Submission Summary:

• Submission details:
• Submission received: 6 November 2009, 14:24:55
• Processing time: 7 min 27 sec
• Submitted sample:
• File MD5: 0x749EB132C98138D1A87D2FD486CDF30C
• File SHA-1: 0x61225A08CBB5BABF0077D50E11E60372CFF484D6
• Filesize: 107,008 bytes
• Alias:
• Trojan.Zbot [PCTools]
• Trojan.Zbot!gen2 [Symantec]

• Summary of the findings:

What's been found	Severity Level
Threat characteristics of ZBot - a banking trojan that disables firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and provides a hacker with the remote access to the compromised system.
Stealth-mode characteristics common to Rootkits.
Downloads/requests other files from Internet.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Trojan-Spy.Zbot.YETH	Trojan-Spy.Zbot.YETH is a rootkit trojan which steals online banking information and downloads other malware as well.

• Attention! The following threat categories were identified:

Threat Category	Description
	A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system

File System Modifications

• The following file was created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	[file and pathname of the sample #1] %System%\sdra64.exe	107,008 bytes	MD5: 0x749EB132C98138D1A87D2FD486CDF30C SHA-1: 0x61225A08CBB5BABF0077D50E11E60372CFF484D6	Trojan.Zbot [PCTools] Trojan.Zbot!gen2 [Symantec]

• Note:
• %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

• Attention! The following hidden files were created in the system:

• Attention! The following hidden directory was created:
• %System%\lowsec

Memory Modifications

• There was a new process created in the system:

• There were new memory pages created in the address space of the system process(es):

Process Name	Process Filename	Allocated Size
services.exe	%System%\services.exe	131,072 bytes
lsass.exe	%System%\lsass.exe	131,072 bytes
svchost.exe	%System%\svchost.exe	131,072 bytes
svchost.exe	%System%\svchost.exe	131,072 bytes
svchost.exe	%System%\svchost.exe	131,072 bytes
svchost.exe	%System%\svchost.exe	131,072 bytes
svchost.exe	%System%\svchost.exe	131,072 bytes
alg.exe	%System%\alg.exe	131,072 bytes

Registry Modifications

• The following Registry Keys were created:
• HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{334613DB-50C1-B3BE-95ED-E9915A134FF1}
• HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
• HKEY_USERS\.DEFAULT\Software\Microsoft\Protected Storage System Provider

• The newly created Registry Values are:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network]
• UID = "%ComputerName%_00028D71"
• [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{334613DB-50C1-B3BE-95ED-E9915A134FF1}]
• {3039636B-5F3D-6C64-6675-696870667265} = F7 09 F2 0D
• {33373039-3132-3864-6B30-303233343434} = 47 09 F2 0D
• [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}]
• {3039636B-5F3D-6C64-6675-696870667265} = F7 09 F2 0D
• {33373039-3132-3864-6B30-303233343434} = 47 09 F2 0D
• [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
• ProxyEnable = 0x00000000

• The following Registry Values were modified:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
• Userinit =
• [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
• Cookies =
• History =

Other details

• To mark the presence in the system, the following Mutex objects were created:
• 1DD6856C01CA5F30000000702
• _AVIRA_21099

• The following GET request was made:
• lcc/ip2.gif

• The data identified by the following URLs was then requested from the remote web server:
• http://193.104.27.42/lcc/ip2.gif
• http://193.104.27.42/ip.php

