W32/Zbot.GXN!tr.spy

Aliases: Trojan-Spy.Win32.Zbot.gxn (Kaspersky), TrojanSpy:Win32/Zbot.gen!C (Microsoft), Trojan-Spy:W32/Zbot.YE (F-Secure)
Release Date: Nov 24, 2008
Detection Availability
                Active Database    Extended Database
  FortiGate     low                high
  FortiClient
  FortiMail     N/A
Current Antivirus Definition Database Version: 12.202
Description

Visible Symptoms

  • The following folders exist:
    • C:\WINDOWS\system32\twain_32
    • C:\Documents and Settings\LocalService\Application Data\twain_32
  • The following files exist:
    • C:\WINDOWS\system32\twain_32\local.ds
    • C:\WINDOWS\system32\twain_32\user.ds
    • C:\WINDOWS\system32\twext.exe
    • C:\Documents and Settings\LocalService\Application Data\twain_32\user.ds
  • Possible termination of the firewall or other security applications, including antivirus monitors.
Detailed Analysis

W32/ZBot.GXN!tr.spy is a banking trojan that disables the Windows firewall and steals user information such as online banking credentials and credit card numbers.

  • It creates the following folders:
    • C:\WINDOWS\system32\twain_32
    • C:\Documents and Settings\LocalService\Application Data\twain_32
  • It creates the following files:
    • C:\WINDOWS\system32\twain_32\local.ds
    • C:\WINDOWS\system32\twain_32\user.ds
    • C:\WINDOWS\system32\twext.exe
    • C:\Documents and Settings\LocalService\Application Data\twain_32\user.ds
  • It uses the following mutex:
    • __SYSTEM__Number__
  • It sets the following registry value so that twext.exe is executed every time Windows is started:
    • key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    • value: Userinit
    • data: C:\WINDOWS\system32\twext.exe (appended to the original Userinit path)
  • It disables the Windows firewall by setting the following registry value:
    • key: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    • value: EnableFirewall
    • data: 0
  • It also adds the following registry value:
    • key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network
    • value: UID
    • data: Hostname_Number (e.g. Hostname_000D2C8F)
  • It tries to access the following URL:
    • pavel[removed].ru/pavel/conf.bin
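As an added example, not part of the Fortinet description, the indicators above can be turned into a host-triage check. The Python below evaluates a snapshot of a host's registry values, file list and mutex names against the dropped files, the Userinit persistence, the firewall setting, the UID value and the mutex named in this analysis. The snapshot format, the sample hosts and the assumed clean Userinit value (C:\WINDOWS\system32\userinit.exe, on a default Windows XP install) are assumptions of the example, not data from the page.

```python
import re
from typing import Dict, List

# Indicators taken from the analysis above (Windows XP-era paths).
DROPPED_FILES = [
    r"C:\WINDOWS\system32\twain_32\local.ds",
    r"C:\WINDOWS\system32\twain_32\user.ds",
    r"C:\WINDOWS\system32\twext.exe",
    r"C:\Documents and Settings\LocalService\Application Data\twain_32\user.ds",
]
MUTEX_NAME = "__SYSTEM__Number__"

USERINIT_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
FIREWALL_KEY = (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
                r"\FirewallPolicy\StandardProfile\EnableFirewall")
UID_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID"

# Assumption: the only legitimate Userinit entry on a default Windows XP install.
EXPECTED_USERINIT = {r"c:\windows\system32\userinit.exe"}
# The UID the trojan writes is "<hostname>_<8 hex digits>", e.g. Hostname_000D2C8F.
UID_PATTERN = re.compile(r"^.+_[0-9A-F]{8}$")


def check_userinit(value: str) -> List[str]:
    """Return every Userinit entry that is not the expected userinit.exe.

    The trojan appends its dropped binary to the original comma-separated
    value, so any extra entry is what needs attention."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() not in EXPECTED_USERINIT]


def scan_host(snapshot: Dict) -> List[str]:
    """Compare a host snapshot (hypothetical format) against the indicators."""
    findings: List[str] = []
    reg = snapshot.get("registry", {})

    for entry in check_userinit(reg.get(USERINIT_KEY, "")):
        findings.append(f"Winlogon\\Userinit carries extra entry: {entry}")

    if reg.get(FIREWALL_KEY) == 0:
        findings.append("Windows firewall disabled (StandardProfile\\EnableFirewall = 0)")

    uid = reg.get(UID_KEY)
    if isinstance(uid, str) and UID_PATTERN.match(uid):
        findings.append(f"Zbot-style Network\\UID value present: {uid}")

    present = {p.lower() for p in snapshot.get("files", [])}
    for path in DROPPED_FILES:
        if path.lower() in present:
            findings.append(f"dropped file present: {path}")

    if MUTEX_NAME in snapshot.get("mutexes", []):
        findings.append(f"mutex present: {MUTEX_NAME}")

    return findings


# Constructed sample snapshots for demonstration only.
INFECTED_HOST = {
    "registry": {
        USERINIT_KEY: r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,",
        FIREWALL_KEY: 0,
        UID_KEY: "WORKSTATION_000D2C8F",
    },
    "files": list(DROPPED_FILES) + [r"C:\WINDOWS\system32\userinit.exe"],
    "mutexes": ["__SYSTEM__Number__", "ShimCacheMutex"],
}

CLEAN_HOST = {
    "registry": {
        USERINIT_KEY: r"C:\WINDOWS\system32\userinit.exe,",
        FIREWALL_KEY: 1,
    },
    "files": [r"C:\WINDOWS\system32\userinit.exe"],
    "mutexes": ["ShimCacheMutex"],
}


if __name__ == "__main__":
    for name, host in (("infected", INFECTED_HOST), ("clean", CLEAN_HOST)):
        print(f"[{name}] {len(scan_host(host))} finding(s)")
        for line in scan_host(host):
            print("  -", line)
```

The Userinit check is the one to keep even after cleanup: a legitimate Userinit value has exactly one entry, so any additional comma-separated path is worth investigating regardless of which family appended it.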

    Description Last Updated Date: Nov 25, 2008
    Reference: ID - 635352