Installation
These trojans are often installed by other malware. In the wild, some variants were observed bundled with an exploit detected as Exploit:Win32/CplLnk.B. The trojan may also arrive as an attachment to a spammed email message, as in the following examples:
Example 1:
From: <delivery@dhl.com>
To: <recipient>
Date: 12/3/2010 4:53:46 AM
Subject: DHL Failure Delivery Notification Message
Attachment: "SN_122010.zip" (contains "kss.exe")
Example 2:
Example 3:
From: <jim.larkin@careerbuilder.com>
To: <recipient>
Date: 11/29/2010 2:12:31 PM
Subject: Re: invoice
Attachment: "invoice.zip" (contains "invoice.scr")
Here is the invoice you requested
Thank you,
Jim Larkin
Careerbuilder Customer Care Department
When it runs, PWS:Win32/Zbot.gen!Y drops a modified copy of itself as a randomly named file:
%APPDATA%\<random letters>\<random letters>.exe
For example:
c:\Documents and Settings\Administrator\Application Data\dopyq\ruro.exe
The registry is modified to run the malware each time you start your computer:
In subkey: HKCU\Software\Microsoft\Windows\Currentversion\Run
Sets value: "{GUID of Windows volume}"
With data: "%APPDATA%\<random letters>\<random letters>.exe"
If running within a terminal server session, the trojan drops and runs a randomly named copy of itself in one of the following folders:
- <drive:>\documents and settings\default user\
- <drive:>\users\default\
- <drive:>\documents and settings\<user name>\
- <drive:>\users\<user name>\
The malware injects code into the address space of the following processes to hide itself from security software:
- ctfmon.exe
- explorer.exe
- rdpclip.exe
- taskeng.exe
- taskhost.exe
- winlogon.exe
- wscntfy.exe
In newer variants, instead of selecting specific processes, PWS:Win32/Zbot.gen!Y injects code into the address space of all running processes that match the privilege level of the currently logged-on user. For example, if you are logged on as an administrator, the trojan injects its code into all administrator-level processes, such as "winlogon.exe", "smss.exe" and so on.
Otherwise, the trojan injects its code into all user-level processes, such as "explorer.exe", "iexplore.exe" and so on.
PWS:Win32/Zbot.gen!Y also hooks the following Windows system APIs to help it steal sensitive information:
- BeginPaint
- CallWindowProcA
- CallWindowProcW
- closesocket
- DefDlgProcA
- DefDlgProcW
- DefFrameProcA
- DefFrameProcW
- DefMDIChildProcA
- DefMDIChildProcW
- DefWindowProcA
- DefWindowProcW
- EndPaint
- GetCapture
- GetClipboardData
- GetCursorPos
- GetDC
- GetDCEx
- GetFileAttributesExW
- GetMessageA
- GetMessagePos
- GetMessageW
- GetUpdateRect
- GetUpdateRgn
- GetWindowDC
- HttpQueryInfoA
- HttpSendRequestA
- HttpSendRequestExA
- HttpSendRequestExW
- HttpSendRequestW
- InternetCloseHandle
- InternetQueryDataAvailable
- InternetReadFile
- InternetReadFileExA
- OpenInputDesktop
- PeekMessageA
- PeekMessageW
- PFXImportCertStore
- RegisterClassA
- RegisterClassExA
- RegisterClassExW
- RegisterClassW
- ReleaseCapture
- ReleaseDC
- send
- SetCapture
- SetCursorPos
- SwitchDesktop
- TranslateMessage
- WSASend
PWS:Win32/Zbot.gen!Y hooks the following additional APIs, exported by Mozilla's NSPR library, to support Firefox:
- PR_Close
- PR_OpenTCPSocket
- PR_Read
- PR_Write
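The hooks listed above are user-mode inline hooks: the first bytes of an export such as HttpSendRequestA or PR_Write are overwritten with a jump into injected code, so request bodies are copied before they reach the TLS layer. The following is an added example (not code from the original write-up) of how an analyst would recognise such a patched prologue once the bytes have been read out of a process; the module base, export addresses and prologue bytes are constructed 32-bit x86 samples, and reading them from a live process is out of scope here.

```python
"""Spot inline (trampoline) hooks at the entry of an exported API.

Added example, not from the original write-up. The byte strings below are
constructed 32-bit x86 samples; reading them from a live process
(ReadProcessMemory) is out of scope here.
"""
import struct

MODULE_BASE, MODULE_SIZE = 0x76000000, 0x100000   # constructed wininet.dll-like image

# Constructed prologues, as the first bytes of an export would be read.
CLEAN_PROLOGUE = bytes.fromhex("8bff558bec83ec1c")              # mov edi,edi; push ebp; mov ebp,esp; sub esp,0x1c
HOOKED_PUSH_RET = bytes.fromhex("680000ad00c3") + b"\x8b\xec"   # push 0x00AD0000; ret
IMPORT_THUNK = bytes.fromhex("ff2500100076") + b"\x90\x90"      # jmp dword ptr [0x76001000]


def make_rel_jmp(from_addr, to_addr):
    """Encode the 5-byte `jmp rel32` a hook installer writes at from_addr."""
    rel = (to_addr - (from_addr + 5)) & 0xFFFFFFFF
    return b"\xe9" + struct.pack("<I", rel)


def inline_hook_target(func_addr, code):
    """Return where a patched prologue transfers control, or None if it looks clean.

    func_addr is the address the bytes were read from; a relative jump is
    resolved against it. For `jmp [slot]` the slot address is returned, since
    the real target lives in memory this function has not read.
    """
    if code[:1] == b"\xe9" and len(code) >= 5:                          # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return (func_addr + 5 + rel) & 0xFFFFFFFF
    if code[:1] == b"\x68" and len(code) >= 6 and code[5:6] == b"\xc3":  # push imm32; ret
        return struct.unpack_from("<I", code, 1)[0]
    if code[:2] == b"\xff\x25" and len(code) >= 6:                      # jmp dword ptr [imm32]
        return struct.unpack_from("<I", code, 2)[0]
    return None


def in_module(addr, base=MODULE_BASE, size=MODULE_SIZE):
    return base <= addr < base + size


def scan(exports, base=MODULE_BASE, size=MODULE_SIZE):
    """exports: {name: (address, first_bytes)}. Flag exports whose entry jumps
    outside the module that owns them. A compiler-generated import thunk is
    also `jmp [slot]`, but its slot is inside the module, so it is not flagged."""
    hooked = []
    for name, (addr, code) in exports.items():
        target = inline_hook_target(addr, code)
        if target is not None and not in_module(target, base, size):
            hooked.append((name, hex(target)))
    return hooked


# Constructed export table: two hooked entries, one clean, one legitimate thunk.
SAMPLE_EXPORTS = {
    "HttpSendRequestA": (0x76012340, make_rel_jmp(0x76012340, 0x00AD0000) + b"\x83\xec\x1c"),
    "InternetReadFile": (0x76023450, CLEAN_PROLOGUE),
    "HttpQueryInfoA": (0x76034560, HOOKED_PUSH_RET),
    "InternetCloseHandle": (0x76045670, IMPORT_THUNK),
}

if __name__ == "__main__":
    print(scan(SAMPLE_EXPORTS))   # [('HttpSendRequestA', '0xad0000'), ('HttpQueryInfoA', '0xad0000')]
```

The module-bounds check is what separates a hook from normal code: a legitimate `jmp [slot]` thunk or an intra-module tail jump stays inside the image, whereas injected code lives in memory the DLL does not own. A 64-bit scan needs the additional `mov rax, imm64; jmp rax` and RIP-relative forms.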
Payload
Infects files
PWS:Win32/Zbot.gen!Y can attempt to infect executable files so that it can spread to other PCs that use the infected removable, fixed, shared or remote drives. The trojan has been observed infecting files in the following locations:
- <drive:>\documents and settings\<user name>\application data\
- <drive:>\users\<user name>\appdata\roaming\
- <drive:>\program files\
- <drive:>\program files (x86)\
- %windir%\system32\
Infected files are detected as Virus:Win32/Zbot.B or Virus:Win32/Zbot.C.
Steals sensitive information
The trojan collects FTP credentials (IP, port, user name, and passwords) from the following FTP software:
- CoreFTP
- FAR/FAR2
- FileZilla
- FlashFXP
- FTP Commander
- SmartFTP
- Total Commander
- WinSCP
- WS_FTP
PWS:Win32/Zbot.gen!Y steals the following sensitive information from your PC:
The trojan also logs keystrokes and takes screenshots of your PC.
Steals Outlook Mail credentials
If running on Windows XP and below, PWS:Win32/Zbot.gen!Y uses COM libraries "msoeacct.dll" and "wab32.dll" to capture Outlook Mail details, such as:
- Account name
- Email address
- Server
- User name
- Password
The DLL files are searched for in the directory defined in the following registry key:
HKLM\SOFTWARE\Microsoft\WAB\DLLPath\
Otherwise, if running on Windows Vista and above, the trojan captures the credentials by parsing the email store folder specified in this registry subkey:
HKCU\SOFTWARE\Microsoft\Windows Mail\Store Root\
Steals "Full Tilt Poker" credentials
PWS:Win32/Zbot.gen!Y can capture logon credentials for the online gaming program "Full Tilt Poker". The trojan resets logon data by deleting the following registry value:
HKCU\Software\Full Tilt Poker\UserInfo\UserName
The trojan then monitors for logon activity for the game, and captures any credentials you use.
Lowers Internet Explorer web browser security
PWS:Win32/Zbot.gen!Y lowers Internet Explorer web browser security settings by making the following changes to the registry:
Disables phishing filtering:
In subkey: HKCU\Software\Microsoft\Internet Explorer\PhishingFilter
Sets value: "Enabled"
With data: "0"
Sets value: "EnabledV8"
With data: "0"
Prevents the removal of expired Internet Explorer browser cookies:
In subkey: HKCU\Software\Microsoft\Internet Explorer\Privacy
Sets value: "CleanCookies"
With data: "0"
Lowers Internet Explorer Internet zone security settings:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
Sets value: "1609"
With data: "0"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Sets value: "1406"
With data: "0"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Sets value: "1609"
With data: "0"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Sets value: "1406"
With data: "0"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
Sets value: "1406"
With data: "0"
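The Run-key persistence described under Installation (a value named after a volume GUID that points to a randomly named executable under %APPDATA%) and the Internet Explorer registry changes above are all visible in a plain registry export. The following is an added example (not code from the original write-up) that parses .reg text and applies those rules; the export is constructed sample data, not a capture from an infected system, and the zone check is generalised to look for either 1406 ("Access data sources across domains") or 1609 ("Display mixed content") set to 0 in any of zones 0 to 4, rather than only the zone/value pairs listed.

```python
"""Triage a Windows registry export (.reg text) for Zbot-style artifacts.

Added example, not part of the original write-up. SAMPLE_REG is constructed
sample data: one suspicious Run value, one legitimate one, and a mix of
lowered and untouched Internet Explorer settings.
"""
import re

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"{3C1E2A77-9B0D-4F61-8A2B-5D6E7F8A9B0C}"="C:\\Documents and Settings\\Administrator\\Application Data\\dopyq\\ruro.exe"
"OneDrive"="C:\\Program Files\\OneDrive\\OneDrive.exe /background"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
"Enabled"=dword:00000000
"EnabledV8"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy]
"CleanCookies"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1406"=dword:00000000
"1609"=dword:00000003
"""

GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# %APPDATA%\<letters>\<letters>.exe on XP ("Application Data") or Vista+ ("AppData\Roaming").
APPDATA_EXE_RE = re.compile(
    r"\\(?:Application Data|AppData\\Roaming)\\[a-z]+\\[a-z]+\.exe\s*$", re.IGNORECASE)

# (subkey suffix, value name, weakened data) triples from the report.
IE_WEAKENING = {
    ("Internet Explorer\\PhishingFilter", "Enabled", 0),
    ("Internet Explorer\\PhishingFilter", "EnabledV8", 0),
    ("Internet Explorer\\Privacy", "CleanCookies", 0),
}
for _zone in range(5):                      # generalised to every zone and both values
    for _value in ("1406", "1609"):
        IE_WEAKENING.add(("Internet Settings\\Zones\\%d" % _zone, _value, 0))


def parse_reg(text):
    """Yield (key, value_name, data) from .reg text; dword data becomes an int."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif line.startswith('"') and key:
            name, _, raw = line.partition("=")
            name = name.strip('"')
            if raw.startswith("dword:"):
                data = int(raw[6:], 16)
            else:
                data = raw.strip('"').replace("\\\\", "\\")   # .reg doubles backslashes
            yield key, name, data


def triage(text):
    """Return findings as (rule, key, value_name) tuples for the export."""
    findings = []
    for key, name, data in parse_reg(text):
        if key.endswith("\\CurrentVersion\\Run") and isinstance(data, str):
            if GUID_RE.match(name) and APPDATA_EXE_RE.search(data):
                findings.append(("zbot_run_key", key, name))
        for suffix, vname, bad in IE_WEAKENING:
            if key.endswith(suffix) and name == vname and data == bad:
                findings.append(("ie_security_lowered", key, name))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_REG):
        print(*finding, sep="  ")
```

Run it against `reg export HKCU\Software out.reg` from a suspect profile; the Run-key rule keys on the combination of GUID-shaped value name and two random lowercase path components, which is unusual enough in practice to be a strong indicator on its own.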
Lowers Firefox web browser security
PWS:Win32/Zbot.gen!Y can modify settings for the web browser Mozilla Firefox including the following:
- Disable the clearing of Internet cookies
- Disable the display of warning messages when viewing mixed secure and insecure webpages
- Disable the display of warning messages when submitting data to insecure pages
Allows remote access and control
PWS:Win32/Zbot.gen!Y allows varying degrees of remote access and control, depending on the information in the configuration file.
The trojan can perform, but is not limited to, any of the following actions:
- Reboot/shut down your computer
- Uninstall Zbot
- Update Zbot and its configuration file
- Search and remove files and directories
- Log you off your computer
- Run a program
- Steal or delete Internet Explorer cookies
- Steal or delete certificates
- Block or unblock URLs
- Change the Internet Explorer homepage
- Steal your FTP credentials
- Steal your email login credentials
- Steal your Flash Player credentials
Downloads files
PWS:Win32/Zbot.gen!Y hooks APIs used by Internet Explorer and Mozilla Firefox to steal login credentials when you visit certain websites. Earlier variants of PWS:Win32/Zbot.gen!Y download a configuration file from a remote server (for example, "dairanet.cn") and send the captured data to a predefined FTP or email server.
Newer variants of this malware generate up to 1020 pseudo-randomly named domains and attempt connections with the generated list to download a configuration file. The generated domain names are based on your computer's date and time and have one of the following suffixes:
- .biz
- .com
- .info
- .net
- .org
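To show how a date-driven generator of the kind described above works, and why recovering its constants from a sample lets a defender precompute and block or sinkhole the day's list, here is an added illustrative generator. It is not Zbot's actual algorithm, which this write-up does not specify: the seed constant, the hash, the 12-letter label length and the use of the date alone (rather than date and time) are assumptions made for the illustration; only the suffix list and the 1020 count come from the text.

```python
"""Illustrative date-seeded domain generation (DGA).

Added example; NOT Zbot's actual generator. Shows the mechanism the report
describes: a deterministic list derived from the date and a counter, spread
across the listed suffixes, reproducible by anyone holding the constants.
"""
import hashlib
from datetime import date

SUFFIXES = (".biz", ".com", ".info", ".net", ".org")   # suffixes listed in the report
DOMAINS_PER_DAY = 1020                                  # upper bound given in the report
SECRET = b"illustrative-constant"   # assumption: stands in for constants embedded in a sample


def generate(day, count=DOMAINS_PER_DAY, secret=SECRET):
    """Return the domain list for `day` ("YYYY-MM-DD"). Same inputs give the
    same list, whether computed by the bot or by an analyst with the constants."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(secret + day.encode() + i.to_bytes(2, "big")).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])   # 12 letters a-z
        domains.append(label + SUFFIXES[digest[12] % len(SUFFIXES)])
    return domains


def blocklist_for(day, count=DOMAINS_PER_DAY):
    """Set form, suitable for a resolver or proxy deny-list."""
    return set(generate(day, count))


def is_generated(name, day, count=DOMAINS_PER_DAY):
    """True if `name` (as seen in a DNS query log) is on the day's generated list."""
    return name.lower().rstrip(".") in blocklist_for(day, count)


if __name__ == "__main__":
    today = date.today().isoformat()
    todays = generate(today)
    print(len(todays), todays[:3])
```

Because the list depends only on the date, an infected host whose clock is wrong asks for a different day's names; an analyst replaying a sample therefore generates the lists for a window of days around the capture date, not just the current one.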
The configuration file contains data used by the malware such as the following:
- URL to download updates for PWS:Win32/Zbot.gen!Y
- URL for additional configuration data files to download
- Version number of the bot that distributes the malware
- URLs of targeted online financial institutions
- HTML and JavaScript code for parsing target webpages
Analysis by Rodel Finones