Heuristics Analysis

• Heuristically identified list of online banking URLs that the threat attempts to compromise by injecting additional HTML code:
• http://193.104.27.42
• https://internetbanking.gad.de
• https://banking.*.de
• https://www.citibank.de
• https://onb.webcashmgmt.com
• http://www.firsttennessee.com
• http://www.arvest.com
• https://top.capitalonebank.com
• https://www.boh.com
• http://us.hsbc.com
• https://www.frostbank.com
• https://www.mibank.com
• https://rbs.com
• https://singlepoint.usbank.com
• https://www.citibank.com
• https://www.jpmorgan.com
• https://www.floridagulfbank.com
• https://bnycash.bankofny.com
• https://itreasury.regions.com
• https://www.fiservdmecorp1.net
• http://www.wellsfargo.com
• https://www.fiservla10.com
• https://businessonlinebanking.ebanking-services.com
• https://www.manufacturers.web-access.com
• https://citizensbank.ebanking-services.com
• https://ctreporter.coletaylor.com
• https://wtb.ebanking-services.com
• https://www2.alerusfinancial.com
• https://privatebk.ebanking-services.com
• https://passport.texascapitalbank.com
• https://ecash.fsbnm.com
• https://securentrycorp.calbanktrust.com
• https://www.bbvacompass.com
• https://www.cashanalyzer.com
• https://express.53.com
• https://imanage.ebanking-services.com
• https://web5.secureinternetbank.com
• https://securentrycorp.zionsbank.com
• https://www.ubi-businessonline.blilk.com
• https://ecash.dacotahbank.com
• https://securentrycorp.amegybank.com
• https://securentrycorp.nbarizona.com
• https://direct.53.com
• https://i-businessbanking.ebanking-services.com
• https://www.cbolobank.com
• https://www.us.hsbc.com
• https://online.wellsfargo.com
• https://www.paypal.com
• https://www#.usbank.com
• https://www#.citizensbankonline.com
• https://onlinebanking.nationalcity.com
• https://www.suntrust.com
• https://www.53.com
• https://web.da-us.citibank.com
• https://onlineeast#.bankofamerica.com
• https://online.wamu.com
• https://businessonline.tdbank.com
• https://online.citibank.com
• https://webexpress.tdbanknorth.com
• https://www.sterlingwires.com
• https://ffce.webcashmgmt.com
• https://trading.scottrade.com
• https://www.svbconnect.com
• https://chaseonline.chase.com
• https://www.securechemicalbankmi.com
• https://www.skagitonlinebanking.com
• https://www.ecathay.com
• https://www.americansavingsnj2.com
• https://commercial.wachovia.com
• https://internetbanking.firsttennessee.biz
• https://ibank.scnb.com
• https://cashman.arvest.com
• https://lakecitybank.webcashmgmt.com
• https://boh.webcashmgmt.com
• https://www.sterlingcorporatenetbanking.com
• https://www.directline4biz.com
• https://cm.netteller.com
• https://businessonline.huntington.com
• https://business-eb.ibanking-services.com
• https://treas-mgt.frostbank.com
• https://secure.ingdirect.com
• https://mibusinessonlinebanking.ebanking-services.com
• https://www.eastwestbankhb.com
• https://usgateway1.rbs.com
• https://usgateway2.rbs.com
• http://fbtonline.com
• https://cbs.firstcitizens.com
• https://bob.sovereignbank.com
• https://banking.calbanktrust.com
• http://www.ncsecu.org
• https://onlineaccess.ncsecu.org
• https://www.sunnb.blilk.com
• http://unfcu.org
• http://www.unfcu.org
• https://onlinetreasurymanager.suntrust.com
• https://www.whitneybank.web-access.com
• https://alltimetreasury.pacificcapitalbank.com
• https://commerceconnections.commercebank.com
• https://*.ebanking-services.com
• https://myib.firstmerchants.com
• https://businessaccess.citibank.citigroup.com
• https://www.independentcm.com
• https://www.columbiabankonline.com
• https://access.jpmorgan.com
• http://www.jpmorganaccess.com
• https://ws2.bankbyweb.net
• https://www.nationalcity.com
• https://goldleafach.com
• https://*.web-cashplus.com
• https://www.businessonlineaccess.web-cashplus.com
• https://secure.fundsxpress.com
• https://www.easterntreasuryconnect.com
• https://wellsoffice.wellsfargo.com
• https://www.mybusinessbank.co.uk
• https://www.bankoffortbendonline.com
• https://bankoffortbendonline.com
• https://www.ffsbkyonline.com
• https://cm.firstbankpr.com
• https://treasury.wamu.com
• https://cashmanagement.firstambank.com
• https://www.businesse-cashmanager.web-access.com
• https://www.bankunitedbusinessexpress.blilk.com
• https://netconnect.bokf.com
• https://www8.comerica.com
• https://ktt.key.com
• https://cashmgt.firsttennessee.biz
• https://e-access.compassbank.com
• https://web6.secureinternetbank.com
• https://www.nashvillecitizensbank.com
• https://*treasury.pncbank.com
• https://www.pnc.com
• https://www.usaa.com
• https://mfasa.chase.com
• https://infoplus.mandtbank.com
• https://treasurydirect.*.tdbank.com

• When an online banking Web server delivers a Web page to the client's browser application, the threat may inject additional fields into its login form with the purpose of stealing confidential information that the user enters into those fields. For example, the compromised login forms may look as shown below: