Threat behavior
PWS:Win32/Zbot.gen!G is a password-stealing trojan that contains limited backdoor functionality.
Installation
When executed, PWS:Win32/Zbot.gen!G drops a copy of itself as the following file (the same file it registers for start-up in the Winlogon registry data below):
<system folder>\ntos.exe
Note: <system folder> refers to a variable location that the malware determines by querying the operating system. By default the System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP and Vista.
It also drops the following files, containing encrypted data used by the trojan, under <system folder>\wsnpoem\:
It modifies the registry to ensure that its copy is executed at each Windows start:
Adds value: "userinit"
With data: "<system folder>\userinit.exe,<system folder>\ntos.exe"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
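A read-only triage script for the persistence and file artifacts described above, added here as an example; it is not part of the original encyclopedia entry. It assumes an elevated PowerShell session on the host under examination and checks only what the entry names: the Winlogon Userinit value, ntos.exe and the wsnpoem folder under the System folder. It also assumes that a clean Userinit value holds a single entry, <system folder>\userinit.exe (Windows writes it with a trailing comma, which the script tolerates).

```powershell
# Added example, not code from the encyclopedia entry. Read-only triage for the
# Zbot.gen!G artifacts the entry describes. Run from an elevated PowerShell session.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$system32 = [Environment]::GetFolderPath('System')   # resolves <system folder> on this host
$findings = @()

# 1. Userinit persistence. Clean value (assumption): "<system folder>\userinit.exe,".
#    Zbot appends ",<system folder>\ntos.exe", so anything other than userinit.exe is suspect.
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
$entries  = $userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
$expected = Join-Path $system32 'userinit.exe'
foreach ($entry in $entries) {
    if ($entry -ine $expected) {
        $findings += "Unexpected Userinit entry: $entry"
    }
}

# 2. File artifacts named in the entry: the dropped copy and the wsnpoem data folder.
$ntos = Join-Path $system32 'ntos.exe'
if (Test-Path -LiteralPath $ntos) {
    $findings += "Found dropped copy: $ntos"
}
$wsnpoem = Join-Path $system32 'wsnpoem'
if (Test-Path -LiteralPath $wsnpoem -PathType Container) {
    $findings += "Found data folder: $wsnpoem"
    Get-ChildItem -LiteralPath $wsnpoem -Force | ForEach-Object {
        $findings += "  $($_.FullName) ($($_.Length) bytes)"
    }
}

# 3. Report.
if ($findings.Count -eq 0) {
    Write-Output "No Zbot.gen!G artifacts found. Userinit = '$userinit'"
} else {
    Write-Output "Possible Zbot.gen!G infection:"
    $findings | ForEach-Object { Write-Output $_ }
}
```

Because the entry states that Zbot hides its processes and its registry entry from the running system, a clean result from this script on a live host is not conclusive: confirm by mounting the disk offline (for example from a recovery environment) and loading the SOFTWARE hive with reg.exe load, then reading the same Userinit value from the loaded hive.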
Zbot also hides its processes and registry entry to avoid detection.
It injects code into the following processes:
Payload
Steals Sensitive Data
PWS:Win32/Zbot.gen!G steals login credentials whenever a user logs on to the following sites:
- https://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome
- https://www.e-gold.com/sci_asp/payments.asp
- WebMoney Keeper Classic user interface
It may also attempt to steal the following sensitive information from the affected system:
- certificates
- cached passwords
- cookies
Backdoor Functionality
PWS:Win32/Zbot.gen!G may download a configuration file from the Internet that can contain any of the following commands:
- rename_bot
- getcerts
- getmff
- delmff
- block_url
- unblock_url
- block_fake
- unblock_fake
Zbot then executes the commands contained in the configuration file.
Terminates Security Processes
PWS:Win32/Zbot.gen!G checks for the following security-related processes and terminates them if found:
- outpost.exe (executable for Outpost Firewall)
- zlclient.exe (executable for Zone Alarm Firewall)
Analysis by Francis Allan Tan Seng
Prevention