file contains a list of bank-related Web sites from which the trojan may try to gather user information. Note that the contents of this file may change at any time.
At the time of this writing, the IP address '193.104.27.42' is not accessible.
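Even though the address was not reachable at the time of writing, historical firewall or proxy logs can show which hosts attempted the configuration download described above. The following is an added example, not part of the write-up: a small parser for a constructed 'key=value' log export that flags every event whose destination is '193.104.27.42' and lists the internal hosts to triage. The log format and the sample lines are assumptions made for the example.

```python
import ipaddress
import re

# Address and port named in the write-up for the configuration-file download.
C2_IP = ipaddress.ip_address("193.104.27.42")
C2_PORT = 80

# Constructed 'key=value' firewall export; field order does not matter to the parser.
LOG_LINES = """\
ts=2010-03-01T10:00:01Z src=10.0.0.5 dst=93.184.216.34 dport=80 action=allow
ts=2010-03-01T10:00:07Z src=10.0.0.5 dst=193.104.27.42 dport=80 action=allow
ts=2010-03-01T10:00:09Z src=10.0.0.7 dst=193.104.27.42 dport=443 action=allow
ts=2010-03-01T10:01:15Z src=10.0.0.9 dst=193.104.27.42 dport=80 action=deny
malformed line
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str):
    """Return a dict of fields for one log line, or None when the mandatory
    fields are missing or dst/dport are not a valid address/port."""
    fields = dict(FIELD_RE.findall(line))
    try:
        fields["dst"] = ipaddress.ip_address(fields["dst"])
        fields["dport"] = int(fields["dport"])
        _ = fields["src"]   # must be present
    except (KeyError, ValueError):
        return None
    return fields


def find_c2_contacts(lines):
    """Yield every parsed event whose destination is the C2 address.
    A different port still counts: the address, not the port, is the indicator,
    so the event is only annotated with whether it used the described port."""
    for raw in lines:
        ev = parse_line(raw)
        if ev and ev["dst"] == C2_IP:
            ev["described_port"] = ev["dport"] == C2_PORT
            yield ev


def hosts_to_triage(lines) -> list:
    """Sorted, de-duplicated internal sources that contacted the address.
    Denied attempts are included: the host still tried, so it is still a lead."""
    return sorted({ev["src"] for ev in find_c2_contacts(lines)})


if __name__ == "__main__":
    for ev in find_c2_contacts(LOG_LINES.splitlines()):
        print(ev["ts"], ev["src"], ev["action"], "described port" if ev["described_port"] else "other port")
    print("hosts to triage:", hosts_to_triage(LOG_LINES.splitlines()))
```

Matching on the address alone, with the port only annotated, avoids missing a host that reached the same server on another port; a denied connection is still evidence that the host holds the trojan, since the trojan, not the user, initiated it.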
Analysis by Wei Li