PWS-Zbot.gen.v

When executed the malware binary modifies the following registry entries.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon]
"Userinit" = "C:\WINDOWS\system32\userinit.exe, C:\WINDOWS\system32\sdra64.exe"

The above mentioned registry entries confirms that, the malware binary hooks itself to winlogon.exe and userinit.exe which is legitimate windows application and hides itself from the compromised user and it also ensures that the malware is executed every time the system boots.

The following files have been added to the compromised system:

• %SysDir%\lowsec\local.ds
• %SysDir%\lowsec\user.ds
• %SysDir%\lowsec\user.ds.lll
• %SysDir%\sdra64.exe

File Name "sdra64.exe" is nothing but the copy of the malware binary.

1. %SysDir%\lowsec

http://193.104.[removed].42

Once the user system is compromised it looks for the bank details and other financial passwords which is saved in the user system and sends that information to the remote site. So, basically the main purpose of this malware binary is to steal passwords from the compromised system.

This malware binary will specifically look to steal bank password related information and send those information to the attacker.

The following behaviors were seen with this particular version of the PWS-Zbot.gen.v:

• Drops a copy of itself in the %SysDir% folder
• Injects code into system processes (winlogon.exe, userinit.exe)
• Targets sensitive information such as online banking transactions
• Attempts to retrieve a newer version of itself remotely
• Posts stolen information to a remote site

These are the defaults for typical path variables. (Although they may differ, these are common examples):

%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000) %SysDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000) %ProgramFiles% = \Program Files

• The Trojan is running in the process list.
• Presence of files and registry entries mentioned.
• Network activity with servers mentioned above.

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email spam, etc.

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1.Disable System Restore .

2.Update to current engine and DAT files for detection and removal.

3.Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

1. Please go to the Microsoft Recovery Console and restore a clean MBR.

On windows XP:

Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password
Issue 'fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.