Threat Description

Trojan-Spy:​W32/ZBot.HS

Details

Aliases:Trojan-Spy:​W32/Zbot.KZ, ZBot.HS
Category:Malware
Type:Trojan-Spy
Platform:W32

Summary



This type of trojan secretly installs spy programs and/or keylogger programs.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You also may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



Trojan-Spy:W32/ZBot.HS was discovered on February 20th 2008 and targets the online banking portal Finnish bank; the spam e-mail messages used to distribute its executably binary file are written in Finnish. Later samples received on April 04, 2008 are now detected as Trojan-Spy:W32/Zbot.KZ. New download filename is iPIX-install.exe. Also, please contact your bank and confirm your online banking transactions if infection is confirmed.

Distribution

Several Finnish language spam messages were used to direct recipients to various websites.The websites supposedly contain a images that require an iPIX plug-in.The download link for the "plug-in" in fact downloads the ZBot file.

A sample message is below:

The message warns of a radioactive cloud spreading from a nuclear reactor close to the Finnish city of Mikkeli. The end of the message provides a link to a supposed blog with pictures of the event and of victims.

It is an attempt at social engineering. However, as there is no nuclear power plant near Mikkeli, many recipients report that they were not tempted by the message.

This is an example of the website:

An icon for a needed plug-in is displayed rather than images when viewing the site.

The message below the image area contains the link from which the malware is downloaded:

There are several versions of bait used by the spam messages.

One message claims to be from a woman seeking love. The message directs to a Web site such as this:

The website designs have been used in the past. There are previous examples of German language versions targeting individuals in Switzerland.

ZBot variants use modular components (configuration and commands) downloaded from the Internet after installation. The components are encrypted, probably to hinder analysis of the code.

Installation

Upon execution the trojan copies itself to the following location:

  • %windir%\system32\ntos.exe

Note: %windir% represents the system's default Windows directory. The folder name may vary by language localization.

It then creates the following folder under the Windows system directory:

  • wsnpoem

ZBot.HS attempts to hide this folder using stealth techniques.

It creates the following files in the newly created folder:

  • audio.dll
  • video.dll

These files are written with encrypted data.

The trojan modifies the following registry entry to enable its automatic execution upon Windows startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Userinit" = "%windir%\system32\userinit.exe,%windir%\system32\ntos.exe"

The trojan deletes cookies in the Internet Explorer URL cache.

It then injects malicious code into several active processes, particularly winlogon.exe and iexplorer.exe.

Activity

The injected code starts listening for incoming TCP connections and downloads the following data file from a remote server:

  • file.bin

The remote server URL contains a top-level domain of ".ru". The server is hosted in Turkey as of February 21, 2008.

Logging online banking information is the primary payload of Trojan-Spy:W32/Zbot variants.

ZBot searches the following string by default:

  • https://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome

Other targets are added through the file.bin configuration.The file.bin of ZBot.HS targets a Finnish bank.

Browser activity is monitored for multiple ".fi" URL addresses. Finnish, Swedish, and English language versions are monitored.

If online banking activity is detected ZBot.HS will beginning logging information. ZBot.HS does not inject its own banking transactions.

ZBot also checks for running programs with firewall related processes:

  • outpost.exe
  • zlclient.exe

ZBot also checks for running programs with firewall related processes:

  • outpost.exe
  • zlclient.exe





SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Scan & clean your PC

F-Secure Online Scanner will scan and clean your PC in just a few minutes for free

Learn More