Lumension® Endpoint Intelligence Center


Overview

Threat Risk: MEDIUM
Destructivity: UNKNOWN
Payload:
Detection files: published
Description created: 20 Nov 2009 05:37:00
Description updated: 20 Nov 2009 05:37:00
Malware type: TROJAN
Aliases: Trojan.Zbot!gen, Trojan-Spy.Win32.Zbot.gen, Mal/Zbot-O, Mal/EncPk-CZ, PWS:Win32/Zbot.M
Spreading mechanism: EMAIL
Summary

W32/Zbot

Spreading

n/a

Payload Details

On execution, the trojan copies itself into the %windir%\system32 directory and sets the copy's file time to match that of ntdll.dll. Each time it runs it randomizes itself: it uses the GetTickCount API to determine how many bytes to append to the file, so that the file's MD5 hash differs from one execution to the next. It also terminates outpost.exe (Outpost Personal Firewall) and zlclient.exe (ZoneAlarm Firewall) if they are running.
The trojan appends its own path to the Userinit value in the registry so that it runs on every system reboot.

Installation

When the malware is executed, it copies itself to the following location: %system%\wbem\csrss.exe. It sets the value “CSRSS” in the registry key “Run” and adds itself to the “userinit” value under the “Winlogon” key in order to start itself at every system start, then creates a folder named twain32 or lowsec, depending on the variant. It also injects into the svchost.exe instance with the lowest PID; this injected code is responsible for downloading the configuration file and uploading the information gathered from the host (user credentials) to the remote server. It creates mutexes and named pipes for inter-process communication. Several variants have appeared; depending on the variant, one of ntos.exe, twex.exe, sdra64.exe or userinit.exe is created in the %system32% location (one of the main components of this family).
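
The persistence and timestamp tricks described above can be checked for on a host. The following is an added example (not code from Lumension or from this advisory) that runs three checks over a constructed snapshot of the Winlogon Userinit value, the Run key and file modification times; collecting a real snapshot (for example with winreg and os.stat on the host) is left to the reader, and the paths and timestamps below are made up except for the names the advisory itself reports.

```python
import ntpath

# Constructed snapshot of the registry values and file timestamps Zbot
# tampers with. Paths and times are invented for the example; CSRSS,
# wbem\csrss.exe and the dropper names come from the advisory text.
SNAPSHOT = {
    "winlogon_userinit": r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,",
    "run_key": {"CSRSS": r"C:\WINDOWS\system32\wbem\csrss.exe",
                "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    # mtime in seconds; a dropper whose mtime equals ntdll.dll's matches
    # the "sets the file time as ntdll.dll file time" behaviour
    "mtimes": {r"C:\WINDOWS\system32\ntdll.dll": 1187654321,
               r"C:\WINDOWS\system32\sdra64.exe": 1187654321,
               r"C:\WINDOWS\system32\ctfmon.exe": 1180000000},
}

ZBOT_DROPPERS = {"ntos.exe", "twex.exe", "sdra64.exe"}  # names cited in the advisory

def extra_userinit_entries(userinit_value):
    """Return every Userinit entry other than the stock userinit.exe.
    Zbot appends its own path, so any second entry is the indicator."""
    entries = [e.strip() for e in userinit_value.split(",") if e.strip()]
    return [e for e in entries if ntpath.basename(e).lower() != "userinit.exe"]

def suspicious_run_values(run_key):
    """Flag Run values that launch a csrss.exe from anywhere other than
    system32 (the advisory's CSRSS -> %system%\\wbem\\csrss.exe pattern)."""
    hits = []
    for name, target in run_key.items():
        base = ntpath.basename(target).lower()
        parent = ntpath.basename(ntpath.dirname(target)).lower()
        if base == "csrss.exe" and parent != "system32":
            hits.append((name, target))
    return hits

def timestomped_droppers(mtimes):
    """Files with a known Zbot dropper name whose mtime equals ntdll.dll's."""
    ref = next((t for p, t in mtimes.items()
                if ntpath.basename(p).lower() == "ntdll.dll"), None)
    return [p for p, t in mtimes.items()
            if ntpath.basename(p).lower() in ZBOT_DROPPERS and t == ref]

def audit(snapshot):
    """Combine the three checks into one list of (check, detail) findings."""
    findings = [("userinit", e) for e in extra_userinit_entries(snapshot["winlogon_userinit"])]
    findings += [("run", f"{n}={t}") for n, t in suspicious_run_values(snapshot["run_key"])]
    findings += [("timestomp", p) for p in timestomped_droppers(snapshot["mtimes"])]
    return findings
```

On a real host many files under system32 share the installation-time mtime, so treat the timestamp match as corroboration of a dropper-named file rather than proof on its own.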

Analysis

[ DetectionInfo ]
* Filename: C:\Documents and Settings\norman\Desktop\0337f3917acac5839622d0a1cad0c8be.exe
* Sandbox name:
* Signature name: NOT_SCANNED
* Compressed: NO
* TLS hooks: NO
* Executable type: Application
* Executable file structure: OK
* Filetype: PE_I386

[ General information ]
* File length: 77030 bytes
* MD5 hash: 0337f3917acac5839622d0a1cad0c8be

[ Changes to filesystem ]
* Creates directory C:\WINDOWS\system32\wbem\
* Creates file C:\WINDOWS\system32\n.ini

[ Process/window information ]
* Creates a mutex dedf52
* Creates a mutex tgfhfgh6772

Removal

n/a

Last Updated: 12 Nov 2015 11:06:14