Virus:TR/Spy.ZBot.fql.6
Date discovered:27/11/2008
Type:Trojan
In the wild:Yes
Reported Infections:Medium
Distribution Potential:Medium
Damage Potential:Medium
Static file:Yes
File size:908.288 Bytes
MD5 checksum:7a2efb63c47daa1b554f04effc6d6bac
IVDF version:7.01.00.146 - Thursday, November 27, 2008

 General Aliases:
   •  Symantec: Packed.Generic.196
   •  Mcafee: PWS-Zbot.gen.c trojan !!!
   •  Kaspersky: Trojan-Spy.Win32.Zbot.fql
   •  F-Secure: W32/Trojan3.EP
   •  Panda: Trj/Sinowal.VVF
   •  Eset: Win32/Spy.Agent.PZ trojan
   •  Bitdefender: Trojan.Spy.Zeus.1.Gen


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Downloads a file
   • Drops a malicious file
   • Lowers security settings
   • Registry modification
   • Steals information

 Files  It copies itself to the following location. This file has random bytes appended so it may differ from the original one:
   • %SYSDIR%\twext.exe



The following file is created:

– Temporary files that might be deleted afterwards:
   • %SYSDIR%\twain_32\local.ds
   • %SYSDIR%\twain_32\user.ds




It tries to download a file:

– The location is the following:
   • http://popokimoki.com/los/**********
At the time of writing this file was not online for further investigation.

 Registry The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   • "Userinit"="%SYSDIR%\userinit.exe,%SYSDIR%\twext.exe,"



The following registry key is changed:

Deactivate Windows XP Firewall:
– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile]
   New value:
   • "EnableFirewall"=dword:0x0

 Rootkit Technology Hides the following:
– Its own file


Method used:
    • Hidden from Windows API
    • Hook the Import Address Table (IAT)

Hooks the following API functions:
   • ntdll.dll -> NtCreateThread
   • ntdll.dll -> NtQueryDirectoryFile
   • ntdll.dll -> LdrLoadDll
   • ntdll.dll -> LdrGetProcedureAddress
   • ntdll.dll -> NtCreateThread
   • user32.dll -> TranslateMessage
   • user32.dll -> GetClipboardData

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Petre Galan on Monday, October 12, 2009
Description updated by Andrei Ivanes on Wednesday, October 14, 2009

Back . . . .