PWS:Win32/Zbot.SI is a password-stealing trojan. Win32/Zbot also contains backdoor functionality that allows unauthorized access and control of an affected computer.
Installation
PWS:Win32/Zbot.SI may arrive in a spammed e-mail message with a PDF attachment masquerading as a delivery notice from the "Royal Mail", with a file name similar to "Royal_Mail_Delivery_Invoice_1092817.pdf".
The PDF attachment contains an embedded executable Win32/Zbot payload. If the user opens the document with a version of Adobe Reader that is vulnerable to a certain software flaw and clicks through a series of dialog boxes, that flaw could be exploited to make the document launch the embedded executable automatically.
Upon execution, the trojan drops a copy of itself in the system as:
- <system folder>\sdra64.exe
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
It then modifies the registry to execute this file at each Windows start.
Modifies value: "userinit"
With data: "<system folder>\userinit.exe,<system folder>\sdra64.exe,"
In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
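The Userinit modification above is a persistence indicator a defender can check for directly: the legitimate value holds a single entry, and this variant appends a second one. The following is an added example, not part of the original analysis; it parses a Userinit value string and flags any entry other than the expected userinit.exe, assuming the default XP/Vista system folder from the note above, and reads the live key only when run on Windows.

```python
import sys

# Clean value: "<system folder>\userinit.exe,"
# Zbot.SI value: "<system folder>\userinit.exe,<system folder>\sdra64.exe,"
SUBKEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
DEFAULT_SYSTEM_FOLDER = r"C:\Windows\System32"  # assumption: XP/Vista default


def parse_userinit(value: str) -> list[str]:
    """Split the comma-separated Userinit value into its non-empty entries
    (the trailing comma written by the malware yields an empty field)."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def check_userinit(value: str, system_folder: str = DEFAULT_SYSTEM_FOLDER) -> dict:
    """Report which entries are unexpected. Any entry besides
    <system folder>\\userinit.exe is suspicious; sdra64.exe is the
    file name this variant drops."""
    entries = parse_userinit(value)
    expected = (system_folder + r"\userinit.exe").lower()
    extra = [e for e in entries if e.lower() != expected]
    return {
        "entries": entries,
        "expected_present": any(e.lower() == expected for e in entries),
        "extra_entries": extra,
        "suspicious": bool(extra),
        "zbot_si_indicator": any(e.lower().endswith(r"\sdra64.exe") for e in extra),
    }


def read_live_userinit():
    """Return the live Userinit value on Windows, or None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg  # only available on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SUBKEY) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
        return value


if __name__ == "__main__":
    # Constructed sample values mirroring the clean and infected states.
    live = read_live_userinit()
    samples = [live] if live else [
        r"C:\Windows\System32\userinit.exe,",
        r"C:\Windows\System32\userinit.exe,C:\Windows\System32\sdra64.exe,",
    ]
    for sample in samples:
        print(sample, "->", check_userinit(sample))
```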
When "sdra64.exe" executes, it injects code into the running process "winlogon.exe", which in turn injects code into other running processes, including, for example:
- explorer.exe
- lsass.exe
- services.exe
- smss.exe
- spoolsv.exe
- svchost.exe
- winlogon.exe
- wauclt.exe
Payload
Steals sensitive information
The Zbot family of malware is used to obtain sensitive information from the affected system, such as:
PWS:Win32/Zbot.SI creates the following encrypted log file under a hidden folder, in which it presumably writes all stolen data:
Contacts remote site for instruction/Downloads and executes arbitrary files
After installation, PWS:Win32/Zbot.SI attempts to contact the remote IP address "59.44.60.152" at TCP port 6010 to download additional instructions (which may be in the form of a configuration file) and/or arbitrary files to execute.
Allows remote backdoor access and control
Zbot can be instructed by a remote attacker to perform a host of actions, including the following:
PWS:Win32/Zbot.SI opens and listens on TCP port 18691 for additional instructions from a remote attacker.
Additional Information
PWS:Win32/Zbot.SI may make the following additional registry modifications:
Sets value: "UID"
With data: "avm<computer-specific ID>"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Network
Analysis by Wei Li