comes with a common trick for the users: it has a different icon than a usual executable icon. In this case it's a *.chm file icon (Microsoft Compiled HTML Help File). We've also seen Microsoft Excel and standard directory icons used by Zbot.
As for most Zbots, its infection vector is email spam.
version of Zbot is actually nothing but a repacked version of Trojan.Spy.ZBot.UI. It injects code into winlogon.exe, allowing it to create files and connect to the Internet undetected. Making use of this, it creates a copy of itself as %windir%\system32\sdra64.exe, adding garbage to the executable so that it has a different size and MD5 hash, a rather timid attempt at AV evasion. It also creates a folder called lowsec in the same folder, in which it writes 3 files containing encrypted data: local.ds, user.ds and user.ds.lll.
In order to run at every system startup, the Trojan makes changes to certain registry entries. It also marks its presence on the computer by creating the following
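The file-system artifacts described above (the padded copy in system32 and the lowsec data files) are concrete host indicators a responder can check for. The following is an added example, not code from the article or from BitDefender: it scans a %windir% tree (live or a mounted image) for those paths, and it also shows why the padding trick defeats a fixed MD5 indicator while a hash over a fixed-length prefix of the file still matches. The sample directory layout and the byte strings are constructed for the demonstration; the registry changes the article mentions are not covered because they can only be inspected on a live Windows system.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Host indicators taken from the article, relative to %windir%.
ZBOT_DROPPED_EXE = Path("system32") / "sdra64.exe"
ZBOT_LOWSEC_DIR = Path("system32") / "lowsec"
ZBOT_DATA_FILES = ("local.ds", "user.ds", "user.ds.lll")


def scan_windir(windir):
    """Return the indicator paths that exist under `windir` (a live %windir% or a mounted image)."""
    windir = Path(windir)
    hits = []
    exe = windir / ZBOT_DROPPED_EXE
    if exe.is_file():
        hits.append(str(exe))
    lowsec = windir / ZBOT_LOWSEC_DIR
    if lowsec.is_dir():
        hits.append(str(lowsec))
        for name in ZBOT_DATA_FILES:
            data_file = lowsec / name
            if data_file.is_file():
                hits.append(str(data_file))
    return hits


def padding_evasion_demo(original, garbage, prefix_len=64):
    """Compare a file with a copy that has garbage appended, as the article describes.

    The full-file MD5 changes with every padded copy, so it is a poor indicator;
    an MD5 over a fixed-length prefix (here the first `prefix_len` bytes) is
    unaffected by trailing garbage. `original` and `garbage` are caller-supplied bytes.
    """
    padded = original + garbage
    return {
        "size_delta": len(padded) - len(original),
        "full_md5_changed": hashlib.md5(original).hexdigest() != hashlib.md5(padded).hexdigest(),
        "prefix_md5_same": (hashlib.md5(original[:prefix_len]).hexdigest()
                            == hashlib.md5(padded[:prefix_len]).hexdigest()),
    }


def make_constructed_sample():
    """Build a throw-away directory that mimics an infected %windir% (constructed test data)."""
    root = Path(tempfile.mkdtemp(prefix="zbot_sample_"))
    (root / ZBOT_LOWSEC_DIR).mkdir(parents=True)
    (root / ZBOT_DROPPED_EXE).write_bytes(b"MZ" + b"\x90" * 100 + b"\x00" * 37)
    for name in ZBOT_DATA_FILES:
        (root / ZBOT_LOWSEC_DIR / name).write_bytes(os.urandom(32))
    return str(root)


if __name__ == "__main__":
    sample = make_constructed_sample()
    for hit in scan_windir(sample):
        print("indicator present:", hit)
    print(padding_evasion_demo(b"MZ" + b"\x90" * 100, b"\x00" * 37))
```

On a real system you would point `scan_windir` at `C:\Windows` (or at the Windows directory of a mounted disk image) rather than at the constructed sample; the prefix hash is only a teaching aid here, since a production indicator would hash a region chosen from the PE structure rather than an arbitrary 64 bytes.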
exploit vulnerabilities in outdated browsers or third-party browser plugins like ActiveX controls for PDF viewing, Flash playback and others.
The idea of the script is to load malicious pages into pages specifically crafted beforehand for this purpose, or into initially clean websites that were later attacked and modified to act as a medium.
which results in the creation of a special iframe, invisible to the eye, that practically loads another page behind the page the victim is visiting at the moment.
page will most certainly contain several exploits for the above-mentioned plugins, and whichever succeeds will download malware to the affected PC without the user's notice or consent. This type of download is called a drive-by download
code into the clean site.
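The invisible iframe described above is the part of the drive-by chain that a site owner or web scanner can look for in page source. The following is an added example, not code from the article: a small scanner built on Python's standard `html.parser` that flags iframes hidden by zero width or height, by `display:none` or `visibility:hidden`, or by being positioned far off-screen, while leaving ordinary embedded iframes alone. The HTML sample and its `example.invalid` URL are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser


def _is_zero_dimension(value):
    """True for attribute values such as "0", "0px" or " 0 " (a numeric zero)."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) == 0


class HiddenIframeFinder(HTMLParser):
    """Collect (src, reasons) for every <iframe> that is hidden from the user."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {name.lower(): (value or "") for name, value in attrs}
        reasons = []
        # Zero-size frame via HTML attributes.
        for dim in ("width", "height"):
            if _is_zero_dimension(a.get(dim)):
                reasons.append(f"{dim}=0")
        # Zero-size or hidden frame via inline CSS.
        style = a.get("style", "").lower().replace(" ", "")
        if re.search(r"(?:^|;)(?:width|height):0(?:px)?(?:;|$)", style):
            reasons.append("css zero size")
        if "display:none" in style:
            reasons.append("display:none")
        if "visibility:hidden" in style:
            reasons.append("visibility:hidden")
        if re.search(r"(?:left|top):-\d{3,}px", style):
            reasons.append("positioned off-screen")
        if reasons:
            self.findings.append((a.get("src", ""), reasons))


def find_hidden_iframes(html):
    """Return a list of (src, reasons) for hidden iframes found in `html`."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a legitimate embedded video frame plus one injected, invisible frame.
SAMPLE_HTML = """
<html><body>
<h1>Company news</h1>
<iframe src="https://video.example.invalid/embed/42" width="560" height="315"></iframe>
<p>Welcome to our site.</p>
<iframe src="http://landing.example.invalid/in.php" width="0" height="0" style="display:none"></iframe>
</body></html>
"""


if __name__ == "__main__":
    for src, reasons in find_hidden_iframes(SAMPLE_HTML):
        print(f"hidden iframe -> {src}: {', '.join(reasons)}")
```

A finding here is a lead, not a verdict: some analytics and ad code legitimately uses zero-size frames, so the practical use is to diff the output against a known-good copy of the page and investigate frames that appear unexpectedly.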
in this article is available courtesy of BitDefender virus researchers Lutas Andrei Vlad and Marius Vanta.