PWS:Win32/Zbot.gen!AJ

Installation

Zbot.gen!AJ copies itself into a randomly named file, in the following format:

%APPDATA%\<random letters>\<random letters>.exe

The copy has extra, meaningless data to distinguish it from the original file.

Zbot.gen!AJ changes the following registry entry to ensure that its copy runs at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\Currentversion\Run
Sets value: "<random letters>", for example "Ryatper"
With data: "%APPDATA%\<random letters>\<random letters>.exe", for example "C:\Documents and Settings\Administrator\Application Data\iciz\uxqug.exe"

It injects code into targeted running processes that match your current user privileges. For example, if you're running as an administrator in your system, then this trojan runs as an asministrator, too.

The trojan also injects its code into all user-level processes, like explorer.exe and iexplore.exe. This behavior is intended to hide the trojan from security applications.

Some variants of Zbot.gen!AJ can arrive on your PC through Remote Desktop Service (RDS). They can also try to install themselves on other PCs that might be remotely connected to your PC using the RDS.

If your PC is running a Remote Desktop Service, Zbot tries to run a process for every connected RDS session and create a copy of itself in the startup folder of the RDS user:

<startup folder>\<random letters>.exe

Payload

Captures sensitive information

Zbot.gen!AJ hooks APIs used by Internet Explorer and Mozilla Firefox to steal sensitive data, like online banking, shopping, email and network credentials when you visit certain websites. There is a list of affected APIs in the Additional information section on this page.

The trojan steals the following sensitive information from your PC:

• Digital certificates
• Internet Explorer cookies
• Stored passwords

It uses a configuration file to determine the websites that it will steal from when you visit them.

The trojan also logs keystrokes and takes a screenshot of your PC.

The information it records is sent to a predefined FTP or email server for collection by a hacker. The server is specified in the configuration file.

Contacts remote host

Zbot.gen!AJ tries to connect to the following addresses to report its infection and download the configuration file:

• gabgraph.com/sopelka1/file.php
• rafaywa.com/sopelka1/file.php
• viernon.com/sopelka1/file.php

Lowers Internet browser security

PWS:Win32/Zbot lowers Internet Explorer Internet zone security settings by making the following changes to the registry:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
Sets value: "1609"
With data: "0"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Sets value: "1406"
With data: "0"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Sets value: "1609"
With data: "0"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Sets value: "1406"
With data: "0"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
Sets value: "1406"
With data: "0"

Additional information

Zbot.gen!AJ hooks the following Windows system APIs:

• advapi32.dll:
• CreateProcessAsUserA
• CreateProcessAsUserW
  
  
• crypt32.dll:
• PFXImportCertStore
  
  
• gdi32.dll:
• CallWindowProcA
• CallWindowProcW
• DefDlgProcA
• DefDlgProcW
• DefFrameProcA
• DefFrameProcW
• DefMDIChildProcA
• DefMDIChildProcW
• DefWindowProcA
• DefWindowProcW
• OpenInputDesktop
• RegisterClassA
• RegisterClassExA
• RegisterClassExW
• RegisterClassW
• SwitchDesktop
  
  
• kernel32.dll:
• ExitProcess
• GetFileAttributesExW
  
  
• nspr.dll:
• PR_Close
• PR_OpenTCPSocket
• PR_Read
• PR_Write
• PR_GetNameForIdentity
  
  
• ntdll.dll:
• LdrLoadDll
• ZwCreateThread
  
  
• user32.dll:
• BeginPaint
• CallWindowProcA
• CallWindowProcW
• DefDlgProcA
• DefDlgProcW
• DefFrameProcA
• DefFrameProcW
• DefMDIChildProcA
• DefMDIChildProcW
• DefWindowProcA
• DefWindowProcW
• EndPaint
• GetCapture
• GetClipboardData
• GetCursorPos
• GetDC
• GetDCEx
• GetMessageA
• GetMessagePos
• GetMessageW
• GetUpdateRect
• GetUpdateRgn
• GetWindowDC
• OpenInputDesktop
• PeekMessageA
• PeekMessageW
• RegisterClassA
• RegisterClassExA
• RegisterClassExW
• RegisterClassW
• ReleaseCapture
• ReleaseDC
• SetCapture
• SetCursorPos
• SwitchDesktop
• TranslateMessage
  
  
• winmm.dll:
• PlaySoundA
• PlaySoundW
  
  
• wininet.dll:
• HttpEndRequestA
• HttpEndRequestW
• HttpOpenRequestA
• HttpOpenRequestW
• HttpQueryInfoA
• HttpSendRequestA
• HttpSendRequestExA
• HttpSendRequestExW
• HttpSendRequestW
• InternetCloseHandle
• InternetQueryDataAvailable
• InternetReadFile
• InternetReadFileExA
• InternetSetFilePointer
• InternetSetOptionA
• InternetSetStatusCallbackA
• InternetSetStatusCallbackW
  
  
• ws2_32.dll:
• closesocket
• getaddrinfo
• gethostbyname
• send
• WSASend

In the wild, we have observed this malware leaving messages to infected users in its code.

Related encyclopedia entries

PWS:Win32/Zbot

Analysis by Zarestel Ferrer