Submission Summary:

• Submission details:
• Submission received: 5 October 2009, 13:36:19
• Processing time: 8 min 20 sec
• Submitted sample:
• File MD5: 0xAFBF7C802B3CCBBEC4689E6AEE2B2593
• File SHA-1: 0x79B752A466D590C84F9D4C4F532537E92123D15C
• Filesize: 88,576 bytes
• Alias:
• PWS:Win32/Zbot.gen!R [Microsoft]
• PWS.Win32 [Ikarus]

• Summary of the findings:

What's been found	Severity Level
Threat characteristics of ZBot - a banking trojan that disables firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and provides a hacker with the remote access to the compromised system.
Stealth-mode characteristics common to Rootkits.
Downloads/requests other files from Internet.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Trojan-Spy.Zbot.YETH	Trojan-Spy.Zbot.YETH is a rootkit trojan which steals online banking information and downloads other malware as well.

• Attention! The following threat categories were identified:

Threat Category	Description
	A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system

File System Modifications

• The following file was created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	[file and pathname of the sample #1] %System%\sdra64.exe	88,576 bytes	MD5: 0xAFBF7C802B3CCBBEC4689E6AEE2B2593 SHA-1: 0x79B752A466D590C84F9D4C4F532537E92123D15C	PWS:Win32/Zbot.gen!R [Microsoft] PWS.Win32 [Ikarus]

• Note:
• %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

• Attention! The following hidden files were created in the system:

• Attention! The following hidden directory was created:
• %System%\lowsec

Memory Modifications

• There was a new process created in the system:

• There were new memory pages created in the address space of the system process(es):

Process Name	Process Filename	Allocated Size
services.exe	%System%\services.exe	102,400 bytes
lsass.exe	%System%\lsass.exe	102,400 bytes
svchost.exe	%System%\svchost.exe	102,400 bytes
svchost.exe	%System%\svchost.exe	102,400 bytes
svchost.exe	%System%\svchost.exe	102,400 bytes
svchost.exe	%System%\svchost.exe	102,400 bytes
svchost.exe	%System%\svchost.exe	102,400 bytes
alg.exe	%System%\alg.exe	102,400 bytes

Registry Modifications

• The following Registry Keys were created:
• HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
• HKEY_USERS\.DEFAULT\Software\Microsoft\Protected Storage System Provider

• The newly created Registry Values are:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network]
• UID = "%ComputerName%_00028D23"
• [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}]
• {3039636B-5F3D-6C64-6675-696870667265} = F7 09 F2 0D
• {33373039-3132-3864-6B30-303233343434} = 47 09 F2 0D
• [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
• ProxyEnable = 0x00000000

• The following Registry Values were modified:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
• Userinit =
• [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
• Cookies =
• History =

Other details

• To mark the presence in the system, the following Mutex objects were created:
• A4ACE00201CA45FB000000742
• _AVIRA_21099

• The following GET request was made:
• pro/pew.bin

• The data identified by the following URLs was then requested from the remote web server:
• http://vaseacubmw.com/pro/pew.bin
• http://www.whatsmyipaddress.com/

Heuristics Analysis

• Heuristically identified list of online banking URLs that the threat attempts to compromise by injecting additional HTML code:
• https://banking.*.de
• https://internetbanking.gad.de
• https://www.citibank.de
• https://www.us.hsbc.com
• https://www.e-gold.com
• https://online.wellsfargo.com
• https://www.wellsfargo.com
• https://www.paypal.com
• https://www#.usbank.com
• https://easyweb*.tdcanadatrust.com
• https://www#.citizensbankonline.com
• https://onlinebanking.nationalcity.com
• https://www.suntrust.com
• https://www.53.com
• https://web.da-us.citibank.com
• https://onlineeast#.bankofamerica.com
• https://online.wamu.com
• https://onlinebanking#.wachovia.com
• https://resources.chase.com
• https://bancaonline.openbank.es
• https://extranet.banesto.es
• https://banesnet.banesto.es
• https://empresas.gruposantander.es
• https://www.gruposantander.es
• https://www.bbvanetoffice.com
• https://www.bancajaproximaempresas.com
• https://probanking.procreditbank.bg
• https://ibank.internationalbanking.barclays.com
• https://ibank.barclays.co.uk
• https://online-offshore.lloydstsb.com
• https://online-business.lloydstsb.co.uk
• http://www.hsbc.co.uk
• https://www.nwolb.com
• https://home.ybonline.co.uk
• https://home.cbonline.co.uk
• https://welcome27.co-operativebank.co.uk
• https://welcome23.smile.co.uk
• https://www.halifax-online.co.uk
• https://www2.bancopopular.es
• https://www.bancoherrero.com
• https://pastornetparticulares.bancopastor.es
• https://intelvia.cajamurcia.es
• https://www.caja-granada.es
• https://www.fibancmediolanum.es
• https://carnet.cajarioja.es
• https://www.cajalaboral.com
• https://www.cajasoldirecto.es
• https://www.clavenet.net
• https://www.cajavital.es
• https://banca.cajaen.es
• https://www.cajadeavila.es
• https://www.caixatarragona.es
• http://caixasabadell.net
• https://www.caixaontinyent.es
• https://www.caixalaietana.es
• https://www.cajacirculo.es
• https://areasegura.banif.es
• https://www.bgnetplus.com
• https://www.caixagirona.es
• https://www.unicaja.es
• https://www.sabadellatlantico.com
• https://oi.cajamadrid.es
• https://www.cajabadajoz.es
• https://montevia.elmonte.es
• https://www.cajacanarias.es
• https://oie.cajamadridempresas.es
• https://www.gruppocarige.it
• https://bancopostaonline.poste.it
• https://privati.internetbanking.bancaintesa.it
• https://hb.quiubi.it
• https://www.iwbank.it
• https://web.secservizi.it
• https://www.isideonline.it
• https://online*.lloydstsb.co.uk
• https://www.mybank.alliance-leicester.co.uk
• https://www.ebank.hsbc.co.uk
• https://www.isbank.com.tr
• https://light.webmoney.ru
• https://olb2.nationet.com
• https://www*.banking.first-direct.com
• https://cardsonline-consumer.com
• https://www.rbsdigital.com
• https://banking*.anz.com
• https://home2ae.cd.citibank.ae
• https://internetbanking.aib.ie
• https://lot-port.bcs.ru
• https://rupay.com
• http://*.osmp.ru
• https://www.uno-e.com
• https://www.ccm.es

• When an online banking Web server delivers a Web page to the client's browser application, the threat may inject additional fields into its login form with the purpose of stealing confidential information that the user enters into those fields. For example, the compromised login forms may look as shown below: