TrojanSpy:Win32/Zbot.gen!C is a trojan that is used to steal sensitive information from an affected machine.
Installation
When executed, TrojanSpy:Win32/Zbot.gen!C copies itself to <system folder>\ntos.exe and modifies the registry to ensure that this copy is executed at each Windows start:
Adds value: "userinit"
With data: "<system folder>\userinit.exe,<system folder>\ntos.exe,"
To subkey: HKLM\software\microsoft\windows nt\currentversion\winlogon
Adds value: "userinit"
With data: "<system folder>\ntos.exe"
To subkey: HKEY_USERS\.DEFAULT\software\microsoft\windows\currentversion\run
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on XP and Vista.
TrojanSpy:Win32/Zbot.gen!C may create the following files, which it uses in order to store data, such as captured information and configuration options:
TrojanSpy:Win32/Zbot.gen!C may inject malicious code into explorer.exe or winlogon.exe.
TrojanSpy:Win32/Zbot.gen!C may also create one or more mutexes using the following names:
__SYSTEM__23D80F10__
__SYSTEM__45A2F601__
__SYSTEM__64AD0625__
__SYSTEM__7F4523E5__
__SYSTEM__91C38905__
Note: This trojan may try to prevent its removal from the affected system by blocking access to its files, and by recreating its registry entries should they be deleted.
Payload
Steals Sensitive Data
TrojanSpy:Win32/Zbot.gen!C gathers information about the infected system, such as the OS version and language. It intercepts keystrokes, network traffic and clipboard contents by hooking various functions, and it can also capture screenshots. Captured information may be uploaded to an FTP server.
TrojanSpy:Win32/Zbot.gen!C may try to contact a remote site in order to download a new configuration file. In the wild, we have observed this trojan contacting the golden-styl.org domain for this purpose. The trojan uses the configuration file to determine which bank-related keywords it searches for in URLs and HTTP packets, and thus which information it captures.
Modifies Hosts File
TrojanSpy:Win32/Zbot.gen!C may modify the Windows Hosts file (located at <system folder>\drivers\etc\hosts). Entries in the local Hosts file take precedence over DNS resolution, so a host name can be mapped to a chosen IP address. Malicious software modifies the Hosts file to redirect specified URLs to different IP addresses; a common purpose is to stop users from reaching websites associated with particular security-related applications, such as antivirus products.
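The two tampering artifacts described above (the extra program appended to the Winlogon Userinit value under Installation, and non-default Hosts file entries in this section) can be triaged from values exported off a suspect host. The following is an added example, not part of the original encyclopedia entry; the sample Userinit value and hosts file are constructed, and the blocked domain is a placeholder.

```python
"""Offline triage of two Zbot artifacts: a hijacked Winlogon Userinit value and
non-default Hosts file mappings. Inputs are strings exported from a host."""
import ipaddress
import ntpath

def check_userinit(value: str, system_folder: str = r"C:\Windows\System32"):
    """Return every program in a Userinit value other than the expected
    <system folder>\\userinit.exe. A clean value holds exactly that one entry."""
    expected = ntpath.normcase(ntpath.join(system_folder, "userinit.exe"))
    # The value is a comma-separated list, normally with a trailing comma.
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if ntpath.normcase(e) != expected]

def check_hosts(text: str):
    """Return (ip, hostname) pairs beyond the standard localhost mappings.
    Comments (#...) and blank lines are ignored; one line may list several names."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line, not a valid mapping
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address, skip
        for name in parts[1:]:
            host = name.lower()
            # A default Windows hosts file maps only localhost to loopback.
            if host == "localhost" and ip.is_loopback:
                continue
            findings.append((str(ip), host))
    return findings

# Constructed samples modelled on the behaviour described in the text.
SAMPLE_USERINIT = r"C:\Windows\System32\userinit.exe,C:\Windows\System32\ntos.exe,"
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-av.test   # placeholder for a blocked vendor site
"""

if __name__ == "__main__":
    print("Unexpected Userinit entries:", check_userinit(SAMPLE_USERINIT))
    print("Non-default hosts entries:", check_hosts(SAMPLE_HOSTS))
```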
Deletes Cookies
TrojanSpy:Win32/Zbot.gen!C may try to delete all cookies stored by Internet Explorer in the URL cache so that users are forced to retype their passwords (should they be cached).
Additional Information
TrojanSpy:Win32/Zbot.gen!C may check for the presence of the following processes:
These processes would generally be associated with particular personal firewall applications.
This trojan may also make the following further modifications to the registry:
Adds value: "UID"
With data: "[COMPUTERNAME]_[UNIQUE_ID]"
To subkey: HKLM\Software\microsoft\windows nt\currentversion\network\
Adds value: "{6780A29E-6A18-0C70-1DFF-1610DDE00108}"
To subkey: HKCU\Software\microsoft\windows\currentversion\explorer\
Adds value: "{F710FA10-2031-3106-8872-93A2B5C5C620}"
To subkey: HKCU\Software\microsoft\windows\currentversion\explorer\