Eng
  1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar


Trojan-Spy:W32/ZBot.HS


Discovered:
Aliases:


2008-02-20 00:00:00.0
Trojan-Spy:W32/Zbot.KZ
ZBot.HS

Malware
Trojan-Spy
W32

Summary

This type of trojan secretly installs spy programs and/or keylogger programs.



Disinfection & Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details

Trojan-Spy:W32/ZBot.HS was discovered on February 20th 2008 and targets the online banking portal Finnish bank; the spam e-mail messages used to distribute its executably binary file are written in Finnish. Later samples received on April 04, 2008 are now detected as Trojan-Spy:W32/Zbot.KZ. New download filename is iPIX-install.exe. Also, please contact your bank and confirm your online banking transactions if infection is confirmed.


Distribution

Several Finnish language spam messages were used to direct recipients to various websites.The websites supposedly contain a images that require an iPIX plug-in.The download link for the "plug-in" in fact downloads the ZBot file.

A sample message is below:

The message warns of a radioactive cloud spreading from a nuclear reactor close to the Finnish city of Mikkeli. The end of the message provides a link to a supposed blog with pictures of the event and of victims.

It is an attempt at social engineering. However, as there is no nuclear power plant near Mikkeli, many recipients report that they were not tempted by the message.

This is an example of the website:

An icon for a needed plug-in is displayed rather than images when viewing the site.

The message below the image area contains the link from which the malware is downloaded:

There are several versions of bait used by the spam messages.

One message claims to be from a woman seeking love. The message directs to a Web site such as this:

The website designs have been used in the past. There are previous examples of German language versions targeting individuals in Switzerland.

ZBot variants use modular components (configuration and commands) downloaded from the Internet after installation. The components are encrypted, probably to hinder analysis of the code.


Installation

Upon execution the trojan copies itself to the following location:

  • %windir%\system32\ntos.exe

Note: %windir% represents the system's default Windows directory. The folder name may vary by language localization.

It then creates the following folder under the Windows system directory:

  • wsnpoem

ZBot.HS attempts to hide this folder using stealth techniques.

It creates the following files in the newly created folder:

  • audio.dll
  • video.dll

These files are written with encrypted data.

The trojan modifies the following registry entry to enable its automatic execution upon Windows startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Userinit" = "%windir%\system32\userinit.exe,%windir%\system32\ntos.exe"

The trojan deletes cookies in the Internet Explorer URL cache.

It then injects malicious code into several active processes, particularly winlogon.exe and iexplorer.exe.


Activity

The injected code starts listening for incoming TCP connections and downloads the following data file from a remote server:

  • file.bin

The remote server URL contains a top-level domain of ".ru". The server is hosted in Turkey as of February 21, 2008.

Logging online banking information is the primary payload of Trojan-Spy:W32/Zbot variants.

ZBot searches the following string by default:

  • https://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome

Other targets are added through the file.bin configuration.The file.bin of ZBot.HS targets a Finnish bank.

Browser activity is monitored for multiple ".fi" URL addresses. Finnish, Swedish, and English language versions are monitored.

If online banking activity is detected ZBot.HS will beginning logging information. ZBot.HS does not inject its own banking transactions.

ZBot also checks for running programs with firewall related processes:

  • outpost.exe
  • zlclient.exe

ZBot also checks for running programs with firewall related processes:

  • outpost.exe
  • zlclient.exe




Description Created: 2008-02-20 14:35:45.0
Description Last Modified: 2010-06-10 08:43:08.0



Submit a sample




Wondering if a file or URL is malicious? Submit a sample to our Lab for analysis via the Sample Analysis System (SAS)

Give And Get Advice




Give advice. Get advice. Share the knowledge on our free discussion forum.

Scan and clean your PC




F-Secure Online Scanner will scan and clean your PC in just a few minutes for free