Threat behavior
PWS:Win32/Zbot.PI is a trojan password stealer that may bypass installed firewall applications to send captured passwords to an attacker.
Installation
When run, this trojan creates a mutex named "_AVIRA_21099" to ensure only one instance is executing at a time. It copies itself as 'c:\Windows\system32\sdra64.exe' with file attributes of 'hidden', 'system' and 'archive' and modifies the registry to run the trojan copy at each Windows start.
Adds value: "userinit"
With data: "<system folder>\userinit.exe, c:\Windows\system32\sdra64.exe"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
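A check for the persistence change described above, as an added Python example that is not part of the original write-up: it splits the Winlogon "Userinit" value into its entries and flags anything other than the expected userinit.exe. The dropped-file path, mutex and pipe names are taken from the text; the default system folder and the exact form of the benign Userinit entry are assumptions.

```python
from typing import List

# Indicators as stated in the write-up (no new values introduced).
KNOWN_DROPPER_PATH = r"c:\windows\system32\sdra64.exe"
KNOWN_MUTEX = "_AVIRA_21099"
KNOWN_PIPE = r"\\.\pipe\_AVIRA_2109"


def parse_userinit(data: str) -> List[str]:
    """Split the Winlogon 'Userinit' REG_SZ value into its entries.

    The value is comma-separated; Windows tolerates a trailing comma and
    surrounding whitespace, so both are stripped here.
    """
    return [entry.strip() for entry in data.split(",") if entry.strip()]


def suspicious_userinit_entries(data: str, system_folder: str = r"C:\Windows\system32") -> List[str]:
    """Return every Userinit entry that is not '<system folder>\\userinit.exe'.

    Comparison is case-insensitive because Windows paths are. The assumed
    benign form is the full path; anything else is reported for review.
    """
    expected = (system_folder.rstrip("\\") + r"\userinit.exe").lower()
    return [e for e in parse_userinit(data) if e.lower() != expected]


def classify_userinit(data: str, system_folder: str = r"C:\Windows\system32") -> str:
    """'empty' (value has no entries, which breaks logon), 'clean',
    'zbot_pi' (the sdra64.exe path from this write-up is present) or
    'unexpected' (some other extra entry worth a closer look)."""
    if not parse_userinit(data):
        return "empty"
    extra = suspicious_userinit_entries(data, system_folder)
    if not extra:
        return "clean"
    if any(e.lower() == KNOWN_DROPPER_PATH for e in extra):
        return "zbot_pi"
    return "unexpected"


def matches_known_artifact(name: str) -> str:
    """Tell whether a mutex or named-pipe name observed on a host matches
    one of the artifacts listed for this trojan; '' if it does not."""
    lowered = name.lower()
    if lowered == KNOWN_MUTEX.lower():
        return "mutex"
    if lowered == KNOWN_PIPE.lower():
        return "pipe"
    return ""


# Constructed sample values (not captured from a real machine).
SAMPLE_CLEAN = r"C:\Windows\system32\userinit.exe,"
SAMPLE_INFECTED = r"C:\Windows\system32\userinit.exe, c:\Windows\system32\sdra64.exe"
```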
Payload
Bypasses Firewall Applications
When executed, this trojan searches for the following applications associated with firewall and user Internet protection:
outpost.exe - Outpost Personal Firewall
zlclient.exe - ZoneLabs Firewall Client
The trojan creates a pipe "\\.\pipe\_AVIRA_2109" to bypass the above firewall applications and allow an attacker remote access.
Collects User Logon Credentials
This trojan injects malicious code into the Windows process 'WINLOGON.EXE' and creates a remote thread there. The remote thread attempts to hook specific API calls to steal sensitive user-entered information. The trojan may delete Internet cookies from the Internet Explorer URL cache so that users are required to re-enter passwords when logging into websites that request credentials. Captured logon credentials are sent to an attacker.
Analysis by Tim Liu
Prevention