Installation
When run, PWS:Win32/Zbot.gen!AF drops a copy of itself as a randomly named file in the following format:
- %APPDATA%\<random letters>\<random letters>.exe - for example, "C:\Documents and Settings\Administrator\Application Data\ecymy\huojq.exe"
The registry is modified to run the trojan at each Windows start.
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "{GUID of Windows volume}"
With data: "%APPDATA%\<random letters>\<random letters>.exe"
This trojan injects code into the address space of all running processes that match the security privileges of the logged-on user; otherwise it injects its code into all user-level processes (such as "Explorer.exe", "Iexplore.exe" and so on).
Note: Code injection is commonly used by malware as an attempt to hide from security software.
PWS:Win32/Zbot.gen!AF hooks the following Windows system APIs to aid in the capture of sensitive data such as login credentials for online financial transactions, email credentials and network information:
- NSPR.DLL
PR_OpenTCPSocket
PR_Close
PR_Poll
PR_Read
PR_Write
- NTDLL.DLL
ZwCreateThread
LdrLoadDll
- KERNEL32.DLL
GetFileAttributesExW
- WININET.DLL
HttpSendRequestW
HttpSendRequestA
HttpSendRequestExW
HttpSendRequestExA
InternetCloseHandle
InternetReadFile
InternetReadFileExA
InternetQueryDataAvailable
HttpQueryInfoA
InternetSetStatusCallbackW
InternetSetStatusCallbackA
InternetSetOptionA
- WS2_32.DLL
closesocket
send
WSASend
recv
WSARecv
- GDI32.DLL
OpenInputDesktop
SwitchDesktop
DefWindowProcW
DefWindowProcA
DefDlgProcW
DefDlgProcA
DefFrameProcW
DefFrameProcA
DefMDIChildProcW
DefMDIChildProcA
CallWindowProcW
CallWindowProcA
RegisterClassW
RegisterClassA
RegisterClassExW
RegisterClassExA
- USER32.DLL
BeginPaint
EndPaint
GetDCEx
GetDC
GetWindowDC
ReleaseDC
GetUpdateRect
GetUpdateRgn
GetMessagePos
GetCursorPos
SetCursorPos
SetCapture
ReleaseCapture
GetCapture
GetMessageW
GetMessageA
PeekMessageW
PeekMessageA
TranslateMessage
GetClipboardData
- CRYPT32.DLL
PFXImportCertStore
PWS:Win32/Zbot.gen!AF may copy itself to other PCs connected via Remote Desktop Services (RDS). If the affected computer is running RDS, the malware attempts to execute a process for every connected RDS session and drops a copy of the trojan into the following directories:
- <drive:>\documents and settings\default user\
- <drive:>\users\default\
- <drive:>\documents and settings\<user name>\
- <drive:>\users\<user name>\
Payload
Lowers Internet Explorer security
PWS:Win32/Zbot.gen!AF lowers Internet Explorer web browser security settings by modifying registry data.
- Disables phishing filtering:
In subkey: HKCU\Software\Microsoft\Internet Explorer\PhishingFilter
Sets value: "Enabled"
With data: "0"
Sets value: "EnabledV8"
With data: "0"
- Disables system behavior to remove expired Internet Explorer browser cookies:
In subkey: HKCU\Software\Microsoft\Internet Explorer\Privacy
Sets value: "CleanCookies"
With data: "0"
- Lowers Internet Explorer Internet zone security settings:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
Sets value: "1609"
With data: "0"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Sets value: "1406"
With data: "0"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Sets value: "1609"
With data: "0"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Sets value: "1406"
With data: "0"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
Sets value: "1406"
With data: "0"
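The persistence entry and the weakened Internet Explorer settings described above leave fixed registry indicators that can be checked for in an exported registry. The Python below is an added example, not part of the original analysis: the key paths, value names and the drop-path pattern come from this description, while the scanned export is a constructed list of (subkey, value name, data) tuples.

```python
import re

# Registry indicators taken from the write-up above. The export scanned here is a
# constructed list of (subkey, value name, data) tuples, not data from a real host.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
PHISHING_KEY = r"HKCU\Software\Microsoft\Internet Explorer\PhishingFilter"
PRIVACY_KEY = r"HKCU\Software\Microsoft\Internet Explorer\Privacy"
ZONES_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"

# Run value named after a volume GUID, e.g. "{F1C3A2B4-7D21-4E6A-9B0C-1234567890AB}"
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# %APPDATA%\<random letters>\<random letters>.exe, unexpanded or as a profile path
DROP_RE = re.compile(
    r"(?i)(%APPDATA%|\\Application Data|\\AppData\\Roaming)\\[a-z]+\\[a-z]+\.exe$")
# URL actions the trojan sets to 0 (allowed without prompt): 1609 mixed content,
# 1406 access to data sources across domains
WEAKENED_ACTIONS = {"1609", "1406"}


def audit_registry(entries):
    """Return one human-readable finding per entry that matches a Zbot indicator."""
    findings = []
    for key, name, data in entries:
        k = key.lower()
        if k == RUN_KEY.lower() and GUID_RE.match(name) and DROP_RE.search(data):
            findings.append(f"run-key persistence: {name} -> {data}")
        elif k == PHISHING_KEY.lower() and name in ("Enabled", "EnabledV8") and data == "0":
            findings.append(f"phishing filter disabled: {name}=0")
        elif k == PRIVACY_KEY.lower() and name == "CleanCookies" and data == "0":
            findings.append("expired-cookie cleanup disabled: CleanCookies=0")
        elif k.startswith(ZONES_KEY.lower() + "\\") and name in WEAKENED_ACTIONS and data == "0":
            zone = key.rsplit("\\", 1)[1]
            findings.append(f"zone {zone}: action {name} set to 0")
    return findings


# Constructed sample export: a benign Run entry, the drop path from the write-up under
# a GUID-named value, three weakened IE settings and one zone action left at default.
SAMPLE_EXPORT = [
    (RUN_KEY, "OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    (RUN_KEY, "{F1C3A2B4-7D21-4E6A-9B0C-1234567890AB}",
     r"C:\Documents and Settings\Administrator\Application Data\ecymy\huojq.exe"),
    (PHISHING_KEY, "Enabled", "0"),
    (PRIVACY_KEY, "CleanCookies", "0"),
    (ZONES_KEY + r"\3", "1406", "0"),
    (ZONES_KEY + r"\3", "1609", "3"),
]

if __name__ == "__main__":
    for line in audit_registry(SAMPLE_EXPORT):
        print(line)
```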
Lowers Firefox web browser security
PWS:Win32/Zbot.gen!AF could modify settings for the web browser Mozilla Firefox including the following:
- Disable the clearing of Internet cookies
- Disable warning messages that are displayed when viewing mixed secured and unsecure web pages
- Disable warning messages that are displayed when submitting data to unsecure pages
Downloads configuration data
Earlier variants of PWS:Win32/Zbot.gen download a configuration file from a remote server (for example, "dairanet.cn"). Newer variants of this malware generate a list of up to 1020 pseudo-randomly named domains and attempt to connect to each in turn to download a configuration file. The generated domain names are based on the system date and time and carry one of the following suffixes:
- .com
- .net
- .org
- .info
- .biz
Examples include:
- ghdukiopkkljbdyy <dot> com/news/?s=<random set of numbers>
- sdynjotsnjpojl <dot> biz/news/?s=<random set of numbers>
- kkrtfpqrsnslo <dot> net/news/?s=<random set of numbers>
- kkrtfpqrsnslo <dot> com/news/?s=<random set of numbers>
- nppuxmsnpfnkpphr <dot> info/news/?s=<random set of numbers>
- nppuxmsnpfnkpphr <dot> com/news/?s=<random set of numbers>
- mqjowjsgrpvmpr <dot> biz/news/?s=<random set of numbers>
- mqjowjsgrpvmpr <dot> org/news/?s=<random set of numbers>
The configuration file contains data used by the malware, or instructions, such as the following:
- URL to download updates of PWS:Win32/Zbot.gen!AF
- URL for additional configuration data files to download
- bot build version
- URL of targeted online financial institutions
- HTML and JavaScript code for parsing target web pages
- Steal sensitive data
Captures sensitive information
PWS:Win32/Zbot.gen!AF hooks APIs used by Internet Explorer and Mozilla Firefox to steal login credentials when a user visits certain websites. The trojan also steals the following sensitive information from your PC:
- Digital certificates
- IE cookies
- Cached passwords
The trojan also logs keystrokes and takes a snapshot of the infected system. Captured data is sent to a predefined FTP or email server, specified in a downloaded configuration file, for collection by a remote attacker.
Allows remote access and control
Some variants of this malware can perform the following actions, depending on the information in the downloaded configuration data file:
- Reboot/shut down your PC
- Uninstall/update itself
- Enable/disable HTTP injection
- Traverse directories
- Search/remove files and directories
- Log off current user
- Run a program
- Steal Internet Explorer browser cookies
- Steal/delete certificates
- Block/unblock URLs
- Set Internet Explorer home page
- Steal FTP credentials
- Steal email login credentials
Analysis by Zarestel Ferrer