Virus Characteristics
--Updated on 29th June 2012---
Aliases
- Microsoft - Worm:Win32/Cridex.E
- Kaspersky - Trojan-Dropper.Win32.Dapato.bjvs
- Ikarus - Trojan-Dropper.Win32.Dapato
- Symantec - W32.Cridex
When executed the Trojan copies itself into the following location.
%Appdata%\KB01154634.exe
It drops the below script file
%temp%\exp5.tmp.BAT
After execution, the Trojan deletes self by using above script file from the compromised system
Below mentioned registry ensures that, the Trojan registers itself with the compromised system and execute itself upon every boot.
HKEY_CURRENT_USER\ Software\Microsoft\Windows\CurrentVersion\Run:"KB01154634.exe" = “%Appdata%\KB01154634.exe”
It also tries to connect to the following ip location
123.[removed].61.59
Notes: - [C:\Documents and Settings\All Users\ - %AllUsersprofile%, C:\DOCUME~1\Admin\LOCALS~1\Temp - %Temp%,C:\Documents and Settings\Admin\Application Data - %Appdata%,c: - %systemdrive%,C:\Documents and Settings\Administrator - %Userprofile%]
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
--Updated on January 23, 2012---
Aliases -
- Kaspersky - Trojan-Spy.Win32.Zbot.cqab
- NOD32 - a variant of Win32/Kryptik.WEE
- Ikarus - Trojan-Spy.Win32.Zbot
- Microsoft - PWS:Win32/Zbot
Upon execution Trojan injects itself with Explorer.exe and connects to the following site sec[Removed]ert.ru through a remote port 80 to download other malicious files.
The following files have been added to the system.
- %UserProfile%\Application Data\Identities\{64DD4488-B7D5-4C11-8D65-6BAF648A65EB}\Microsoft\Outlook Express\Folders.dbx
- %UserProfile%\Application Data\Identities\{64DD4488-B7D5-4C11-8D65-6BAF648A65EB}\Microsoft\Outlook Express\Inbox.dbx
- %UserProfile%\Application Data\Identities\{64DD4488-B7D5-4C11-8D65-6BAF648A65EB}\Microsoft\Outlook Express\Offline.dbx
- %UserProfile%\Application Data\Identities\{64DD4488-B7D5-4C11-8D65-6BAF648A65EB}\Microsoft\Outlook Express\Sent Items.dbx
- %Appdata%\Microsoft\Address Book\[User].wab
- %Appdata%\Microsoft\Address Book\[User].wab~
- %Appdata%\Ucyha\zoowqi.exe
- %Appdata%\Omkaiv\taihubu.tmp
- %Appdata%\Omkaiv\taihubu.ist
The following registry keys have been added to the system.
- HKEY_USERS\S-1-5-[varies]\Identities\{64DD4488-B7D5-4C11-8D65-6BAF648A65EB}\Software\Microsoft\Outlook Express\5.0\Mail
- HKEY_USERS\S-1-5-[varies]\Identities\{64DD4488-B7D5-4C11-8D65-6BAF648A65EB}\Software\Microsoft\Outlook Express\5.0\News
- HKEY_USERS\S-1-5-[varies]\Identities\{64DD4488-B7D5-4C11-8D65-6BAF648A65EB}\Software\Microsoft\Outlook Express\5.0\Rules
- HKEY_USERS\S-1-5-[varies]\Identities\{64DD4488-B7D5-4C11-8D65-6BAF648A65EB}\Software\Microsoft\Outlook Express\5.0\Rules\Mail
- HKEY_USERS\S-1-5-[varies]\Identities\{64DD4488-B7D5-4C11-8D65-6BAF648A65EB}\Software\Microsoft\Outlook Express\5.0\Trident
- HKEY_USERS\S-1-5-[varies]\Identities\{64DD4488-B7D5-4C11-8D65-6BAF648A65EB}\Software\Microsoft\Outlook Express\5.0\Trident\Main
- HKEY_USERS\S-1-5-[varies]\Identities\{64DD4488-B7D5-4C11-8D65-6BAF648A65EB}\Software\Microsoft\Outlook Express\5.0\Trident\Settings
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Explorer\Privacy
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Account Manager
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Account Manager\Accounts
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Account Manager\Accounts\VeriSign
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Rivib
The following registry values have been added to the system.
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\]
%Windir%\EXPLORER.EXE = "%Windir%\EXPLORER.EXE = *:Enabled:Windows Explorer"
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = 0x00000000
The above mentioned registry ensures that, the Trojan disables the option for clearing the Internet Explorer cookies.
