PWS:Win32/Zbot.NK is a password-stealing trojan. Win32/Zbot also contains backdoor functionality that allows unauthorized access to and control of an affected machine.
Installation
When executed, PWS:Win32/Zbot.NK copies itself with a variable file name to the System directory, for example:
<system folder>\ntos.exe
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on XP and Vista.
It modifies the registry to execute this copy at each Windows start:
Sets value: "userinit"
With data: "<system folder>\userinit.exe,<system folder>\<malware filename>,"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
For example:
Sets value: "userinit"
With data: "<system folder>\userinit.exe,<system folder>\ntos.exe"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Many Zbot variants use code injection to hinder detection and removal. When PWS:Win32/Zbot.NK executes, it may inject code into the running process 'winlogon.exe', which in turn injects code into other running processes, including the following:
- explorer.exe
- lsass.exe
- services.exe
- smss.exe
- svchost.exe
- winlogon.exe
PWS:Win32/Zbot.NK may also create the following additional files on an affected machine:
- <system folder>\wsnpoem\audio.dll
- <system folder>\wsnpoem\video.dll.cla
Payload
Steals sensitive information
The Zbot family of malware is used to obtain sensitive information from the affected system, such as:
- Trusted Web site certificates
- Cached Web browser passwords
- Cookies
Note: Many Zbot variants specifically target the websites of Bank of America.
Variants of Zbot may also parse e-mail and FTP traffic to obtain e-mail addresses and FTP login details.
Contacts remote site for instruction/Downloads and executes arbitrary files
After installation, PWS:Win32/Zbot.NK attempts to contact the remote site msdownloads.net on port 80 to download additional instructions (which may take the form of a configuration file) and/or arbitrary files to execute.
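A defender looking for the contact described above can search proxy or web-gateway logs for the site. The following added example (not part of the original entry or of any Microsoft tooling) matches on the destination host field rather than on the raw line, so that a host such as msdownloads.net.example.com, or the string appearing only in a URL path, is not reported. The log format is a constructed, space-separated one (timestamp, client, host, port, method, path); the request paths are constructed placeholders, not values from the page.

```python
"""Flag outbound requests to the remote site named in the Zbot.NK entry.
Added example with a constructed log format; the only value taken from the
page is the domain msdownloads.net and the port 80."""

from typing import Dict, List, Optional, Tuple

# Domain from the page. Subdomain matching is an assumption of this example.
C2_DOMAINS = ("msdownloads.net",)
C2_PORT = "80"


def host_matches(host: str, domain: str) -> bool:
    """True when host is the domain itself or a subdomain of it.
    Exact suffix matching avoids hits on look-alike names such as
    msdownloads.net.example.com."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one constructed log line: ts client host port method path.
    Returns None for lines that do not have exactly six fields."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, host, port, method, path = parts
    return {"ts": ts, "client": client, "host": host,
            "port": port, "method": method, "path": path}


def flag_c2_contacts(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, host, path) for every request whose destination host
    is one of the C2 domains on the expected port."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["port"] != C2_PORT:
            continue
        if any(host_matches(rec["host"], d) for d in C2_DOMAINS):
            hits.append((rec["client"], rec["host"], rec["path"]))
    return hits


# Constructed sample log; clients, timestamps and paths are invented.
SAMPLE_LOG = [
    "2009-03-02T10:15:01 10.0.0.12 msdownloads.net 80 GET /constructed-config",
    "2009-03-02T10:15:05 10.0.0.12 www.msdownloads.net 80 GET /constructed-update",
    "2009-03-02T10:16:00 10.0.0.33 msdownloads.net.example.com 80 GET /",
    "2009-03-02T10:16:10 10.0.0.40 example.com 80 GET /msdownloads.net",
    "malformed line that should be skipped",
]

if __name__ == "__main__":
    for client, host, path in flag_c2_contacts(SAMPLE_LOG):
        print(f"{client} contacted {host}{path}")
```

Only the first two sample lines are reported; the look-alike host and the path-only occurrence are ignored, and the malformed line is skipped by the parser.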
Allows remote backdoor access and control
Zbot can be instructed to perform a host of actions by a remote attacker, including the following:
- Rename itself
- Obtain certificates and other stolen information
- Block specified URLs
- Download and execute arbitrary files
- Establish a Socks proxy
Modifies system security settings
PWS:Win32/Zbot.NK may modify the following registry entry in an attempt to disable the Windows Firewall:
Sets value: "EnableFirewall"
With data: "0"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Additional Information
PWS:Win32/Zbot.NK may make the following additional registry modifications:
Sets value: "UID"
With data: "avm<machine specific ID>"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Network
Sets value: "ParseAutoexec"
With data: "1"
To subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
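The registry changes listed under Installation, Modifies system security settings and Additional Information can be checked together from a snapshot of the relevant keys. The following added example (not part of the original entry or of Microsoft's tooling) takes such a snapshot as a dictionary of "hive\subkey" to value/data pairs, which a defender can fill from a reg export, a forensic image or a remote query; the sample snapshots are constructed, and the machine ID in the UID value is a placeholder. It splits the Userinit list and reports every program other than the legitimate userinit.exe, then checks the firewall and the two values from Additional Information. ParseAutoexec is treated as corroborating only, since the page lists it without tying it to a specific behaviour.

```python
"""Audit a registry snapshot for the PWS:Win32/Zbot.NK indicators listed in
the entry above. Added example; key paths and value names come from the
page, the snapshot format and sample data are constructed."""

from typing import Dict, List

# Subkeys from the page (HKLM/HKCU prefixes kept as written there).
WINLOGON_HKLM = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
FIREWALL_STD = (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess"
                r"\Parameters\FirewallPolicy\StandardProfile")
NETWORK_HKLM = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Network"
WINLOGON_HKCU = r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"

Snapshot = Dict[str, Dict[str, str]]


def get_value(values: Dict[str, str], name: str) -> str:
    """Registry value names are case-insensitive; the page writes
    'userinit', live systems show 'Userinit'."""
    for k, v in values.items():
        if k.lower() == name.lower():
            return v
    return ""


def userinit_extras(data: str) -> List[str]:
    """Return every program in the comma-separated Userinit list except
    userinit.exe itself. The legitimate value ends with a trailing comma,
    so empty entries are dropped rather than reported."""
    extras = []
    for entry in data.split(","):
        entry = entry.strip()
        if not entry:
            continue
        basename = entry.rsplit("\\", 1)[-1].lower()
        if basename == "userinit.exe":
            continue
        extras.append(entry)
    return extras


def audit(snapshot: Snapshot) -> List[str]:
    """Return a human-readable finding per indicator present in the snapshot."""
    findings = []
    winlogon = snapshot.get(WINLOGON_HKLM, {})
    for extra in userinit_extras(get_value(winlogon, "Userinit")):
        findings.append(f"Userinit launches an extra program: {extra}")

    firewall = snapshot.get(FIREWALL_STD, {})
    if get_value(firewall, "EnableFirewall") == "0":
        findings.append("Windows Firewall disabled in StandardProfile (EnableFirewall=0)")

    network = snapshot.get(NETWORK_HKLM, {})
    uid = get_value(network, "UID")
    if uid.lower().startswith("avm"):
        findings.append(f"Zbot-style UID marker under Network subkey: {uid}")

    hkcu = snapshot.get(WINLOGON_HKCU, {})
    if get_value(hkcu, "ParseAutoexec") == "1":
        findings.append("HKCU ParseAutoexec=1 (corroborating indicator only)")
    return findings


# Constructed snapshots; the UID suffix is a placeholder, not a real ID.
INFECTED: Snapshot = {
    WINLOGON_HKLM: {"userinit": r"C:\Windows\System32\userinit.exe,C:\Windows\System32\ntos.exe,"},
    FIREWALL_STD: {"EnableFirewall": "0"},
    NETWORK_HKLM: {"UID": "avm<placeholder-id>"},
    WINLOGON_HKCU: {"ParseAutoexec": "1"},
}
CLEAN: Snapshot = {
    WINLOGON_HKLM: {"Userinit": r"C:\Windows\System32\userinit.exe,"},
    FIREWALL_STD: {"EnableFirewall": "1"},
}

if __name__ == "__main__":
    for name, snap in (("infected", INFECTED), ("clean", CLEAN)):
        print(f"[{name}] {len(audit(snap))} finding(s)")
        for f in audit(snap):
            print("  -", f)
```

On the constructed infected snapshot the audit reports four findings, led by the extra ntos.exe entry in Userinit; the clean snapshot produces none, because the trailing comma in the legitimate value is not mistaken for an entry.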
Analysis by Matt McCormack