Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:14/01/2009
In the wild:Yes
Reported Infections:Medium
Distribution Potential:Medium
Damage Potential:Medium
Static file:Yes
File size:1.007.616 Bytes
MD5 checksum:268feb4d73cf742f85d098e254cd1e0D
IVDF version: - Wednesday, January 14, 2009

 General Aliases:
   •  Mcafee: PWS-Zbot trojan !!!
   •  Kaspersky: Trojan-Spy.Win32.Zbot.kbi
   •  Sophos: Mal/UnkPack-Fam
   •  Panda: Trj/Sinowal.WJC
   •  Eset: Win32/Spy.Zbot.EF trojan
   •  Bitdefender: Trojan.SPY.Zbot.UV

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Downloads a file
   • Drops a malicious file
   • Lowers security settings
   • Registry modification
   • Steals information

 Files  It copies itself to the following location. This file has random bytes appended so it may differ from the original one:
   • %SYSDIR%\twex.exe

The following file is created:

– Temporary files that might be deleted afterwards:
   • %SYSDIR%\twain32\local.ds
   • %SYSDIR%\twain32\user.ds
   • %SYSDIR%\twain32\user.ds.lll

It tries to download a file:

– The location is the following:
At the time of writing this file was not online for further investigation.

 Registry The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   • "Userinit"="%user defined settings%,%SYSDIR%\twex.exe,"

The following registry key is changed:

Deactivate Windows XP Firewall:
– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   New value:
   • "EnableFirewall"=dword:0x0

 Rootkit Technology Hides the following:
– Its own file

Method used:
    • Hidden from Windows API
    • Hook the Import Address Table (IAT)

Hooks the following API functions:
   • ntdll.dll -> LdrGetProcedureAddress
   • ntdll.dll -> LdrLoadDll
   • ntdll.dll -> NtCreateThread
   • ntdll.dll -> NtQueryDirectoryFile
   • user32.dll -> TranslateMessage
   • user32.dll -> GetClipboardData

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Petre Galan on Tuesday, October 13, 2009
Description updated by Andrei Ivanes on Thursday, October 15, 2009

Back . . . .