PWS:Win32/Zbot.XD is a password-stealing trojan that contains limited backdoor functionality. It is capable of stealing login credentials for certain sites, cached passwords, and information contained in certificates and cookies. It is often distributed as an attachment to spam e-mail messages.
Installation
PWS:Win32/Zbot.XD may arrive in the system as an attachment to a spammed e-mail message, such as the following:
Subject: Western Union Transfer MTCN: 3131495416
Attachment: MTCN_NR8621982.zip
Dear client!
The money transfer you have sent on the 13th of March hasn't been collected by the recipient.
Due to the Western Union contract the transfers which are not collected in 30 days are to be returned to sender.
To collect money you need to print the invoice attached to this email and visit the nearest Western Union office.
Thank you!
When executed, the attachment, which is detected as PWS:Win32/Zbot.XD, drops a copy of itself in the system as the following:
<system folder>\sdra64.exe
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 for Windows 2000 and NT, and C:\Windows\System32 for Windows XP and Vista.
It also modifies the system registry so that it executes the trojan copy every time Windows starts:
Modifies value: "userinit"
With data: "<system folder>\userinit.exe,<system folder>\sdra64.exe,"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
When sdra64.exe is executed, it injects code into the process winlogon.exe and creates a remote thread to run it. The code injected into winlogon.exe then injects further code into running processes such as the following:
svchost.exe
smss.exe
services.exe
lsass.exe
explorer.exe
Payload
Steals sensitive data
PWS:Win32/Zbot.XD attempts to steal the following sensitive information from the system:
- certificates
- cached passwords
- cookies
It writes the stolen data into the following encrypted log file under a hidden directory:
<system folder>\lowsec\user.ds
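A triage check for the persistence and dropped-file indicators listed above (the appended Userinit entry, sdra64.exe, and lowsec\user.ds). This is an added example and not code from the original write-up or from the malware analysis; the function names, the sample Userinit values, and the fake file set used to exercise it are constructed assumptions. The check generalizes slightly beyond the description: it flags any Userinit entry that is not userinit.exe in the system folder, not only sdra64.exe.

```python
"""Triage helpers for the PWS:Win32/Zbot.XD indicators described in the write-up.

Added example, not from the original page. The malware appends
"<system folder>\\sdra64.exe," to the Winlogon Userinit value, so a clean
value should carry exactly one entry: <system folder>\\userinit.exe.
"""
import ntpath
import os
import sys

# The only basename a clean Userinit value should contain (compared case-insensitively).
EXPECTED_BASENAME = "userinit.exe"

# Files the write-up says the trojan drops, relative to the system folder.
DROPPED_ARTIFACTS = ("sdra64.exe", ntpath.join("lowsec", "user.ds"))

# Constructed sample values (assumption: a typical XP/Vista system folder).
CLEAN_VALUE = r"C:\Windows\system32\userinit.exe,"
INFECTED_VALUE = r"C:\Windows\system32\userinit.exe,C:\Windows\system32\sdra64.exe,"


def parse_userinit(value: str) -> list[str]:
    """Split the comma-separated Userinit string into non-empty, stripped paths.

    Windows tolerates the trailing comma in the default value, so empty
    fields are dropped rather than reported.
    """
    return [part.strip() for part in value.split(",") if part.strip()]


def suspicious_userinit_entries(value: str, system_folder: str) -> list[str]:
    """Return every Userinit entry that is not userinit.exe inside system_folder.

    A bare "userinit.exe" with no directory is also flagged, because it would be
    resolved through the search path rather than from the system folder.
    """
    expected_dir = ntpath.normcase(ntpath.normpath(system_folder))
    flagged = []
    for entry in parse_userinit(value):
        directory, basename = ntpath.split(entry)
        same_name = ntpath.normcase(basename) == EXPECTED_BASENAME
        same_dir = directory != "" and ntpath.normcase(ntpath.normpath(directory)) == expected_dir
        if not (same_name and same_dir):
            flagged.append(entry)
    return flagged


def present_artifacts(system_folder: str, exists=os.path.exists) -> list[str]:
    """Return the dropped-file paths that exist on disk.

    The `exists` predicate is injectable so the check can be exercised against a
    constructed file set; by default it queries the real file system.
    """
    candidates = (ntpath.join(system_folder, rel) for rel in DROPPED_ARTIFACTS)
    return [path for path in candidates if exists(path)]


def read_live_userinit() -> str:
    """Read the live Userinit value from the registry (Windows only, uses winreg)."""
    import winreg  # assumption: this runs on a Windows host

    key = winreg.OpenKey(
        winreg.HKEY_LOCAL_MACHINE,
        r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
    )
    try:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    finally:
        winreg.CloseKey(key)
    return value


if __name__ == "__main__":
    if sys.platform == "win32":
        system_folder = ntpath.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
        value = read_live_userinit()
    else:
        # Off Windows, run against the constructed infected sample instead.
        system_folder = r"C:\Windows\System32"
        value = INFECTED_VALUE
    extra = suspicious_userinit_entries(value, system_folder)
    print("Userinit:", value)
    print("Suspicious Userinit entries:", extra or "none")
    print("Dropped artifacts present:", present_artifacts(system_folder) or "none")
```

On a live host, an empty result from suspicious_userinit_entries together with no present artifacts only rules out this particular persistence method and these file names; other Zbot variants use different paths and registry locations.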
Performs backdoor functions
PWS:Win32/Zbot.XD may download a configuration file from the Web site 'bklinkov.ru' for additional instructions from a remote attacker. This configuration file may contain commands that the trojan performs on the system.
Additional Information
PWS:Win32/Zbot.XD may make additional registry changes such as the following:
Adds value: "UID"
With data: "<machine specific string>"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Network
Analysis by Elda Dimakiling