Submission Summary:

• Submission details:
• Submission received: 6 November 2009, 05:16:24
• Processing time: 8 min 25 sec
• Submitted sample:
• File MD5: 0xBD862BC6249CDB499817928C6D18EDBE
• File SHA-1: 0x9290A0099A18C44FE05E1490438D8BEB084808EB
• Filesize: 107,008 bytes
• Alias:
• Trojan-PSW.Banker [PCTools]
• Infostealer.Banker.C [Symantec]
• Trojan-Spy.Win32.Zbot.gen [Kaspersky Lab]
• Generic PWS.y!bdl [McAfee]
• Troj/Agent-LQH [Sophos]
• PWS:Win32/Zbot.gen!R [Microsoft]
• Win-Trojan/ZBot.107008 [AhnLab]

• Summary of the findings:

What's been found	Severity Level
Threat characteristics of ZBot - a banking trojan that disables firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and provides a hacker with the remote access to the compromised system.
Stealth-mode characteristics common to Rootkits.
Downloads/requests other files from Internet.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Trojan-Spy.Zbot.YETH	Trojan-Spy.Zbot.YETH is a rootkit trojan which steals online banking information and downloads other malware as well.

• Attention! The following threat categories were identified:

Threat Category	Description
	A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system

File System Modifications

• The following file was created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	[file and pathname of the sample #1] %System%\sdra64.exe	107,008 bytes	MD5: 0xBD862BC6249CDB499817928C6D18EDBE SHA-1: 0x9290A0099A18C44FE05E1490438D8BEB084808EB	Trojan-PSW.Banker [PCTools] Infostealer.Banker.C [Symantec] Trojan-Spy.Win32.Zbot.gen [Kaspersky Lab] Generic PWS.y!bdl [McAfee] Troj/Agent-LQH [Sophos] PWS:Win32/Zbot.gen!R [Microsoft] Win-Trojan/ZBot.107008 [AhnLab]

• Note:
• %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

• Attention! The following hidden files were created in the system:

• Attention! The following hidden directory was created:
• %System%\lowsec

Memory Modifications

• There was a new process created in the system:

• There were new memory pages created in the address space of the system process(es):

Process Name	Process Filename	Allocated Size
services.exe	%System%\services.exe	126,976 bytes
lsass.exe	%System%\lsass.exe	126,976 bytes
svchost.exe	%System%\svchost.exe	126,976 bytes
svchost.exe	%System%\svchost.exe	126,976 bytes
svchost.exe	%System%\svchost.exe	126,976 bytes
svchost.exe	%System%\svchost.exe	126,976 bytes
svchost.exe	%System%\svchost.exe	126,976 bytes
alg.exe	%System%\alg.exe	126,976 bytes

Registry Modifications

• The following Registry Keys were created:
• HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{334613DB-50C1-B3BE-95ED-E9915A134FF1}
• HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
• HKEY_USERS\.DEFAULT\Software\Microsoft\Protected Storage System Provider

• The newly created Registry Values are:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network]
• UID = "%ComputerName%_0001A6AB"
• [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{334613DB-50C1-B3BE-95ED-E9915A134FF1}]
• {3039636B-5F3D-6C64-6675-696870667265} = F7 09 F2 0D
• {33373039-3132-3864-6B30-303233343434} = 47 09 F2 0D
• [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}]
• {3039636B-5F3D-6C64-6675-696870667265} = F7 09 F2 0D
• {33373039-3132-3864-6B30-303233343434} = 47 09 F2 0D
• [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
• ProxyEnable = 0x00000000

• The following Registry Values were modified:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
• Userinit =
• [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
• Cookies =
• History =

Other details

• To mark the presence in the system, the following Mutex object was created:
• _AVIRA_21099

• The following GET request was made:
• cnk/274.gif

• The data identified by the following URLs was then requested from the remote web server:
• http://193.104.27.4/cnk/274.gif
• http://193.104.27.4/ip.php

