Virus: TR/Spy.ZBot.29.7
Date discovered: 23/12/2010
Type: Trojan
In the wild: Yes
Reported infections: Low
Distribution potential: Medium to high
Damage potential: Medium
Static file: Yes
File size: 279.200 Bytes
MD5 checksum: B59F00DC6A01949886EAC0022ADCAC74
VDF version: 7.10.07.76
IVDF version: 7.11.00.148 - Thursday, December 23, 2010
General

Method of propagation:
• Email
• Messenger

Aliases:
• TrendMicro: TROJ_BANKER.EXK
• Sophos: Troj/Bancos-BKP
• Microsoft: Backdoor:Win32/Qakbot

Platforms / OS:
• Windows 2000
• Windows XP
• Windows 2003
• Windows Vista
• Windows 7

Side effects:
• Third party control
• Drops files
• Registry modification
• Steals information

Files

It copies itself to the following location:
• %ALLUSERSPROFILE%\Application Data\Microsoft\%random character string%\%random character string%.exe

The following files are created:
– %ALLUSERSPROFILE%\Application Data\Microsoft\%random character string%\%random character string%.dll

Registry

One of the following values is added in order to run the process after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  • "%random character string%"="\"%ALLUSERSPROFILE%\Application Data\Microsoft\%random character string%\%random character string%.exe\""

The following registry key is added:
– [HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings]
  • "ProxyEnable"=dword:00000000

The following registry keys are changed:

Lower security settings of Internet Explorer:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
  New value:
  • "ProxyBypass"=dword:00000001
  • "IntranetName"=dword:00000001
  • "UNCAsIntranet"=dword:00000001
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
  New value:
  • "MigrateProxy"=dword:00000001
  • "ProxyEnable"=dword:00000000
  • "ProxyServer"=-
  • "ProxyOverride"=-
  • "AutoConfigURL"=-

Messenger

It is spreading via Messenger. The characteristics are described below:
– Windows Live Messenger

IRC

To deliver system information and to provide remote control it connects to the following IRC server:
Server: **********server.com.ua
Port: 31666

Process termination

Processes with one of the following strings in their name are terminated:
• bitdef
• ccsvchst
• kaspersky
• mcafee
• symantec
• trendmicro
• f-prot
• drweb
• clam
• avast

Backdoor

Contact server: All of the following:
• **********.4.45.64:21
• **********.227.214.95:21
• **********220.215.107:21
• **********e12.hostingmadeeasy.com:21
• **********.compuvisionenlinea.com:21
• **********t307.hostmonster.com:21
• **********lunariffic.com:21
• **********img.in:80

As a result it may send information and remote control could be provided.

Sends information about:
• Visited URLs
• Information about the Windows operating system

Remote control capabilities:
• Execute file
• Visit a website

Stealing

It tries to steal the following information:
– Passwords typed into 'password input fields'
– It uses a network sniffer that checks for the following strings:
  • ibanking-services
  • ibank
  • huntington
  • wellsfargo
  • citigroup
  • bankofamerica
  • 53.com
  • usbank.com
– A logging routine is started after a website is visited whose URL contains one of the following substrings:
  • 53.com
  • banking
  • bankofamerica
  • citigroup
  • huntington
  • ibank
  • ibanking-services
  • money
  • netbank
  • pin
  • suntrust
  • usbank.com
  • wachovia.com
  • wellsfargo
– It captures:
  • Login information

Injection

– It injects itself as a remote thread into a process. All of the following processes:
  • explorer.exe
  • iexplore.exe

Purpose: Access to the following websites is effectively blocked:
• *avast*; *ca.com*; *omodo*; *cpsecure*; *esafe*; *etrust*; *f-prot*; *fortinet*; *hauri*; *ikarus*; *jotti*; *k7computing*; *norton*; *pctools*; *sunbelt*; *wilderssecurity*; *threatexpert*; *pamhaus*; *securecomputing*; *rising*; *quickheal*; *prevx*; *norman*; *networkassociates*; *hacksoft*; *grisoft*; *gdata*; *f-secure*; *ewido*; *emsisoft*; *computerassociates*; *centralcommand*; *castlecops*; *arcabit*; *ahnlab*; *agnitum*

Miscellaneous

Accesses internet resources:
• http://www.ip-adress.com/what_is_my_ip/
• http://www.ipaddressworld.com/
• search.msn.com

Trusted file pretending:
Its process pretends to be the following trusted process: explorer.exe
Please note that the malware even fakes the icon. As a result it appears to be the above mentioned process.

File details

Programming language: The malware program was written in MS Visual C++.

Runtime packer: In order to hamper detection and reduce the size of the file, it is packed with the following runtime packer:
• UPX
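As an added example (not part of this description and not Avira's own tooling), the following Python script scans a `reg export`-style dump for the registry changes listed above: a Run value whose command line points into %ALLUSERSPROFILE%\Application Data\Microsoft\<dir>\<name>.exe, the ZoneMap trio ProxyBypass/IntranetName/UNCAsIntranet all set to 1, and an Internet Settings key where ProxyEnable is 0 while ProxyServer/ProxyOverride/AutoConfigURL are removed (written as `=-` in .reg syntax). The embedded registry text, the value name `qxjqkhv` and its path are constructed to stand in for %random character string%.

```python
import re
from typing import Dict, List, Optional, Tuple, Union

# Constructed sample of what "reg export" produces on an affected host.
# "qxjqkhv" stands in for %random character string%; "SecurityHealth" is a
# benign entry included to show the heuristic does not flag ordinary Run values.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"qxjqkhv"="\"C:\\Documents and Settings\\All Users\\Application Data\\Microsoft\\qxjqkhv\\qxjqkhv.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy"=dword:00000001
"ProxyEnable"=dword:00000000
"ProxyServer"=-
"ProxyOverride"=-
"AutoConfigURL"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"=dword:00000001
"IntranetName"=dword:00000001
"UNCAsIntranet"=dword:00000001
'''

Value = Union[str, int, None]  # string data, dword data, or None for a deleted value ("=-")
Finding = Tuple[str, str, str]  # (rule id, registry key, value name(s))

# Path pattern from the description: ...\Application Data\Microsoft\<random>\<random>.exe
PERSIST_RE = re.compile(r'\\application data\\microsoft\\[^\\"]+\\[^\\"]+\.exe"?$', re.IGNORECASE)
ZONEMAP_TRIO = ("ProxyBypass", "IntranetName", "UNCAsIntranet")
PROXY_VALUES = ("ProxyServer", "ProxyOverride", "AutoConfigURL")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg(text: str) -> Dict[str, Dict[str, Value]]:
    """Parse the subset of .reg syntax that 'reg export' emits: keys, REG_SZ and REG_DWORD values."""
    keys: Dict[str, Dict[str, Value]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name, data = m.group(1), m.group(2)
        if data == "-":                               # "=-" deletes the value
            keys[current][name] = None
        elif data.lower().startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        elif data.startswith('"') and data.endswith('"'):
            # REG_SZ: undo the .reg escaping of backslashes and quotes
            keys[current][name] = re.sub(r'\\(.)', r'\1', data[1:-1])
    return keys


def scan_keys(keys: Dict[str, Dict[str, Value]]) -> List[Finding]:
    """Apply the three heuristics derived from the description to parsed registry data."""
    findings: List[Finding] = []
    for key, values in keys.items():
        lowered = key.lower()
        if lowered.endswith(r"\currentversion\run"):
            for name, data in values.items():
                if isinstance(data, str) and PERSIST_RE.search(data.strip('"')):
                    findings.append(("run-key-persistence", key, name))
        elif lowered.endswith(r"\internet settings\zonemap"):
            # All three set to 1 makes IE treat bypassed and UNC hosts as Intranet zone
            if all(values.get(n) == 1 for n in ZONEMAP_TRIO):
                findings.append(("ie-zonemap-intranet-bypass", key, ",".join(ZONEMAP_TRIO)))
        elif lowered.endswith(r"\internet settings"):
            # ProxyEnable=0 and MigrateProxy=1 are ordinary on clean hosts, so this rule
            # additionally requires the explicit removal of the proxy values
            deleted = [n for n in PROXY_VALUES if n in values and values[n] is None]
            if deleted and values.get("ProxyEnable") == 0:
                findings.append(("ie-proxy-settings-cleared", key, ",".join(deleted)))
    return findings


def scan_reg_export(text: str) -> List[Finding]:
    """Parse a .reg export and return the list of findings."""
    return scan_keys(parse_reg(text))


if __name__ == "__main__":
    for rule, key, names in scan_reg_export(SAMPLE_REG):
        print(f"{rule:28s} {key}  ->  {names}")
```

Feed it the output of `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` and `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"` from a suspect host (converted from UTF-16 to text first). The Run-key rule is a heuristic on the path layout only, so treat a hit as a lead to inspect the file, not as a verdict.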
Description inserted by Andrei Ilie on Wednesday, September 7, 2011 Description updated by Andrei Ilie on Wednesday, September 7, 2011