PWS-Zbot

Type: Trojan
SubType: Password Stealer
Discovery Date: 12/19/2007
Length: varies
Minimum DAT: 5189 (12/19/2007)
Updated DAT: 6093 (09/02/2010)
Minimum Engine: 5.4.00
Description Added: 12/19/2007
Description Modified: 08/13/2010 4:12 PM (PT)

Risk Assessment
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Characteristics

PWS-Zbot is a Trojan that steals online banking credentials and eventually sends them to a remote server.

-- Update August 13, 2010 --

A new variant of the Zbot malware family has been seen being spammed. This update provides the specific characteristics of that variant.

PWS-Zbot may arrive under any of the following filenames. It is highly recommended that they be blocked at e-mail gateways and firewalls.

  • fun bunch summer 2010.exe
  • invite.exe
  • resume.exe
  • banquet invitations.exe
  • car loan.exe
  • cv july '10 finals.exe
  • edmc application 2 07.exe
  • f&r rehearsal.exe
  • labor distribution report.exe
  • lance armstrong.exe
  • morgan hunt.exe
  • nh ess access guidelines.exe
  • order_74hhdnsj3hex.exe
  • online passport application for passport office.exe
  • Allhotels.exe

Spammed emails may have the following as subjects:

  • In USA on August 15 and 16
  • Your reservation is confirmed - Ref: 12652/886645

Upon execution it creates a copy of itself with one of the following names:

  • %WINDIR%\host32.exe
  • %WINDIR%\system32.exe

These dropped files have a random amount of garbage appended to their ends, so their size may vary.

The following files are also created to store stolen information such as user keystrokes and web banking information.

  • %WINDIR%\jh87uhnoe3\ewf32.nls
  • %WINDIR%\jh87uhnoe3\ewfrvbb.nls

It modifies the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\host32.exe,"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32.exe,"

It creates the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network PID "%computername%"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{61AE298E-1E2E-1083-BD89-63E91F7CB59D} = <4 bytes data>

It hooks several Windows functions (API), hiding the files mentioned above from a regular user's view.

It injects malicious code into the following processes in memory so that it can monitor itself and restart if any of its threads is removed or stopped by cleaning applications.

  • lsass.exe
  • services.exe
  • Any process created after the infection

It lowers Internet Explorer security settings so that any software can be executed from web pages without the user's knowledge. See the following link to understand the risk: http://support.microsoft.com/kb/182569

It opens a backdoor on a random, high-numbered TCP port.

Some versions of this threat were observed to activate the Windows Terminal Services daemon and to patch the Microsoft Terminal Services DLL to disable authentication, opening the machine to any remote desktop client.

-- January 21, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2009/01/21/airline_ticket_malware_scam/

Generic Characteristics of the PWS-Zbot Family

The malicious program has the ability to steal login/password information from several services and programs, including:

  • FTP communication
  • HTTP authentication
  • HTTP cookies
  • user digital certificates
  • FTP clients configuration (FlashFXP, SmartFTP, WinSCP, Far Manager, WS_FTP, etc)
  • screen contents (it can also capture screenshots)

It adds or modifies the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID = "MACHINE_NAME"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "%WINDIR%\system32\userinit.exe,%WINDIR%\system32\sdra64.exe,"
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{F710FA10-2031-3106-8872-93A2B5C5C620} = F7 09 F2 0D
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = 0x00000000

The program injects malicious code into the winlogon.exe and svchost.exe processes.

The Windows firewall is disabled.

The following files or directories are created:

  • %WINDIR%\system32\lowsec\local.ds (data file) 
  • %WINDIR%\system32\lowsec\user.ds (data file) 
  • %WINDIR%\system32\lowsec\user.ds.lll (data file) 
  • %WINDIR%\system32\sdra64.exe (PWS-Zbot) 
  • %WINDIR%\system32\ntos.exe 
  • %WINDIR%\system32\wsnpoem\audio.dll 
  • %WINDIR%\system32\wsnpoem\video.dll
  • %Root%\RECYCLER\S-1-5-21-4616592079-8080907928-828616482-2104
  • Sysdate.exe 
  • Wuaclt.exe
  • %Root%\Temp[random numeral]
  • autorun.inf (in external drives)
  • desktop.ini (in external drives)
  • [Filename similar to valid Windows applications].exe

(Where %WINDIR% refers to the directory where Windows is installed. For Windows XP, this is usually C:\Windows.)

It creates a mutex named _AVIRA_2108 inside svchost.exe and _AVIRA_2109 inside winlogon.exe.

The malware also listens for connections on a high TCP port. The following ports have been observed in this variant:

  • TCP/21957
  • TCP/16629

Contact may also be initiated with the following domains over UDP 11223:

  • butterfly.[removed].biz 
  • butterfly.[removed].es 
  • qwertasdfg.[removed].es

It tries to download a configuration file from external sites such as the following:

  • hxxp://hiho[removed].com/httpd/loc.so

Some variants are observed to spread through removable drives by creating an autorun.inf file, which will then run the worm automatically if the system is set to Autorun.
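The following read-only triage script is an added example, not McAfee's engine or a removal tool. It checks a host for the indicators listed above for both the August 2010 variant (host32.exe / system32.exe in Winlogon\Userinit, the jh87uhnoe3 files) and the generic family (sdra64.exe, the lowsec and wsnpoem files, the _AVIRA_ mutexes, the observed listening ports, autorun.inf on removable drives). It assumes %WINDIR% is available as $env:WINDIR, that the mutexes live in the default session namespace (the description does not say), and that the only legitimate Userinit entry is the real userinit.exe in %WINDIR%\system32.

```powershell
# Read-only host triage for the PWS-Zbot indicators in this description.
# Added example; it reports, it does not clean. Run from an elevated prompt.
# Assumptions: %WINDIR% comes from $env:WINDIR; mutex names are looked up in
# the default session namespace; the genuine Userinit entry is
# %WINDIR%\system32\userinit.exe and everything else in that value is suspect.

$winDir = $env:WINDIR

# Userinit companions the description attributes to Zbot (2010 variant + generic family).
$zbotUserinitNames = @('host32.exe', 'system32.exe', 'sdra64.exe')

# Fixed-name files the description lists as created by the malware.
$zbotFiles = @(
    "$winDir\host32.exe", "$winDir\system32.exe",
    "$winDir\jh87uhnoe3\ewf32.nls", "$winDir\jh87uhnoe3\ewfrvbb.nls",
    "$winDir\system32\sdra64.exe", "$winDir\system32\ntos.exe",
    "$winDir\system32\lowsec\local.ds", "$winDir\system32\lowsec\user.ds",
    "$winDir\system32\lowsec\user.ds.lll",
    "$winDir\system32\wsnpoem\audio.dll", "$winDir\system32\wsnpoem\video.dll"
)
$zbotMutexes = @('_AVIRA_2108', '_AVIRA_2109')
$zbotPorts   = @(21957, 16629)   # listeners observed in the generic family

function New-Finding([string]$Indicator, [string]$Detail) {
    New-Object PSObject -Property @{ Indicator = $Indicator; Detail = $Detail }
}

function Test-UserinitEntries {
    # Userinit is a comma-separated list; Zbot appends its own executable after
    # the real userinit.exe. Report every entry that is not the genuine one.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $value = (Get-ItemProperty -Path $key -Name Userinit).Userinit
    foreach ($entry in ($value -split ',')) {
        $entry = $entry.Trim()
        if ($entry -eq '') { continue }
        $leaf   = Split-Path -Leaf $entry
        $parent = Split-Path -Parent $entry
        $legit  = ($leaf -ieq 'userinit.exe') -and ($parent -ieq "$winDir\system32")
        if ($legit) { continue }
        $tag = if ($zbotUserinitNames -contains $leaf) { 'known Zbot name' } else { 'unexpected entry' }
        New-Finding 'Winlogon\Userinit' "$entry ($tag)"
    }
}

function Test-ZbotFiles {
    foreach ($path in $zbotFiles) {
        if (Test-Path -LiteralPath $path) { New-Finding 'File' $path }
    }
    # Some variants drop autorun.inf on removable drives (DriveType 2 = removable).
    foreach ($drive in (Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 2')) {
        $autorun = "$($drive.DeviceID)\autorun.inf"
        if (Test-Path -LiteralPath $autorun) { New-Finding 'Removable autorun.inf' $autorun }
    }
}

function Test-ZbotMutexes {
    foreach ($name in $zbotMutexes) {
        try {
            $m = [System.Threading.Mutex]::OpenExisting($name)
            $m.Close()
            New-Finding 'Mutex' $name
        } catch [System.Threading.WaitHandleCannotBeOpenedException] {
            # Not present: nothing to report.
        } catch [System.UnauthorizedAccessException] {
            # Exists but cannot be opened from this context: still evidence of presence.
            New-Finding 'Mutex' "$name (exists, access denied)"
        }
    }
}

function Test-ZbotPorts {
    # netstat -ano is available on every Windows version the description covers.
    foreach ($line in (netstat -ano | Select-String 'LISTENING')) {
        $fields = ($line.Line -split '\s+') | Where-Object { $_ -ne '' }
        $port   = [int](($fields[1] -split ':')[-1])
        if ($zbotPorts -contains $port) {
            New-Finding 'TCP listener' "port $port, PID $($fields[-1])"
        }
    }
}

$findings = @(Test-UserinitEntries) + @(Test-ZbotFiles) + @(Test-ZbotMutexes) + @(Test-ZbotPorts)
if ($findings.Count -eq 0) {
    'No PWS-Zbot indicators from this description were found.'
} else {
    $findings | Format-Table Indicator, Detail -AutoSize
}
```

Because the description says the malware hooks Windows APIs to hide its files, a clean result from the file checks on a live infected host is not conclusive; the Userinit entry, the mutex names and the listeners are the more reliable signals from a running system, and a negative should be confirmed with an offline scan using the current engine and DAT files named in the Removal section. The script only lists the two ports observed in this variant; the random high-port backdoor mentioned above will not match and has to be judged from the full netstat output.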

Symptoms

  • PWS-Zbot may prevent some applications from starting.
  • Existence of the aforementioned files and registry entries
  • Existence of communications to the aforementioned domains
  • Unexpected HTTP traffic.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

  • Spy-Agent.bw

Aliases

  • Zeus