Submission Summary:

• Submission details:
• Submission received: 16 October 2009, 12:51:27
• Processing time: 7 min 53 sec
• Submitted sample:
• File MD5: 0xA88BDBC27321165D4A1F41810BAAC111
• File SHA-1: 0x41BB4F6D8A3C98381DBCF1A1277721B420D98984
• Filesize: 76,800 bytes
• Alias:
• Trojan-Spy.Win32.Zbot.uut [Kaspersky Lab]
• Troj/Zbot-HJ [Sophos]
• Trojan-Spy.Zeus [Ikarus]

• Summary of the findings:

What's been found	Severity Level
Threat characteristics of ZBot - a banking trojan that disables firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and provides a hacker with the remote access to the compromised system.
Stealth-mode characteristics common to Rootkits.
Downloads/requests other files from Internet.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Trojan-Spy.Zbot.YETH	Trojan-Spy.Zbot.YETH is a rootkit trojan which steals online banking information and downloads other malware as well.

• Attention! The following threat categories were identified:

Threat Category	Description
	A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	[file and pathname of the sample #1]	76,800 bytes	MD5: 0xA88BDBC27321165D4A1F41810BAAC111 SHA-1: 0x41BB4F6D8A3C98381DBCF1A1277721B420D98984	Trojan-Spy.Win32.Zbot.uut [Kaspersky Lab] Troj/Zbot-HJ [Sophos] Trojan-Spy.Zeus [Ikarus]
2	%System%\sdra64.exe	450,560 bytes	MD5: 0x21B8DC890EB623AEF072FFCDCBD182D3 SHA-1: 0x13C5F7D73ED99169AAFE529709FE4A9EC08AAFA1	Trojan-Spy.Win32.Zbot.uut [Kaspersky Lab] Troj/Zbot-HJ [Sophos] Trojan-Spy.Zeus [Ikarus]

• Note:
• %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

• Attention! The following hidden files were created in the system:

• Attention! The following hidden directory was created:
• %System%\lowsec

Memory Modifications

• There was a new process created in the system:

• There were new memory pages created in the address space of the system process(es):

Process Name	Process Filename	Allocated Size
services.exe	%System%\services.exe	90,112 bytes
lsass.exe	%System%\lsass.exe	90,112 bytes
svchost.exe	%System%\svchost.exe	90,112 bytes
svchost.exe	%System%\svchost.exe	90,112 bytes
svchost.exe	%System%\svchost.exe	90,112 bytes
svchost.exe	%System%\svchost.exe	90,112 bytes
svchost.exe	%System%\svchost.exe	90,112 bytes
alg.exe	%System%\alg.exe	90,112 bytes

Registry Modifications

• The following Registry Keys were created:
• HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
• HKEY_USERS\.DEFAULT\Software\Microsoft\Protected Storage System Provider

• The newly created Registry Values are:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network]
• UID = "%ComputerName%_0002962B"
• [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}]
• {3039636B-5F3D-6C64-6675-696870667265} = F7 09 F2 0D
• {33373039-3132-3864-6B30-303233343434} = 47 09 F2 0D
• [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
• ProxyEnable = 0x00000000

• The following Registry Values were modified:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
• Userinit =
• [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
• Cookies =
• History =

Other details

• To mark the presence in the system, the following Mutex objects were created:
• 33EB721E01CA4E9A000000702
• _AVIRA_21099

• The following GET request was made:
• sally/config.bin

• The data identified by the following URLs was then requested from the remote web server:
• http://websecure32.com/sally/config.bin
• http://websecure32.com/sally/ip.php

Heuristics Analysis

• Heuristically identified list of online banking URLs that the threat attempts to compromise by injecting additional HTML code:
• https://www.gruposantander.es
• http://*odnoklassniki.ru
• http://vkontakte.ru
• https://banking.*.de
• https://internetbanking.gad.de
• https://www.citibank.de
• https://www.us.hsbc.com
• https://www.e-gold.com
• https://online.wellsfargo.com
• https://www.wellsfargo.com
• https://www.paypal.com
• https://www#.usbank.com
• https://easyweb*.tdcanadatrust.com
• https://www#.citizensbankonline.com
• https://onlinebanking.nationalcity.com
• https://www.suntrust.com
• https://www.53.com
• https://web.da-us.citibank.com
• https://onlineeast#.bankofamerica.com
• https://online.wamu.com
• https://onlinebanking#.wachovia.com
• https://resources.chase.com
• https://bancaonline.openbank.es
• https://extranet.banesto.es
• https://banesnet.banesto.es
• https://empresas.gruposantander.es
• https://www.bbvanetoffice.com
• https://www.bancajaproximaempresas.com
• https://probanking.procreditbank.bg
• https://ibank.internationalbanking.barclays.com
• https://ibank.barclays.co.uk
• https://online-offshore.lloydstsb.com
• https://online-business.lloydstsb.co.uk
• http://www.hsbc.co.uk
• https://www.nwolb.com
• https://home.ybonline.co.uk
• https://home.cbonline.co.uk
• https://welcome27.co-operativebank.co.uk
• https://welcome23.smile.co.uk
• https://www.halifax-online.co.uk
• https://www2.bancopopular.es
• https://www.bancoherrero.com
• https://pastornetparticulares.bancopastor.es
• https://intelvia.cajamurcia.es
• https://www.caja-granada.es
• https://www.fibancmediolanum.es
• https://carnet.cajarioja.es
• https://www.cajalaboral.com
• https://www.cajasoldirecto.es
• https://www.clavenet.net
• https://www.cajavital.es
• https://banca.cajaen.es
• https://www.cajadeavila.es
• https://www.caixatarragona.es
• http://caixasabadell.net
• https://www.caixaontinyent.es
• https://www.caixalaietana.es
• https://www.cajacirculo.es
• https://areasegura.banif.es
• https://www.bgnetplus.com
• https://www.caixagirona.es
• https://www.unicaja.es
• https://www.sabadellatlantico.com
• https://oi.cajamadrid.es
• https://www.cajabadajoz.es
• https://montevia.elmonte.es
• https://www.cajacanarias.es
• https://oie.cajamadridempresas.es
• https://www.gruppocarige.it
• https://bancopostaonline.poste.it
• https://privati.internetbanking.bancaintesa.it
• https://hb.quiubi.it
• https://www.iwbank.it
• https://web.secservizi.it
• https://www.isideonline.it
• https://online*.lloydstsb.co.uk
• https://www.mybank.alliance-leicester.co.uk
• https://www.ebank.hsbc.co.uk
• https://www.isbank.com.tr
• https://light.webmoney.ru
• https://olb2.nationet.com
• https://www*.banking.first-direct.com
• https://cardsonline-consumer.com
• https://www.rbsdigital.com
• https://banking*.anz.com
• https://home2ae.cd.citibank.ae
• https://internetbanking.aib.ie
• https://lot-port.bcs.ru
• https://rupay.com
• http://*.osmp.ru
• https://www.uno-e.com
• https://www.ccm.es

• When an online banking Web server delivers a Web page to the client's browser application, the threat may inject additional fields into its login form with the purpose of stealing confidential information that the user enters into those fields. For example, the compromised login forms may look as shown below: