PWS:Win32/Zbot.AHD

PWS:Win32/Zbot.AHD is trojan that allows unauthorized access and control of your computer, and steals your valuable information, such as passwords.  PWS:Win32/Zbot.AHD is created by kits known as "Zeus" which are bought and sold on the black market.

Installation

When PWS:Win32/Zbot.AHD is executed, it creates a modified copy of itself with a randomly-generated file name in the following location:

%APPDATA%\<random letters>\<random letters>.exe  

For example:

c:\documents and settings\administrator\application data\eqepys\ruynn.exe

Note: %APPDATA% refers to a variable location that is determined by the malware by querying the operating system. The default location for the %APPDATA% folder for Windows 2000, XP, and 2003 is 'C:\Documents and Settings\<user>\Application Data'. For Windows Vista, 7 and W8, the default location is 'C:\Users\<user>\AppData\Roaming'.

It then modifies the registry to ensure that this copy is executed at each Windows start:
 
To subkey: HKCU\Software\Microsoft\Windows\Currentversion\Run
Sets value: "{GUID of Windows volume}"
With data: "%APPDATA%\<random letters>\<random letters>.exe"

For example:

To subkey: HKCU\Software\Microsoft\Windows\Currentversion\Run
Sets value: {F38B3E05-4020-AD7D-5A64-4EC179C86DD3}" "
With data: "c:\documents and settings\administrator\application data\eqepys\ruynn.exe"

PWS:Win32/Zbot.AHD also creates copies of itself in the default user startup folder:

<DefaultUserPath>\Programs\Startup\<random letters>.exe

Examples for <DefaultUserPath> are:

• C:\Documents and Settings\Default user\
• C:\Users\Default\
• C:\Documents and Settings\<User name>\
• C:\Users\<User name>\

PWS:Win32/Zbot.AHD injects code into all the current user's running processes. This behavior is intended to hide the trojan's behavior from security applications.

It also hooks the following Windows system APIs to aid in the capture of sensitive data, such online banking and shopping passwords, email credentials and network information:

SSLEAY32.DLL

• SSL_write
• SSL_read 

SECUR32.DLL

• DeleteSecurityContext
• EncryptMessage
• DecryptMessage

NSPR.DLL

• PR_OpenTCPSocket
• PR_Close
• PR_Poll
• PR_Read
• PR_Write 

NTDLL.DLL

• NtCreateUserProcess
• NtCreateThread
• RtlUserThreadStart
• LdrLoadDll 

KERNEL32.DLL

• GetFileAttributesExW  

WININET.DLL

• InternetCloseHandle
• HttpSendRequestA
• HttpSendRequestW
• HttpSendRequestExA
• HttpSendRequestExW
• InternetWriteFile
• InternetReadFile
• InternetReadFileExA
• InternetReadFileExW
• InternetQueryDataAvailable
• HttpQueryInfoA
• HttpQueryInfoW 

WS2_32.DLL

• closesocket
• send
• WSASend
• recv
• WSARecv
• WSAGetOverlappedResult  

GDI32.DLL

• OpenInputDesktop
• SwitchDesktop
• DefWindowProcW
• DefWindowProcA
• DefDlgProcW
• DefDlgProcA
• DefFrameProcW
• DefFrameProcA
• DefMDIChildProcW
• DefMDIChildProcA
• CallWindowProcW
• CallWindowProcA
• RegisterClassW
• RegisterClassA
• RegisterClassExW
• RegisterClassExA 

USER32.DLL

• BeginPaint
• EndPaint
• GetDCEx
• GetDC
• GetWindowDC
• ReleaseDC
• GetUpdateRect
• GetUpdateRgn
• GetMessagePos
• GetCursorPos
• SetCursorPos
• SetCapture
• ReleaseCapture
• GetCapture
• GetMessageW
• GetMessageA
• PeekMessageW
• PeekMessageA
• TranslateMessage
• GetClipboardData  

CRYPT32.DLL

•  PFXImportCertStore 

Spreads via...

