Trojan:Win32/Zbot.CJ is a password stealing trojan with remote access functionality. This trojan may inject code into running processes and download files from a predefined Web site. In the wild, this trojan has been observed distributed in spam e-mail messages as an attachment named "World_CONFR.zip".
Installation
Upon execution of the trojan, it drops a copy of itself as the following:
<system folder>\sdra64.exe
The registry is modified to execute the dropped copy at each Windows start.
Adds value: "userinit"
With data: "<system folder>\userinit.exe,<system folder>\sdra64.exe,"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
When 'sdra64.exe' executes, it injects code and creates a remote thread in the running process 'WINLOGON.EXE'. The code injected into 'WINLOGON.EXE' then injects other code into other running processes such as the following:
svchost.exe
smss.exe
services.exe
lsass.exe
explorer.exe
wuauclt.exe
Payload
Sets Internet Explorer Start Page to Null Value
Some variants of this trojan delete the stored "Start Page" for Internet Explorer resulting in a user seeing a blank page when starting the Internet browser.
Modifies value: "Start Page"
With data: ""
To subkey: HKCU\Software\Microsoft\Internet Explorer\Main
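The Winlogon 'userinit' change in the Installation section and the cleared 'Start Page' above can both be triaged from an offline registry export. The following is an added example (not part of this entry or any Microsoft tool): it parses a constructed .reg export and reports a Userinit value that lists anything besides userinit.exe, plus an empty Internet Explorer Start Page. The paths C:\Windows\system32 stand in for <system folder> and are assumed.

```python
import re

# Key suffixes from the entry above, compared case-insensitively.
WINLOGON = r"\software\microsoft\windows nt\currentversion\winlogon"
IE_MAIN = r"\software\microsoft\internet explorer\main"

def parse_reg_export(text):
    """Parse .reg text into {key: {name: data}}; string (REG_SZ) values only."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:  # .reg escapes backslashes and quotes with a backslash
                name, data = (re.sub(r'\\(.)', r'\1', s) for s in m.groups())
                keys[current][name] = data
    return keys

def userinit_extra_entries(value):
    """Executables listed in Userinit besides userinit.exe itself.
    Clean: '<system folder>\\userinit.exe,'; Zbot appends '<system folder>\\sdra64.exe,'."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower().rsplit("\\", 1)[-1] != "userinit.exe"]

def zbot_findings(reg_text):
    """Return (key, description) pairs for the indicators found in the export."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        k = key.lower()
        if k.endswith(WINLOGON):
            for exe in userinit_extra_entries(values.get("Userinit", "")):
                findings.append((key, f"extra Userinit entry: {exe}"))
        if k.endswith(IE_MAIN) and values.get("Start Page") == "":
            findings.append((key, "Start Page cleared"))
    return findings

# Constructed sample export showing both changes described in the entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\sdra64.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"=""
'''

if __name__ == "__main__":
    for key, what in zbot_findings(SAMPLE_REG):
        print(f"{what}  [{key}]")
```

A real export is produced with `reg export` of the Winlogon and Internet Explorer\Main keys; any Userinit entry other than userinit.exe warrants a look at the referenced file.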
Steals Sensitive Data
PWS:Win32/Zbot.M attempts to steal the following sensitive information from the system:
certificates
cached passwords
cookies
The trojan also creates the following encrypted log file under a hidden directory:
<system folder>\lowsec\user.ds
Backdoor Functionality
Trojan:Win32/Zbot.CJ may download a configuration file from the Internet website 'bklinkov.ru' using TCP port 80 for additional instructions from a remote attacker. In the wild, this trojan was observed attempting to connect to IP address 10.0.0.104 using TCP port 139 and may open and listen on random TCP ports (such as 23309, 24677, 32484) to await instructions from an attacker.
Additional Information
Trojan:Win32/Zbot.CJ may make additional registry changes including the following:
Adds value: "UID"
With data: "<machine specific>"
To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Network
Adds value: "{3039636B-5F3D-6C64-6675-696870667265}"
With data: "<random hexadecimal characters>"
To subkey: HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
Adds value: "{3039636B-5F3D-6C64-6675-696870667265}"
With data: "<random hexadecimal characters>"
To subkey: HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{35106240-D2F0-DB35-716E-127EB80A0299}
Adds value: "ParseAutoexec"
With data: "1"
To subkey: HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Analysis by Lena Lin