PWS:Win32/Zbot.TQ is a trojan that injects code into various processes. It may also steal sensitive system information, such as user names and passwords, and send it back to a remote attacker. It may also connect to various websites and download other components.
Installation
Upon execution, PWS:Win32/Zbot.TQ creates a folder with a random name in the %AppData% folder. In this folder, it drops a file, also detected as PWS:Win32/Zbot.TQ. The file also has a random file name, such as "egfo.exe".
It then modifies the system registry so that the file automatically starts every time Windows starts:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random CLSID>"
With data: "%AppData%\<random string>\<malware file>"
for example:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "{52659BBA-637E-9200-B969-326F7D5F89AA}"
With data: "%AppData%\wealwu\egfo.exe"
It also creates the following registry subkey:
HKCU\SOFTWARE\Microsoft\<random string>
for example:
HKCU\SOFTWARE\Microsoft\Woguap
PWS:Win32/Zbot.TQ also creates a mutex named "Nn983c".
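The installation indicators above are mostly shape-based (a CLSID-style value name under the user's Run key whose data points at an .exe in a single randomly named folder directly under %AppData%), so a hunt should match on that shape rather than on the literal names from this description. The following is an added example, not part of the original entry: it parses the text that `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` prints and flags entries matching the Zbot.TQ persistence pattern. The sample `reg query` output, the user name "alice", and the "Updater"/"qzxkv" entry are constructed for illustration; the GUID, folder and file names in the second entry are the ones given above.

```python
import re
from typing import Dict, List

# Zbot.TQ names its Run value like a registry CLSID: {8-4-4-4-12 hex digits}.
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Data is "%AppData%\<random string>\<malware file>": exactly one folder
# directly under the roaming AppData directory, then an .exe.  The expanded
# form (C:\Users\<user>\AppData\Roaming\...) is accepted as well.
APPDATA_EXE_RE = re.compile(
    r'^"?(?:%AppData%|[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming)'
    r'\\([^\\]+)\\([^\\]+\.exe)"?\s*$',
    re.IGNORECASE,
)

# Constructed sample of `reg query <Run key>` output (not captured from a real host).
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    {52659BBA-637E-9200-B969-326F7D5F89AA}    REG_SZ    %AppData%\wealwu\egfo.exe
    Updater    REG_SZ    C:\Users\alice\AppData\Roaming\qzxkv\upd.exe
"""


def parse_reg_query(output: str) -> List[Dict[str, str]]:
    """Turn `reg query` text into value records.

    reg.exe prints the key path flush-left and each value indented by four
    spaces, with name, type and data separated by runs of four spaces.
    """
    entries = []
    for line in output.splitlines():
        if not line.startswith("    "):  # key path header or blank line
            continue
        parts = re.split(r"\s{4,}", line.strip(), maxsplit=2)
        if len(parts) != 3:
            continue
        name, vtype, data = parts
        entries.append({"name": name, "type": vtype, "data": data})
    return entries


def suspicious_run_entries(entries: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Flag Run values whose target matches the %AppData%\<random>\<file>.exe pattern.

    A CLSID-shaped value name on top of that path is recorded as a second
    reason, so a reviewer can rank hits: both reasons together is the exact
    shape described for Zbot.TQ, the path alone is worth a look.
    """
    hits = []
    for e in entries:
        m = APPDATA_EXE_RE.match(e["data"])
        if not m:
            continue
        reasons = ["autorun target is an .exe one folder below %AppData%"]
        if CLSID_RE.match(e["name"]):
            reasons.append("value name is a CLSID-style GUID rather than a product name")
        hits.append({
            "name": e["name"],
            "folder": m.group(1),
            "file": m.group(2),
            "reasons": reasons,
        })
    return hits


if __name__ == "__main__":
    for hit in suspicious_run_entries(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f'{hit["name"]}: {hit["folder"]}\\{hit["file"]}')
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

On a live host, replace `SAMPLE_REG_QUERY` with the captured output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (or run the same parser over exports collected from many machines). Legitimate software does occasionally autorun from a folder under %AppData%, which is why the path match alone is only a lead; the CLSID-style value name plus a freshly created folder with a meaningless name is the combination that points at this family. The random subkey under HKCU\SOFTWARE\Microsoft and the "Nn983c" mutex are corroborating indicators to check on any host that produces a hit.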
Payload
Injects code
PWS:Win32/Zbot.TQ injects code into the address space of all running processes that run with the same privileges as the currently logged-on user, such as "explorer.exe".
Steals sensitive information
PWS:Win32/Zbot.TQ may hook various system APIs to capture sensitive data (user names, passwords), which is then sent to a remote server.
Connects to remote servers
PWS:Win32/Zbot.TQ may attempt to connect to remote websites, possibly to download additional components. Some of the websites it is known to connect to are:
- fastworkstation.co.cc
- knuckleheadskc.com
Analysis by Andrei Florin Saygo