| Field | Value |
|---|---|
| Aliases | Generic.dx!gxm (McAfee), PWS:Win32/Zbot (Microsoft), Trojan Horse (Symantec) |
| Type of infiltration | Trojan |
| Size | 114176 B |
| Affected platforms | Microsoft Windows |
| Signature database version | 4529 (20091021) |
Short description
The trojan collects sensitive information when the user browses certain web sites. The trojan can send the information to a remote machine. It can be controlled remotely.
Installation
When executed, the trojan copies itself into the following location:
The trojan creates the following folders:
The trojan creates the following files:
- %system%\lowsec\user.ds.lll
- %system%\lowsec\user.ds
- %system%\lowsec\local.ds
The following Registry entry is set:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit" = "%system%\userinit.exe, %system%\sdra64.exe"
This causes the trojan to be executed on every system start.
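The Userinit value above is the persistence mechanism worth checking on a suspect host: Winlogon runs every comma-separated entry, so anything other than the legitimate %system%\userinit.exe is a finding. The following script is an added example for defenders and is not ESET's code; it parses a Userinit string and reports the extra entries. The sample values are constructed, with C:\Windows\system32 substituted for the %system% placeholder; `read_userinit` reads the live value and only works on Windows, while the parser itself runs anywhere.

```python
"""Check the Winlogon ``Userinit`` value for appended executables.

Added example (not ESET's code). Windows runs every comma-separated entry
in ``Userinit``; on a clean system the value is just %system%\\userinit.exe
followed by a trailing comma.
"""
import ntpath
import sys

# Constructed sample values (%system% replaced with C:\Windows\system32).
CLEAN_USERINIT = r"C:\Windows\system32\userinit.exe,"
INFECTED_USERINIT = (
    r"C:\Windows\system32\userinit.exe, C:\Windows\system32\sdra64.exe"
)


def parse_userinit(value: str) -> list[str]:
    """Split the Userinit string into its executable entries.

    The trailing comma seen on clean systems yields an empty field, which
    is dropped; surrounding whitespace and quotes are stripped.
    """
    entries = []
    for field in value.split(","):
        entry = field.strip().strip('"').strip()
        if entry:
            entries.append(entry)
    return entries


def suspicious_userinit_entries(
    value: str, system_dir: str = r"C:\Windows\system32"
) -> list[str]:
    """Return every entry that is not the expected %system%\\userinit.exe.

    Paths are normalised with ntpath (case-insensitive, forward slashes
    converted) so that the same file written differently still matches.
    """
    expected = ntpath.normcase(
        ntpath.normpath(ntpath.join(system_dir, "userinit.exe"))
    )
    return [
        entry
        for entry in parse_userinit(value)
        if ntpath.normcase(ntpath.normpath(entry)) != expected
    ]


def read_userinit() -> str:
    """Read the live Userinit value. Windows only (uses winreg)."""
    import winreg  # only importable on Windows

    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path)
    try:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    finally:
        key.Close()
    return value


if __name__ == "__main__":
    if sys.platform == "win32":
        value = read_userinit()
    else:
        # Off Windows, demonstrate the parser on the constructed sample.
        value = INFECTED_USERINIT
    extra = suspicious_userinit_entries(value)
    if extra:
        print("Unexpected Userinit entries:")
        for entry in extra:
            print("  " + entry)
    else:
        print("Userinit value looks clean.")
```

Any path reported here deserves a look: the value is not a normal place for third-party software to register itself, and the page's sample adds %system%\sdra64.exe in exactly this way.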
The following Registry entries are created:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network]
"UID" = "%computername%_%variable%"
- [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{334613DB-50C1-B3BE-95ED-E9915A134FF1}]
"{3039636B-5F3D-6C64-6675-696870667265}" = %hex_value1%
"{33373039-3132-3864-6B30-303233343434}" = %hex_value2%
- [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}]
"{3039636B-5F3D-6C64-6675-696870667265}" = %hex_value1%
"{33373039-3132-3864-6B30-303233343434}" = %hex_value2%
- [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
The trojan creates and runs a new thread with its own program code within the following processes:
- winlogon.exe
- svchost.exe
- explorer.exe
Information stealing
The trojan collects sensitive information when the user browses certain web sites.
The trojan can send the information to a remote machine. The FTP protocol is used.
Other information
The trojan hooks the following Windows APIs:
- NtCreateThread (ntdll.dll)
- LdrLoadDll (ntdll.dll)
- LdrGetProcedureAddress (ntdll.dll)
- NtQueryDirectoryFile (ntdll.dll)
- send (wsock32.dll)
- sendto (wsock32.dll)
- closesocket (wsock32.dll)
- send (ws2_32.dll)
- sendto (ws2_32.dll)
- WSASend (ws2_32.dll)
- WSASendTo (ws2_32.dll)
- closesocket (ws2_32.dll)
- HttpSendRequestW (wininet.dll)
- HttpSendRequestA (wininet.dll)
- HttpSendRequestExW (wininet.dll)
- HttpSendRequestExA (wininet.dll)
- InternetReadFile (wininet.dll)
- InternetReadFileExW (wininet.dll)
- InternetReadFileExA (wininet.dll)
- InternetQueryDataAvailable (wininet.dll)
- InternetCloseHandle (wininet.dll)
- HttpQueryInfoA (wininet.dll)
- HttpQueryInfoW (wininet.dll)
- TranslateMessage (user32.dll)
- GetClipboardData (user32.dll)
- PFXImportCertStore (crypt32.dll)
The following services are disabled:
The trojan contains a URL. It tries to download a file from that address. The HTTP protocol is used.
The file is stored in the following location:
The trojan is sent data and commands from a remote computer or the Internet.
It can execute the following operations:
- monitor network traffic
- redirect traffic
- capture screenshots
- send files to a remote computer
- download files from a remote computer and/or Internet
- retrieve information from protected storage and send it to the remote computer
- steal information from Windows clipboard
The trojan may create and run a new thread with its own program code within any running process.