Virus: TR/Dldr.Ebill.L
Date discovered: 14/01/2009
Type: Trojan
Subtype: Downloader
In the wild: Yes
Reported Infections: Medium
Distribution Potential: Medium
Damage Potential: Medium
Static file: Yes
File size: 1.007.616 Bytes
MD5 checksum: 268feb4d73cf742f85d098e254cd1e0D
IVDF version: 7.01.01.115 - Wednesday, January 14, 2009

General Aliases:
   • McAfee: PWS-Zbot trojan
   • Kaspersky: Trojan-Spy.Win32.Zbot.kbi
   • Sophos: Mal/UnkPack-Fam
   • Panda: Trj/Sinowal.WJC
   • Eset: Win32/Spy.Zbot.EF trojan
   • Bitdefender: Trojan.SPY.Zbot.UV


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a file
   • Drops a malicious file
   • Lowers security settings
   • Registry modification
   • Steals information

Files:
It copies itself to the following location. This file has random bytes appended, so it may differ from the original one:
   • %SYSDIR%\twex.exe



The following files are created:

– Temporary files that might be deleted afterwards:
   • %SYSDIR%\twain32\local.ds
   • %SYSDIR%\twain32\user.ds
   • %SYSDIR%\twain32\user.ds.lll




It tries to download a file:

– The location is the following:
   • http://91.211.65.33/ferrari/**********
At the time of writing, this file was not online for further investigation.

Registry:
The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   • "Userinit"="%user defined settings%,%SYSDIR%\twex.exe,"



The following registry key is changed:

Deactivate Windows XP Firewall:
– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
   New value:
   • "EnableFirewall"=dword:0x0
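The dropped files, the Winlogon Userinit persistence entry and the firewall policy value listed above can be checked on a host with a read-only audit. The following PowerShell script is an added example and is not part of the Avira description or Avira's tooling; it assumes an elevated PowerShell 4 or later session (Get-FileHash is not available in older versions) and uses only the paths and registry values given in this description. The expectation that a clean Userinit value contains a single userinit.exe entry is standard Windows behaviour, not something the description states.

```powershell
# Added example (not part of the Avira description): read-only audit for the
# indicators of TR/Dldr.Ebill.L listed on this page. Reports findings, changes nothing.

$sysDir   = [Environment]::GetFolderPath('System')   # resolves %SYSDIR%, e.g. C:\Windows\System32
$findings = @()

# 1. Files the description says are dropped. -Force also returns files carrying the
#    hidden attribute. Note that the sample hooks NtQueryDirectoryFile, so a directory
#    listing from an infected process may omit the file; opening the exact path is a
#    separate code path and is the more reliable check.
$paths = @(
    (Join-Path $sysDir 'twex.exe'),
    (Join-Path $sysDir 'twain32\local.ds'),
    (Join-Path $sysDir 'twain32\user.ds'),
    (Join-Path $sysDir 'twain32\user.ds.lll')
)
foreach ($p in $paths) {
    if (Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue) {
        $findings += "File present: $p"
    }
}

# 2. Winlogon Userinit persistence. A clean value holds one entry, normally
#    "C:\Windows\system32\userinit.exe," (trailing comma included); the trojan appends
#    "%SYSDIR%\twex.exe," so any entry that is not userinit.exe is suspicious.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
$entries  = $userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
foreach ($e in $entries) {
    if ($e -notmatch '(?i)\\userinit\.exe$') {
        $findings += "Unexpected Userinit entry: $e"
    }
}

# 3. Firewall policy: the trojan sets EnableFirewall to 0 in the Standard profile.
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
$fw    = Get-ItemProperty -Path $fwKey -Name EnableFirewall -ErrorAction SilentlyContinue
if ($fw -and $fw.EnableFirewall -eq 0) {
    $findings += "Windows Firewall disabled by policy: $fwKey\EnableFirewall = 0"
}

# 4. If twex.exe exists, record its MD5. The description says random bytes are appended
#    to the copy, so a mismatch with the listed checksum does not clear the file.
$twex = Join-Path $sysDir 'twex.exe'
if (Test-Path -LiteralPath $twex) {
    $hash = (Get-FileHash -LiteralPath $twex -Algorithm MD5).Hash
    $findings += "MD5 of ${twex}: $hash (checksum listed for the original sample: 268feb4d73cf742f85d098e254cd1e0D)"
}

if ($findings.Count -eq 0) {
    'No indicators from this description were found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

The script only reads the file system and registry; remediation (removing the Userinit entry, restoring the firewall value, deleting the dropped files) should be done from a clean environment or with the vendor's removal tool, because the user-mode hooks the description lists can interfere with cleanup attempted from the infected session.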

Rootkit Technology:
Hides the following:
– Its own file

Method used:
   • Hidden from Windows API
   • Hooks the Import Address Table (IAT)

Hooks the following API functions:
   • ntdll.dll -> LdrGetProcedureAddress
   • ntdll.dll -> LdrLoadDll
   • ntdll.dll -> NtCreateThread
   • ntdll.dll -> NtQueryDirectoryFile
   • user32.dll -> TranslateMessage
   • user32.dll -> GetClipboardData

File details:
Runtime packer:
To hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Petre Galan on Tuesday, October 13, 2009
Description updated by Andrei Ivanes on Thursday, October 15, 2009
