The malware spreads by sending itself as an attachment in spam messages.
This particular version of Zbot is, again, a repacked version of Trojan.Spy.ZBot.UI, which injects code into winlogon.exe, allowing it to create files and connect to the Internet undetected. Making use of this, it creates a copy of itself in %windir%\system32\sdra64.exe, appending garbage to the executable so that it has a different size and MD5 hash, a rather feeble attempt at AV evasion. It also creates a folder called lowsec in the same folder, in which it writes 3 files containing encrypted data: local.ds, user.ds and user.ds.lll.
In local.ds it saves a file downloaded from http://lab[removed].com/lbrc/lbr.bin. This file contains configuration information such as the URL from which new versions are downloaded, the URLs from which login data is sniffed (mostly online banking websites) and where that information is sent.
user.ds is the file in which all the spied information is stored. The information is sent via the web to the author of the Trojan. Zbot.UI also keeps a backup of this file in user.ds.lll.
In order to run at every system startup, the Trojan makes changes to certain registry entries. It also marks its presence on the computer by creating the following mutexes: __SYSTEM__64AD0625__, _AVIRA_2109, _AVIRA_2108, _AVIRA_210999, _H_64AD0625_.
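Because the dropped copy is padded with garbage, its size and MD5 hash vary between infections, so a hash lookup is a poor indicator; the fixed drop path, the lowsec data files and the mutex names above are more reliable. The following host check, added here as an example and not code from the original write-up or from BitDefender, probes those artifacts; the `exists` and `mutex_check` parameters are assumptions that make the logic testable offline, and the registry entries are not checked because the write-up does not name them.

```python
import ctypes
import os
import sys

# Artifacts named in the write-up above (not a complete Zbot profile).
ZBOT_MUTEXES = (
    "__SYSTEM__64AD0625__", "_AVIRA_2109", "_AVIRA_2108",
    "_AVIRA_210999", "_H_64AD0625_",
)
ZBOT_FILES = (
    os.path.join("system32", "sdra64.exe"),
    os.path.join("system32", "lowsec", "local.ds"),
    os.path.join("system32", "lowsec", "user.ds"),
    os.path.join("system32", "lowsec", "user.ds.lll"),
)
SYNCHRONIZE = 0x00100000  # minimal access right needed to open an existing mutex


def mutex_exists(name):
    """Return True if a named mutex currently exists on this (Windows) host."""
    if sys.platform != "win32":
        return False  # no Win32 object manager to query elsewhere
    kernel32 = ctypes.windll.kernel32
    handle = kernel32.OpenMutexW(SYNCHRONIZE, False, name)
    if not handle:
        return False  # OpenMutexW fails when nobody created the object
    kernel32.CloseHandle(handle)
    return True


def find_zbot_artifacts(windir=None, exists=os.path.exists, mutex_check=mutex_exists):
    """Report which of the dropped files and mutexes from the write-up are present.

    `exists` and `mutex_check` are injectable (an assumption of this example)
    so the matching logic can run against a constructed host state; the
    defaults probe the live machine.
    """
    windir = windir or os.environ.get("SystemRoot", r"C:\Windows")
    candidates = (os.path.join(windir, f) for f in ZBOT_FILES)
    found_files = [p for p in candidates if exists(p)]
    found_mutexes = [m for m in ZBOT_MUTEXES if mutex_check(m)]
    return {"files": found_files, "mutexes": found_mutexes,
            "infected": bool(found_files or found_mutexes)}


if __name__ == "__main__":
    for key, value in find_zbot_artifacts().items():
        print(f"{key}: {value}")
```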
The spam this e-threat was made to send out is related to the recent Michael Jackson wave. It has the subject “Who killed Michael Jackson?” and the message is the following:

Michael Jackson Was Killed…
But Who Killed Michael Jackson?
Visit X-Files to see the answer:
http://MJac[removed]ij.com/x-files
This is a generic detection for several HTML files which adware such as Adware.Downloader.Navipromo.B or Adware.LivePlayer.A uses to download. The files contain an embedded executable which is dropped in %windir%\system32 and is detected as adware as well. The name of the executable is specified in the downloaded HTML file and is generated randomly.

To avoid detection, the executables run only if certain parameters are specified, parameters that are known only to the downloaders.
Information in this article is available courtesy of BitDefender virus researchers: Dana Stanut and Ovidiu Visoiu