W32/Zbot.CH!tr - Released Oct 28, 2009 - Last Updated Nov 02, 2009
|
Alias/esTrojan-Spy.Win32.Zbot.gen (Kaspersky), PWS-Zbot (McAfee), Mal/EncPk-LE (Sophos), Trojan horse Agent2.YPX (AVG) |
Detection Availability
|
Visible SymptomsThe following folder is created:
The following files are created:
- %SYSTEM%\sdra64.exe
- %SYSTEM%\lowsec\local.ds
- %SYSTEM%\lowsec\user.ds
- %SYSTEM%\lowsec\user.ds.lll
Possible termination of the firewall or other security applications, including antivirus monitors.
|
Detailed AnalysisThis trojan attempts to steal finance related information such as credit card numbers, bank account details, and online banking credentials. It also compromises the system, giving remote access to the victim computer.
Creates the following folder:
Creates the following files:
- %SYSTEM%\sdra64.exe
- %SYSTEM%\lowsec\local.ds
- %SYSTEM%\lowsec\user.ds
- %SYSTEM%\lowsec\user.ds.lll
May terminate the firewall or other security applications, including antivirus monitors.
It adds the following registry:
- key: HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- value: ProxyEnable
- data: 0x00000000
- key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network
- value: UID
- data: [Computer Name]_[Random Number]
- key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
- value: Userinit
- data: %SYSTEM%\userinit.exe,%SYSTEM%\sdra64.exe,
It tries to access the following IP address:
|
Recommended ActionFortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
|
