Virus Profile: PWS-Zbot.gen.uh

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 4/5/2012
Date Added: 4/5/2012
Origin: N/A
Length: Varies
Type: Trojan
Subtype: Generic
DAT Required: 6387
Description

This is a Trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Kaspersky - Packed.win32.krap.iu
  • NOD32 - win32:zbot-OKI
  • Ikarus - Packed.win32.krap
  • Microsoft - Pws:win32/zbot.gen!AF

Indication of Infection

  • Presence of the files and registry keys listed in the Virus Characteristics section.
  • Unexpected network connections to the IP addresses listed in the Virus Characteristics section.

Methods of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email spam, etc.
   

Virus Characteristics

-------------Updated on September 22, 2012------------

Aliases -

  • Kaspersky - Trojan-Spy.Win32.Zbot.eipa
  • Ikarus - Trojan-PWS.Win32.Zbot
  • NOD32 - Win32/Spy.Zbot.AAN
  • Microsoft - PWS:Win32/Zbot.gen!AF

Characteristics -

"PWS-Zbot.gen.uh" is a generic detection for a Trojan that allows unauthorized access to and control of an affected computer.

Upon execution, the Trojan injects into Windows Explorer (explorer.exe) and connects to the following IP address:

216.143.[Removed].170

Upon execution, the following files are added to the system:

  • %AppData%\Microsoft\Address Book\Administrator.wab
  • %AppData%\Rieg\ruevd.exe

Upon execution, the following folders are added to the system:

  • %AppData%\Microsoft\Address Book
  • %AppData%\Rieg

The following registry keys are added to the system:

  • HKEY_USERS\S-1-5-[VARIES]\Software\Microsoft\Internet Account Manager
  • HKEY_USERS\S-1-5-[VARIES]\Software\Microsoft\Internet Account Manager\Accounts
  • HKEY_USERS\S-1-5-[VARIES]\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC
  • HKEY_USERS\S-1-5-[VARIES]\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot
  • HKEY_USERS\S-1-5-[VARIES]\Software\Microsoft\Internet Account Manager\Accounts\VeriSign
  • HKEY_USERS\S-1-5-[VARIES]\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere
  • HKEY_USERS\S-1-5-[VARIES]\Software\Microsoft\Usup
  • HKEY_USERS\S-1-5-[VARIES]\Software\Microsoft\WAB
  • HKEY_USERS\S-1-5-[VARIES]\Software\Microsoft\WAB\WAB4
  • HKEY_USERS\S-1-5-[VARIES]\Software\Microsoft\WAB\WAB4\Wab File Name

The following registry values are added to the system:

HKEY_USERS\S-1-5-[VARIES]\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere

  • LDAP Server ID = 0x00000003
  • Account Name = "WhoWhere Internet Directory Service"
  • LDAP Server = "ldap.whowhere.com"
  • LDAP URL = http://www.whowhere.com
  • LDAP Search Return = 0x00000064
  • LDAP Timeout = 0x0000003C
  • LDAP Authentication = 0x00000000
  • LDAP Simple Search = 0x00000001
  • LDAP Logo = "%ProgramFiles%\Common Files\Services\whowhere.bmp"

HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\

  • LDAP Server ID = 0x00000002
  • Account Name = "VeriSign Internet Directory Service"
  • LDAP Server = "directory.verisign.com"
  • LDAP URL = http://www.verisign.com
  • LDAP Search Return = 0x00000064
  • LDAP Timeout = 0x0000003C
  • LDAP Authentication = 0x00000000
  • LDAP Search Base = "NULL"
  • LDAP Simple Search = 0x00000001
  • LDAP Logo = "%ProgramFiles%\Common Files\Services\verisign.bmp"

HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\

  • LDAP Server ID = 0x00000001
  • Account Name = "Bigfoot Internet Directory Service"
  • LDAP Server = "ldap.bigfoot.com"
  • LDAP URL = http://www.bigfoot.com
  • LDAP Search Return = 0x00000064
  • LDAP Timeout = 0x0000003C
  • LDAP Authentication = 0x00000000
  • LDAP Simple Search = 0x00000001
  • LDAP Logo = "%ProgramFiles%\Common Files\Services\bigfoot.bmp"

HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Usup\2e03f298 = [binary data]

HKEY_USERS\S-1-5-[VARIES]\Software\Microsoft\Windows\CurrentVersion\Run\
"E70C1587-6380-AD79-929D-F79D94EFD48F" = ""%appdata%\Rieg\ruevd.exe""

This Run entry registers the Trojan with the compromised system so that it executes itself at every startup.

The following registry values are modified on the system:

  • HKEY_USERS\S-1-5-[VARIES]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1609: 0x00000001
  • HKEY_USERS\S-1-5-[VARIES]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1609: 0x00000000
  • HKEY_USERS\S-1-5-[VARIES]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1406: 0x00000001
  • HKEY_USERS\S-1-5-[VARIES]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1406: 0x00000000
  • HKEY_USERS\S-1-5-[VARIES]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1609: 0x00000001
  • HKEY_USERS\S-1-5-[VARIES]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1609: 0x00000000
  • HKEY_USERS\S-1-5-[VARIES]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1406: 0x00000003
  • HKEY_USERS\S-1-5-[VARIES]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1406: 0x00000000
  • HKEY_USERS\S-1-5-[VARIES]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1609: 0x00000001
  • HKEY_USERS\S-1-5-[VARIES]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1609: 0x00000000
  • HKEY_USERS\S-1-5-[VARIES]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1406: 0x00000003
  • HKEY_USERS\S-1-5-[VARIES]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1406: 0x00000000
  • HKEY_USERS\S-1-5-[VARIES]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1609: 0x00000001
  • HKEY_USERS\S-1-5-[VARIES]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1609: 0x00000000
  • HKEY_USERS\S-1-5-[VARIES]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1406: 0x00000003
  • HKEY_USERS\S-1-5-[VARIES]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1406: 0x00000000
  • HKEY_USERS\S-1-5-[VARIES]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1609: 0x00000001
  • HKEY_USERS\S-1-5-[VARIES]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1609: 0x00000000

The above registry values show that the Trojan lowers the Internet Explorer security zone settings (Internet Settings\Zones).
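The two indicator classes this profile keeps returning to are a Run entry that launches a copy of the sample from the user's profile (the ruevd.exe entry above, and the KB01154634.exe and random-name entries in the later updates) and zone action values 1406 and 1609 forced to 0x00000000. The following PowerShell audit is an added example, not McAfee's code, that checks a host for both. It assumes it is run with rights to read the loaded user hives under HKEY_USERS, that the action values carry Microsoft's documented meaning (0 = Enable, 1 = Prompt, 3 = Disable, so 0 is the least restrictive), and that the second entry of each pair in the profile's list is the value after modification. All function names are the example's own.

```powershell
# Added example (not McAfee's code): audit a host for the persistence and
# zone-setting indicators described in the PWS-Zbot.gen.uh profile.
# Assumptions: the script can read every loaded hive under HKEY_USERS, and
# zone action values follow Microsoft's documented meaning (0 = Enable).

function Get-SuspiciousRunEntries {
    # Return Run entries whose command lives under AppData, Application Data
    # or Temp, the locations this profile's samples copy themselves to.
    $metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($hive in Get-ChildItem -Path Registry::HKEY_USERS -ErrorAction SilentlyContinue) {
        $runKey = "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run"
        if (-not (Test-Path -Path $runKey)) { continue }
        $props = Get-ItemProperty -Path $runKey
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $metaProps) { continue }   # PowerShell's own metadata
            $cmd = [string]$p.Value
            if ($cmd -match '(?i)(%appdata%|\\appdata\\|\\application data\\|%temp%|\\temp\\)') {
                [pscustomobject]@{ Hive = $hive.PSChildName; Name = $p.Name; Command = $cmd }
            }
        }
    }
}

function Get-LoweredZoneActions {
    # Zones: 0 = My Computer, 1 = Local intranet, 2 = Trusted sites,
    # 3 = Internet, 4 = Restricted sites. Action 1406 = "Access data sources
    # across domains", 1609 = "Display mixed content"; 0 means Enable.
    $actions = @{ '1406' = 'Access data sources across domains'
                  '1609' = 'Display mixed content' }
    foreach ($hive in Get-ChildItem -Path Registry::HKEY_USERS -ErrorAction SilentlyContinue) {
        foreach ($zone in 0..4) {
            $zoneKey = "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone"
            if (-not (Test-Path -Path $zoneKey)) { continue }
            $props = Get-ItemProperty -Path $zoneKey
            foreach ($action in $actions.Keys) {
                $v = $props.$action
                if ($null -ne $v -and [int]$v -eq 0) {
                    [pscustomobject]@{ Hive = $hive.PSChildName; Zone = $zone
                                       Action = $action; Meaning = $actions[$action]; Value = $v }
                }
            }
        }
    }
}

function Test-ProfileArtifacts {
    # File paths taken from this profile for the current user only; the
    # random-name copy in the last update cannot be matched by name.
    $paths = @(
        "$env:APPDATA\Rieg\ruevd.exe",
        "$env:APPDATA\KB01154634.exe",
        "$env:TEMP\exp1.tmp",
        "$env:APPDATA\dplaysvr.exe",
        "$env:APPDATA\dplayx.dll"
    )
    foreach ($p in $paths) {
        [pscustomobject]@{ Path = $p; Present = (Test-Path -LiteralPath $p) }
    }
}

Get-SuspiciousRunEntries | Format-Table -AutoSize
Get-LoweredZoneActions   | Format-Table -AutoSize
Test-ProfileArtifacts    | Where-Object Present | Format-Table -AutoSize
```

A hit from Get-LoweredZoneActions is evidence, not a verdict: compare the result against a known-good baseline for the same build, because a zero in the My Computer or Local intranet zone can be a legitimate policy choice, whereas 1406 and 1609 set to Enable in the Internet and Restricted sites zones (zones 3 and 4) is the pattern the profile documents. Run entries found by Get-SuspiciousRunEntries should be triaged by hashing the target file and checking it with the current engine and DAT files.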

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

-------------Updated on June 28, 2012---------

Aliases -

  • Kaspersky - Trojan-Dropper.Win32.Dapato.birt
  • NOD32 - Win32/AutoRun.Spy.Banker.P
  • Ikarus - Trojan-Spy.Agent
  • Microsoft - Worm:Win32/Cridex.E

Characteristics -

"PWS-Zbot.gen.uh" is a Trojan that injects itself into a system process to avoid detection. It may also steal personal and confidential information from the compromised computer.

Upon execution, the Trojan tries to inject into the system process (explorer.exe) and connects to the remote IP address 85.214.[Removed].32 on remote port 8080 in order to reach the following URLs:

  • Sig[Removed]ac.be
  • Hi[Removed]ex.org
  • Fai[Removed]ah.edu
  • h18[Removed]er.net

The Trojan creates the following files:

  • %AppData%\KB01154634.exe
  • %Temp%\exp1.tmp

The following registry keys are added:

  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\ShellNew
  • HKEY_USER\S-1-[varies]\Software\Microsoft\WSH
  • HKEY_USER\S-1-[varies]\Software\Microsoft\WSH\A782D5F0
  • HKEY_USER\S-1-[varies]\Software\Microsoft\WSH\EB87437A

The following registry values are added:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kmixer\Enum\0: "SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kmixer\Enum\0: "SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}"
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Run\
    "KB01154634.exe" = ""%AppData%\KB01154634.exe""
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\ShellNew\~reserved~: 18 00 00 00 01 00 01 00 DC 07 06 00 01 00 19 00 07 00 18 00 03 00 A9 00
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\ShellNew\Language: 0x00000409

The following registry values are modified on the system:

  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 3C 00 00 00 32 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 80 7E 39 29 A0 31 C6 01 01 00 00 00 C0 A8 C7 96 00 00 00 00 00 00 00 00
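SavedLegacySettings is a REG_BINARY value, so the two hex dumps above are hard to compare by eye. The decoder below is an added example, not McAfee's code. It assumes the layout that public forensics write-ups give for this value (and for its sibling DefaultConnectionSettings): a DWORD version, a DWORD change counter, a DWORD flags field (0x01 direct connection, 0x02 manual proxy, 0x04 autoconfig script, 0x08 auto-detect), then three DWORD-length-prefixed ANSI strings for proxy server, bypass list and autoconfig URL; the page does not state this layout. Anything after the strings is returned as raw hex rather than interpreted. The sample input is the second value from the list above, re-typed into the script.

```powershell
# Added example (not McAfee's code): decode an Internet Settings
# SavedLegacySettings / DefaultConnectionSettings blob.
# Assumed layout (from public forensics write-ups, not from this profile):
#   DWORD version, DWORD change counter, DWORD flags
#   (0x01 direct, 0x02 manual proxy, 0x04 autoconfig script, 0x08 auto-detect),
#   then three length-prefixed ANSI strings: proxy server, bypass list,
#   autoconfig URL. The remainder is an undocumented trailer, shown as hex.

function ConvertFrom-ConnectionSettings {
    param([Parameter(Mandatory)][byte[]]$Bytes)

    if ($Bytes.Length -lt 24) { throw "Blob too short: $($Bytes.Length) bytes" }

    $version = [BitConverter]::ToUInt32($Bytes, 0)
    $counter = [BitConverter]::ToUInt32($Bytes, 4)
    $flags   = [BitConverter]::ToUInt32($Bytes, 8)

    # Read the three length-prefixed strings, refusing lengths that overrun the blob.
    $pos = 12
    $fields = @{}
    foreach ($name in 'ProxyServer', 'BypassList', 'AutoConfigUrl') {
        if ($pos + 4 -gt $Bytes.Length) { throw "Truncated length field for $name" }
        $len = [BitConverter]::ToUInt32($Bytes, $pos)
        $pos += 4
        if ($pos + $len -gt $Bytes.Length) { throw "Field $name overruns the blob" }
        $fields[$name] = [Text.Encoding]::ASCII.GetString($Bytes, $pos, $len)
        $pos += $len
    }

    $trailer = if ($pos -lt $Bytes.Length) {
        ($Bytes[$pos..($Bytes.Length - 1)] | ForEach-Object { '{0:X2}' -f $_ }) -join ' '
    } else { '' }

    [pscustomobject]@{
        Version          = $version
        ChangeCounter    = $counter
        Flags            = '0x{0:X8}' -f $flags
        DirectConnection = [bool]($flags -band 0x01)
        ManualProxy      = [bool]($flags -band 0x02)
        AutoConfigScript = [bool]($flags -band 0x04)
        AutoDetect       = [bool]($flags -band 0x08)
        ProxyServer      = $fields.ProxyServer
        BypassList       = $fields.BypassList
        AutoConfigUrl    = $fields.AutoConfigUrl
        TrailerHex       = $trailer
    }
}

function ConvertFrom-HexString {
    # Turn a space-separated hex dump, as printed in the profile, into bytes.
    param([Parameter(Mandatory)][string]$Hex)
    [byte[]]($Hex.Trim() -split '\s+' | ForEach-Object { [Convert]::ToByte($_, 16) })
}

# The second SavedLegacySettings value listed in this profile (page data, re-typed).
$pageValue = '3C 00 00 00 32 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ' +
             '04 00 00 00 00 00 00 00 80 7E 39 29 A0 31 C6 01 01 00 00 00 C0 A8 C7 96 ' +
             '00 00 00 00 00 00 00 00'
ConvertFrom-ConnectionSettings -Bytes (ConvertFrom-HexString $pageValue) | Format-List

# To decode the live value from the current user's hive instead:
# $live = Get-ItemPropertyValue -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections' -Name SavedLegacySettings
# ConvertFrom-ConnectionSettings -Bytes $live | Format-List
```

For the page's value the decoder reports version 60, change counter 50, flags 0x00000001 (direct connection) and three empty strings, so neither blob configures a proxy or autoconfig script and the difference between the two dumps lies in the trailer. The setting worth alerting on in a live hive is ManualProxy or AutoConfigScript set together with a proxy server or URL that the environment does not use.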

The following registry entry confirms that the Trojan executes every time Windows starts:

  • HKEY_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Run
    • "KB01154634.exe" = ""%AppData%\KB01154634.exe""

-------------Updated on June 7, 2012---------

Aliases -

  • Comodo - UnclassifiedMalware
  • Fortinet - W32/FakeAV.OZ!tr
  • NOD32 - Win32/Adware.HDDRescue.AB
  • Symantec - Suspicious.Cloud.5

Characteristics:

When executed, the Trojan creates the following files:

  • %UserProfile%\Application Data\dplaysvr.exe
  • %UserProfile%\Application Data\dplayx.dll
  • %UserProfile%\Local Settings\Temp\7.tmp
  • %UserProfile%\Local Settings\Temp\8.tmp
  • %UserProfile%\Local Settings\Temp\a.tmp

The Trojan tries to connect to a remote server and perform the following activities:

  • Download configuration files or other data
  • Download and execute malicious files
  • Receive commands from a remote attacker

Notes: the following path-to-variable mappings apply:

  • C:\Documents and Settings\All Users = %AllUsersProfile%
  • C:\DOCUME~1\Admin\LOCALS~1\Temp = %Temp%
  • C:\Documents and Settings\Admin\Application Data = %AppData%
  • C: = %SystemDrive%
  • %UserProfile% = %UserProfile%

------------------------------------------------------------------------------------------------

Upon execution, the Trojan copies itself to the following location:

c:\documents and settings\%user%\application data\<RANDOM name folder>\<RANDOM name>.exe

It injects malicious threads into explorer.exe and connects to the following IP address:

  • Connects to 99.57.[Removed].234 via a random port

It adds itself to the following registry key so that it is loaded at startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

 

   

Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).