version of the Zeus bot tries to trick users into executing it by displaying
the icon of a *.chm (Microsoft Compiled Help File) as its own icon. The file is
generally distributed by spam e-mails built around various lures (pornography,
cataclysmic events, etc.).
decryption, BitDefender engines detect the resulting file as
Trojan.Spy.Zeus.C. Its first action is to inject code into “winlogon.exe”,
which lets it run and manipulate the filesystem undetected.
itself to “%windir%\system32\sdra64.exe” with a different size and creates a
folder “lowsec” in which it drops 3 files containing encrypted data. All the
files are hidden from Windows Explorer.
also creates registry keys in order to be executed at every system startup and
a mutex in order to mark its presence.
family can be used for stealing information (mostly online banking
authentication details), remote control and spamming.
password stealer comes bundled inside another application that is used to
remove certain security features. The dropper is detected as
PWS.OnlineGames.KBZA; after execution it copies
“%windir%\system32\sfc_os.dll” (used by Windows to protect files) to
“%windir%\system32\mmsfc1.dll”. It then calls a certain function from
“mmsfc1.dll” in order to overwrite “%windir%\system32\comres.dll” with its own
encrypted DLL (the password stealer). The original “comres.dll” will be saved
“comres.dll” will be injected into every running process and will monitor the
keystrokes and mouse gestures of the user. The final goal of the application is
to steal authentication data from QQ Login, Dungeon and Fighter and Tenio.
A copy of
the password stealer (the replaced comres.dll) will also be created in
“%windir%\fOntS”; it is injected into all processes the first time the PC
gets infected. After reboot the replaced “comres.dll” is launched by the system
component responsible for sending the gathered information is also dropped
inside “%windir%\fOntS” as the file GHT60366.ttf, detected by BitDefender as
passwords, server, in-game currency, equipment, level and so on will be sent to web
pages located on:
successful infection, the dropper deletes itself.
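An offline triage check for the artifacts described above, added here as an example (it is not BitDefender's tooling): it is pointed at the Windows directory of a mounted disk image, and the sample tree it builds, including the lowsec file names and all file contents, is constructed placeholder data. It goes one step beyond the literal names in the write-up by matching renamed copies of sfc_os.dll by hash, so the SFC-bypass copy is found whatever it is called.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def triage(windir: Path) -> list[str]:
    """Report the write-up's artifacts under a Windows directory (e.g. a mounted image)."""
    findings, sys32 = [], windir / "system32"
    # Zeus: the dropped copy and the folder holding the three encrypted files.
    if (sys32 / "sdra64.exe").is_file():
        findings.append("zeus: system32\\sdra64.exe present")
    lowsec = sys32 / "lowsec"
    if lowsec.is_dir():
        findings.append(f"zeus: system32\\lowsec present ({len(list(lowsec.iterdir()))} files)")
    # OnlineGames: the SFC bypass is a byte-identical copy of sfc_os.dll, so match by hash.
    sfc = sys32 / "sfc_os.dll"
    if sfc.is_file():
        ref = sha256(sfc)
        for dll in sys32.glob("*.dll"):
            if dll.name.lower() != "sfc_os.dll" and sha256(dll) == ref:
                findings.append(f"sfc bypass: system32\\{dll.name} is a copy of sfc_os.dll")
    # A DLL, or the named .ttf, inside the Fonts folder has no business being there.
    for fonts in windir.glob("[Ff][Oo][Nn][Tt][Ss]"):
        for item in sorted(fonts.iterdir()):
            if item.suffix.lower() == ".dll" or item.name.upper() == "GHT60366.TTF":
                findings.append(f"onlinegames: unexpected {item.name} in {fonts.name}")
    return findings

def build_sample(root: Path) -> Path:
    """Construct a fake infected Windows directory (placeholder data, not a real image)."""
    windir, sys32 = root / "Windows", root / "Windows" / "system32"
    (sys32 / "lowsec").mkdir(parents=True)
    for i in range(3):  # three encrypted data files; names and bytes are placeholders
        (sys32 / "lowsec" / f"data{i}.bin").write_bytes(b"\x00" * 16)
    (sys32 / "sdra64.exe").write_bytes(b"MZ zeus sample")
    (sys32 / "sfc_os.dll").write_bytes(b"MZ sfc_os sample")
    (sys32 / "mmsfc1.dll").write_bytes(b"MZ sfc_os sample")  # renamed copy
    (sys32 / "comres.dll").write_bytes(b"MZ stealer sample")
    fonts = windir / "fOntS"
    fonts.mkdir()
    (fonts / "comres.dll").write_bytes(b"MZ stealer sample")
    (fonts / "GHT60366.ttf").write_bytes(b"MZ sender sample")
    return windir

def demo() -> list[str]:
    # Build the constructed sample in a temporary directory and triage it.
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample(Path(tmp)))
```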
in this article is available courtesy of BitDefender virus researchers Stefan
Catalin Hanu and Dana Stanut.