PWS:Win32/Zorbcray.gen!A is a trojan that attempts to steal users' FTP account details and stored browser passwords, and sends them to a remote server.
Installation
PWS:Win32/Zorbcray.gen!A runs from its original location, and may be installed by another piece of malware. It has been observed using filenames such as ftp[1].exe, <4-5 digit random number>.exe and a<4-5 digit random number>.exe.
It attempts to give itself access through the Windows Firewall by creating the following registry entry:
Under key: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\
Sets value: <Malware path/filename>
With data: "<Malware path/filename>:*:enabled:svchost"
It uses a mutex (e.g. "Mbobgbgbgbgbgbgbgbgbg") to ensure that no more than one copy of itself may run at a time.
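The firewall entry above has a recognisable shape: a binary with a throwaway filename (ftp[1].exe, a 4-5 digit number, or "a" plus a 4-5 digit number) registered as an authorized application under the display name "svchost". The following script, an added example that is not part of this write-up, audits an exported copy of the AuthorizedApplications\List key for that shape. The .reg text it parses is constructed sample data; the helper names and the `Finding` type are this example's own.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a .reg export of the StandardProfile AuthorizedApplications\List key.
# The first two entries are benign-looking filler; the last two mirror the shape described
# in the write-up (throwaway filename, data "<path>:*:enabled:svchost"). None of these
# paths come from a real system.
SAMPLE_REG_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\system32\\svchost.exe"="C:\\WINDOWS\\system32\\svchost.exe:*:enabled:svchost"
"C:\\Documents and Settings\\alice\\Local Settings\\Temp\\a48213.exe"="C:\\Documents and Settings\\alice\\Local Settings\\Temp\\a48213.exe:*:enabled:svchost"
"C:\\WINDOWS\\Temp\\ftp[1].exe"="C:\\WINDOWS\\Temp\\ftp[1].exe:*:enabled:svchost"
'''

# A .reg value line looks like "name"="data"; backslashes and quotes are escaped with '\'.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Filenames the write-up reports for this family: ftp[1].exe, <4-5 digits>.exe, a<4-5 digits>.exe
SUSPICIOUS_NAME = re.compile(r'^(ftp\[1\]|a?\d{4,5})\.exe$', re.IGNORECASE)


@dataclass
class Finding:
    value_name: str
    path: str
    reasons: List[str]


def _unescape(s: str) -> str:
    """Undo .reg escaping: '\\\\' -> '\\', '\\"' -> '"'."""
    return re.sub(r'\\(.)', r'\1', s)


def audit_authorized_apps(reg_text: str) -> List[Finding]:
    """Return one Finding per AuthorizedApplications value that looks like the
    firewall exception this trojan creates for itself."""
    findings = []
    for line in reg_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if not m:
            continue  # header, key name, blank line
        name, data = (_unescape(g) for g in m.groups())
        # Data format is "<path>:<scope>:<state>:<display name>"; the path itself
        # contains a colon (drive letter), so split from the right.
        parts = data.rsplit(':', 3)
        if len(parts) != 4:
            findings.append(Finding(name, data, ['malformed entry']))
            continue
        path, _scope, _state, display = parts
        base = ntpath.basename(path).lower()
        reasons = []
        if display.lower() == 'svchost' and base != 'svchost.exe':
            reasons.append('display name "svchost" but the binary is %s' % base)
        if SUSPICIOUS_NAME.match(base):
            reasons.append('filename matches the naming pattern reported for this family')
        if reasons:
            findings.append(Finding(name, path, reasons))
    return findings


if __name__ == '__main__':
    for f in audit_authorized_apps(SAMPLE_REG_EXPORT):
        print(f.path)
        for r in f.reasons:
            print('  -', r)
```

On a live system the same key can be exported with `reg export` and fed to `audit_authorized_apps`; the script deliberately does not touch the registry itself, so it can be run against exports collected from many hosts offline.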
Payload
Sends FTP account details and browser password details to remote server
The malware attempts to query the registry and configuration files to obtain stored passwords from Internet Explorer 7 and Mozilla Firefox.
It also attempts to open various configuration files or enumerate registry entries associated with a number of different FTP clients. Should the configuration files exist, it stores a copy of their entire contents.
FTP Clients and files targeted include the following:
Total Commander
<windir>\wcx_ftp.ini
C:\totalcmd\wcx_ftp.ini
C:\wincmd\wcx_ftp.ini
%DocumentsAndSettings%\<username>\wcx_ftp.ini
%DocumentsAndSettings%\<username>\AppData\Roaming\GHISLER\wcx_ftp.ini
FlashFXP
%AllUsersAppData%\FlashFXP\3\Sites.dat
%UserAppData%\FlashFXP\3\Sites.dat
C:\Users\All Users\Application Data\FlashFXP\3\Sites.dat
FileZilla
%AllUsersAppData%\FileZilla\sitemanager.xml
%UserAppData%\FileZilla\sitemanager.xml
%ProgramFiles%\FileZilla\sitemanager.xml
C:\FileZilla\FileZilla\sitemanager.xml
Far FTP
The malware attempts to query the registry at HKCU\Software\Far\Plugins\FTP and retrieve the stored default password as well as host names, user names, and passwords for individual hosts.
Once all this information has been collected, it is posted to a remote server. At the time of publication, servers used included the following:
- install-adobe-flash.com
- warnerbrazas.com
- fantomast.ru
Additional Information
PWS:Win32/Zorbcray.gen!A also attempts to obtain a User ID from a registry value at
HKCU\Software\Microsoft\Windows\CurrentVersion\SvchostID
If it is found, this ID is also sent to the remote server.
Analysis by David Wood