Remote Desktop Service

PWS:Win32/Zbot.AHD attempts to spread to other computers that might be remotely connected to your computer using the Remote Desktop Service (RDS).

If your computer is running a Remote Desktop Service, Zbot may attempt to execute a process for every connected RDS session and create a copy of itself in the startup folder:

%RDSUserProfilePath%\Start Menu\Programs\Startup\<random letters>.exe

Payload

Allows remote access and control

PWS:Win32/Zbot.AHD allows varying degrees of remote access and control of your computer depending on how it has been configured. Once installed, PWS:Win32/Zbot.AHD downloads a configuration file from a remote server that determines how it will behave.

PWS:Win32/Zbot.AHD generates up to 1020 pseudo-randomly named domains, and attempts connecting to the generated list to download the configuration file. The generated domain names are based on your system's date and time and use one of the following suffixes:

.com
.net
.org
.info
.biz
.ru 

Some examples include:

tsljnihhusyxzddltpci.net
hbixougjfqxkftswinlfbars.org
dhqwyelbpndaqwljampjsoea.info
rvowslrmvnfkblkfyttpfemwx.com
ofvgupbpsgaumfvkbuobevceuv.ru
jvklraqgyofcqhikfbazlltauhi.biz 

The configuration file contains data used by the malware in order to perform its data-stealing payload, including:

• Locations to download updates of PWS:Win32/Zbot from
• Locations to download additional data files from
• The version of the malware
• Online financial institutions to target
• HTML and JavaScript code for performing its data stealing payload

Recent variants of this malware use a decentralized peer-to-peer (P2P) communication method in order to receive commands from a remote attacker, download updates and configuration files, and upload stolen information. Older variants used a centralized command and control method (thus reaching out to a single specific server to receive instruction).

Using this access, a remote attacker could perform any of the following actions on your computer:

• Reboot or shut down your computer
• Uninstall Zbot
• Update Zbot and its configuration file
• Search or remove files and directories
• Log you off your computer
• Run a program
• Steal or remove Internet Explorer browser cookies
• Steal or delete certificates
• Block or unblock URLs
• Change the Internet Explorer home page
• Steal your FTP credentials
• Steal your email login credentials
• Steal credentials stored by Macromedia Flash Player by parsing "flashplayer.cab" with SOL (Flash Local Shared Object File) files located at “%APPDATA%\Macromedia\Flash Player”
• Remove Macromedia Flash Player files located at “%APPDATA%\Macromedia\Flash Player".

Steals sensitive information

PWS:Win32/Zbot.AHD hooks APIs used by Internet Explorer and Mozilla Firefox. It does this to monitor the activities you perform online and steal your data. It also injects HTML code into particular websites to enable it to capture and steal your credentials when you visit these website and log in.

The trojan steals the following sensitive information from your computer:

• Digital certificates
• Cached passwords
• Logged keystrokes
• Screen and window image captures
• Passwords and other details (such as credit card numbers) as you enter them to targeted websites

We've observed Zbot targeting the following websites in this way:

amazon.com
blogger.com
flickr.com
livejournal.com
myspace.com
youtube.com
microsoft.com
facebook.com
ktt.key.com/ktt/cmd/logonFromKeyCom
ktt.key.com/ktt/cmd/validatePinForm
feedback.ebay.com/ws/eBayISAPI.dll?ViewFeedback&
us.hsbc.com

Steals Windows Mail and Windows Live mail credentials

If your computer is running on Windows XP or below, Win32/Zbot uses the COM libraries "msoeacct.dll" and "wab32.dll" to capture the following details:

• Your Windows mail account name
• Your email address
• Email server
• Your user name
• Your password

Otherwise, if you are running Windows Vista or above, the trojan captures the credentials by parsing the Windows mail folder, specified in this registry subkey:

HKCU\SOFTWARE\Microsoft\Windows Mail\Store Root\

Related encyclopedia entries

Win32/Bredolab

Win32/Cutwail

Win32/Kelihos

Win32/Waledac

Exploit:Win32/CplLnk

Blacole

Win32/Zbot

Analysis by Rodel Finones