Virus:TR/Spy.ZBot.qca
Date discovered:23/03/2009
Type:Trojan
In the wild:Yes
Reported Infections:Medium
Distribution Potential:Medium
Damage Potential:Medium
Static file:Yes
File size:621.056 Bytes
MD5 checksum:439e41027e08b550311bc6b3cf9f802c
IVDF version:7.01.02.201 - Monday, March 23, 2009

 General Aliases:
   •  Symantec: Infostealer.Banker.C
   •  Mcafee: PWS-Zbot trojan !!!
   •  Sophos: Mal/EncPk-HP
   •  Panda: Trj/Sinowal.WJB
   •  Eset: Win32/Spy.Zbot.MV
   •  Bitdefender: Backdoor.Bot.96370


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a file
   • Drops a malicious file
   • Lowers security settings
   • Registry modification
   • Steals information

 Files  It copies itself to the following location. This file has random bytes appended so it may differ from the original one:
   • %SYSDIR%\sdra64.exe



The following file is created:

– Temporary files that might be deleted afterwards:
   • %SYSDIR%\lowsec\local.ds
   • %SYSDIR%\lowsec\user.ds
   • %SYSDIR%\lowsec\user.ds.lll




It tries to download a file:

– The location is the following:
   • http://affioro.com/aff22/**********
At the time of writing this file was not online for further investigation.

 Registry The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   • "Userinit"="%user defined settings%,%SYSDIR%\sdra64.exe,"



The following registry key is changed:

Deactivate Windows XP Firewall:
– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile]
   New value:
   • "EnableFirewall"=dword:0x0

 Rootkit Technology Hides the following:
– Its own file


Method used:
    • Hidden from Windows API
    • Hook the Import Address Table (IAT)

Hooks the following API functions:
   • ntdll.dll -> LdrGetProcedureAddress
   • ntdll.dll -> LdrLoadDll
   • ntdll.dll -> NtCreateThread
   • ntdll.dll -> NtQueryDirectoryFile
   • user32.dll -> TranslateMessage
   • user32.dll -> GetClipboardData

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Petre Galan on Tuesday, October 13, 2009
Description updated by Andrei Ivanes on Thursday, October 15, 2009

Back . . . .