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Run]
{709C0C2E-AA1E-83E0-9ECE-7BB26FA662F2} = ""%Appdata%\Ucyha\zoowqi.exe""
The above mentioned registry ensures that, the Trojan registers run entry with the compromised system and execute itself upon every boot.
It creates the following mutex.
- {1BAF61A0-C790-E8D3-9ECE-7BB26FA662F2}
[Note: C:\WINDOWS is %Windir%,C:\Documents and Settings\[User]\Application Data is %Appdata%,C:\Documents and Settings\Naveen\Local Settings is %UserProfile%]
-----Updated on Nov 10 , 2011-----------
Aliases -
- Kaspersky - Trojan-Spy.Win32.Zbot.cntc
- NOD32 - Win32/Spy.Zbot.YW
- Ikarus - Trojan-Spy.Win32.Zbot
- Microsoft - PWS:Win32/Zbot
Upon execution the Trojan injects with explorer.exe and connects to the following site [removed]ndconcert.ru through remote port 80 to download other malicious files.
The following files have been added to the system.
- %Appdata%\Aqyhn\fadaytp.exe
- %Appdata%\Weheety\fyepox.tmp
The following registry keys have been added to the system.
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Explorer\Privacy
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Account Manager
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Account Manager\Accounts
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Account Manager\Accounts\VeriSign
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Ircih
The following registry Values have been added to the system.
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
%WinDir%\EXPLORER.EXE = "%WinDir%\EXPLORER.EXE:*:Enabled:Windows Explorer"
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = 0x00000000
The above mentioned registry ensures that, the Trojan disables the option for clearing the Internet Explorer cookies.
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Run]
{709C0C2E-AA1E-83E0-9ECE-7BB26FA662F2} = ""%Appdata%\Aqyhn\fadaytp.exe""
The above mentioned registry ensures that, the Trojan registers run entry with the compromised system and execute itself upon every boot.
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP Server ID = 0x00000003
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\Account Name: "WhoWhere Internet Directory Service"
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP Server = "ldap.whowhere.com"
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP URL = "http://www.whowhere.com"
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP Search Return = 0x00000064
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP Timeout = 0x0000003C
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP Authentication = 0x00000000
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP Simple Search = 0x00000001
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP Logo = "%ProgramFiles%\Common Files\Services\whowhere.bmp"
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Server ID = 0x00000002
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\Account Name = "VeriSign Internet Directory Service"
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Server = "directory.verisign.com"
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP URL = "http://www.verisign.com"
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Search Return = 0x00000064
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Timeout = 0x0000003C
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Authentication = 0x00000000
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Search Base = "NULL"
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Simple Search = 0x00000001
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Logo = "%ProgramFiles%\Common Files\Services\verisign.bmp"
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Server ID = 0x00000001
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\Account Name = "Bigfoot Internet Directory Service"
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Server = "ldap.bigfoot.com"
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP URL = "http://www.bigfoot.com"
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Search Return = 0x00000064
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Timeout = 0x0000003C
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Authentication = 0x00000000
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Simple Search = 0x00000001
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Logo = "%ProgramFiles%\Common Files\Services\bigfoot.bmp"
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Ircih\Begy = [binary data]
The Following folders were added to the system.
- %Appdata%\Aqyhn
- %Appdata%\Weheety
[Note: C:\Documents and Settings\User\Application Data is %Appdata% , C:\WINDOWS is %WinDir%,%SystemDrive% is the drive where the Operating System is installed, in most cases it will be C:\]
------------------------------------
Upon execution, the Trojan copies itself into the below mentioned location and connects to the IP address 46.19.[removed] through remote port 80 to download further malicious files.
- %UserProfile%\Start Menu\Programs\Startup\igfxtray.exe
- %Temp%/6.tmp
The Trojan executes upon every Windows Start Up.
And drops the following non malicious file
The Trojan connects to the remote site to perform the following actions
- To report a new infection to its author
- To receive configuration or other data
- To download and execute arbitrary files (including updates or additional malware)
- To receive instruction from a remote attacker
- To upload data taken from the affected computer
The following registry value has been added
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Explorer\Main\
TabProcGrowth = “0"
The following registry values have been modified
- HKEY_LOCAL_MACHINE\ S-1-5-[varies]\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\
1609 = 0x00000000
The following folder has been added
Note –
[%UserProfile% - C:\Documents and Settings\[UserName],
%Temp% - C:\Documents and Settings\[UserName]\Local Settings\Temp,
%AppData% - C:\Documents and Settings\[UserName]\Application Data]