Heuristics Analysis

• Heuristically identified list of online banking URLs that the threat attempts to compromise by injecting additional HTML code:
• http://193.104.27.42
• https://internetbanking.gad.de
• https://banking.*.de
• https://www.citibank.de
• https://onb.webcashmgmt.com
• http://www.firsttennessee.com
• http://www.arvest.com
• https://top.capitalonebank.com
• https://www.boh.com
• http://us.hsbc.com
• https://www.frostbank.com
• https://www.mibank.com
• https://rbs.com
• https://singlepoint.usbank.com
• https://www.citibank.com
• https://www.jpmorgan.com
• https://www.floridagulfbank.com
• https://bnycash.bankofny.com
• https://itreasury.regions.com
• https://www.fiservdmecorp1.net
• http://www.wellsfargo.com
• https://www.fiservla10.com
• https://businessonlinebanking.ebanking-services.com
• https://www.manufacturers.web-access.com
• https://citizensbank.ebanking-services.com
• https://ctreporter.coletaylor.com
• https://wtb.ebanking-services.com
• https://www2.alerusfinancial.com
• https://privatebk.ebanking-services.com
• https://passport.texascapitalbank.com
• https://ecash.fsbnm.com
• https://securentrycorp.calbanktrust.com
• https://www.bbvacompass.com
• https://www.cashanalyzer.com
• https://express.53.com
• https://imanage.ebanking-services.com
• https://web5.secureinternetbank.com
• https://securentrycorp.zionsbank.com
• https://www.ubi-businessonline.blilk.com
• https://ecash.dacotahbank.com
• https://securentrycorp.amegybank.com
• https://securentrycorp.nbarizona.com
• https://direct.53.com
• https://i-businessbanking.ebanking-services.com
• https://www.cbolobank.com
• https://www.us.hsbc.com
• https://online.wellsfargo.com
• https://www.paypal.com
• https://www#.usbank.com
• https://www#.citizensbankonline.com
• https://onlinebanking.nationalcity.com
• https://www.suntrust.com
• https://www.53.com
• https://web.da-us.citibank.com
• https://onlineeast#.bankofamerica.com
• https://online.wamu.com
• https://businessonline.tdbank.com
• https://online.citibank.com
• https://webexpress.tdbanknorth.com
• https://www.sterlingwires.com
• https://ffce.webcashmgmt.com
• https://trading.scottrade.com
• https://www.svbconnect.com
• https://chaseonline.chase.com
• https://www.securechemicalbankmi.com
• https://www.skagitonlinebanking.com
• https://www.ecathay.com
• https://www.americansavingsnj2.com
• https://commercial.wachovia.com
• https://internetbanking.firsttennessee.biz
• https://ibank.scnb.com
• https://cashman.arvest.com
• https://lakecitybank.webcashmgmt.com
• https://boh.webcashmgmt.com
• https://www.sterlingcorporatenetbanking.com
• https://www.directline4biz.com
• https://cm.netteller.com
• https://businessonline.huntington.com
• https://business-eb.ibanking-services.com
• https://treas-mgt.frostbank.com
• https://secure.ingdirect.com
• https://mibusinessonlinebanking.ebanking-services.com
• https://www.eastwestbankhb.com
• https://usgateway1.rbs.com
• https://usgateway2.rbs.com
• http://fbtonline.com
• https://cbs.firstcitizens.com
• https://bob.sovereignbank.com
• https://banking.calbanktrust.com
• http://www.ncsecu.org
• https://onlineaccess.ncsecu.org
• https://www.sunnb.blilk.com
• http://unfcu.org
• http://www.unfcu.org
• https://onlinetreasurymanager.suntrust.com
• https://www.whitneybank.web-access.com
• https://alltimetreasury.pacificcapitalbank.com
• https://commerceconnections.commercebank.com
• https://*.ebanking-services.com
• https://myib.firstmerchants.com
• https://businessaccess.citibank.citigroup.com
• https://www.independentcm.com
• https://www.columbiabankonline.com
• https://access.jpmorgan.com
• http://www.jpmorganaccess.com
• https://ws2.bankbyweb.net
• https://www.nationalcity.com
• https://goldleafach.com
• https://*.web-cashplus.com
• https://www.businessonlineaccess.web-cashplus.com
• https://secure.fundsxpress.com
• https://www.easterntreasuryconnect.com
• https://wellsoffice.wellsfargo.com
• https://www.mybusinessbank.co.uk
• https://www.bankoffortbendonline.com
• https://bankoffortbendonline.com
• https://www.ffsbkyonline.com
• https://cm.firstbankpr.com
• https://treasury.wamu.com
• https://cashmanagement.firstambank.com
• https://www.businesse-cashmanager.web-access.com
• https://www.bankunitedbusinessexpress.blilk.com
• https://netconnect.bokf.com
• https://www8.comerica.com
• https://ktt.key.com
• https://cashmgt.firsttennessee.biz
• https://e-access.compassbank.com
• https://web6.secureinternetbank.com
• https://www.nashvillecitizensbank.com
• https://*treasury.pncbank.com
• https://www.pnc.com
• https://www.usaa.com
• https://mfasa.chase.com
• https://infoplus.mandtbank.com
• https://treasurydirect.*.tdbank.com

• When an online banking Web server delivers a Web page to the client's browser application, the threat may inject additional fields into its login form with the purpose of stealing confidential information that the user enters into those fields. For example, the compromised login forms may look as shown below: