Virus: TR/Spy.ZBot.R
Date discovered: 26/09/2007
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: No
IVDF version: 7.00.00.16 - Wednesday, September 26, 2007

General Method of propagation:
   • No own spreading routine


Aliases:
   • Kaspersky: Trojan-Spy.Win32.Zbot.r
   • F-Secure: Trojan-Spy.Win32.Zbot.r
   • Sophos: Troj/Zbot-A


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads malicious files
   • Registry modification
   • Steals information
   • Third party control

Files
It copies itself to the following location:
   • %SYSDIR%\ntos.exe



It deletes the following files:
   • %cookies%\*.*



The following files are created:

– Temporary files that might be deleted afterwards:
   • %SYSDIR%\wsnpoem\audio.dll
   • %SYSDIR%\wsnpoem\video.dll




It tries to download a file:

– The locations are the following:
   • http://81.95.145.241/**********/ldr.exe
   • http://66.235.175.5/**********/ldr.exe
It is saved on the local hard drive under: %TEMPDIR%\18.tmp. This file is executed once the download has completed. Further investigation showed that this file is malware, too.

Registry
The following registry keys are changed:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   Old value:
   • Userinit = %SYSDIR%\userinit.exe,
   New value:
   • Userinit = %SYSDIR%\userinit.exe,%SYSDIR%\ntos.exe,

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network]
   New value:
   • UID = %computer name%_%hex number%
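The Userinit change above is the persistence mechanism: Winlogon runs every comma-separated entry in that value at logon, so a clean system lists only userinit.exe. The following is an added defensive check, not part of the Avira description; it parses a Userinit value, flags any extra entry, and matches observed file paths against the drop locations listed in the Files section. The registry values and file lists are constructed samples using the description's own %SYSDIR% placeholder; on a live host they would be read from the registry and file system.

```python
"""Added defensive check (not from the Avira description): flag extra Winlogon
Userinit entries and match observed paths against the listed drop locations.
All values here are constructed samples mirroring the description."""

LEGIT_USERINIT = "userinit.exe"

# Drop locations taken from the description, %SYSDIR% kept as its placeholder
DROP_PATHS = {
    r"%SYSDIR%\ntos.exe",
    r"%SYSDIR%\wsnpoem\audio.dll",
    r"%SYSDIR%\wsnpoem\video.dll",
}


def basename(path):
    """Return the final path component, lower-cased, Windows-style."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def parse_userinit(value):
    """Userinit is a comma-separated list; the trailing comma yields an empty item."""
    return [p.strip() for p in value.split(",") if p.strip()]


def unexpected_userinit_entries(value):
    """Every entry whose file name is not userinit.exe is suspicious."""
    return [e for e in parse_userinit(value) if basename(e) != LEGIT_USERINIT]


def matched_drop_paths(observed_paths):
    """Observed paths that match a known drop location, compared case-insensitively."""
    wanted = {p.lower() for p in DROP_PATHS}
    return sorted(p for p in observed_paths if p.lower() in wanted)


def audit(userinit_value, observed_paths):
    """Combine both checks; empty lists mean nothing was found."""
    return {
        "userinit_extra": unexpected_userinit_entries(userinit_value),
        "dropped_files": matched_drop_paths(observed_paths),
    }


# Constructed samples mirroring the old and new registry values above
CLEAN = r"%SYSDIR%\userinit.exe,"
INFECTED = r"%SYSDIR%\userinit.exe,%SYSDIR%\ntos.exe,"
SAMPLE_FILES = [r"%SYSDIR%\kernel32.dll", r"%SYSDIR%\NTOS.EXE", r"%SYSDIR%\wsnpoem\audio.dll"]

if __name__ == "__main__":
    print(audit(CLEAN, [r"%SYSDIR%\kernel32.dll"]))
    print(audit(INFECTED, SAMPLE_FILES))
```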

Backdoor
The following ports are opened:

– svchost.exe on a random TCP port in order to provide backdoor capabilities.
– svchost.exe on a random TCP port in order to provide a proxy server.
– svchost.exe on a random TCP port in order to provide a Socks 4 proxy server.


Contact server:
One of the following:
   • http://81.95.145.241/**********/cfg.bin
   • http://66.235.175.5/**********/cfg.bin

The following:
   • http://75.126.64.11/**********/s.php

As a result, it may send information and remote control could be provided.

Injection
– It injects itself into a process.

    Process name:
   • svchost.exe


File details
Runtime packer:
To hinder detection and reduce the file size, it is packed with a runtime packer.

Description inserted by Andrei Gherman on Wednesday, October 24, 2007
Description updated by Andrei Gherman on Wednesday, October 24, 2007
