Submission Summary:

• Submission details:
• Submission received: 5 November 2009, 20:39:14
• Processing time: 8 min 5 sec
• Submitted sample:
• File MD5: 0xD93A6C71990A0660406EFD547A3E8846
• File SHA-1: 0x179521B40AA8AA149E578D5813E10EE7491C0748
• Filesize: 73,728 bytes
• Alias:
• Downloader [Symantec]
• Trojan.Win32.Buzus.cdgq [Kaspersky Lab]
• Generic Dropper!bfb [McAfee]
• Trojan:Win32/Meredrop [Microsoft]
• Downloader.Delphi [Ikarus]
• Win-Trojan/ZBot.73728 [AhnLab]

• Summary of the findings:

What's been found	Severity Level
Threat characteristics of ZBot - a banking trojan that disables firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and provides a hacker with the remote access to the compromised system.
Stealth-mode characteristics common to Rootkits.
Downloads/requests other files from Internet.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Trojan-Spy.Zbot.YETH	Trojan-Spy.Zbot.YETH is a rootkit trojan which steals online banking information and downloads other malware as well.

• Attention! The following threat categories were identified:

Threat Category	Description
	A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system
	A program that downloads files to the local computer that may represent security risk

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	[file and pathname of the sample #1]	73,728 bytes	MD5: 0xD93A6C71990A0660406EFD547A3E8846 SHA-1: 0x179521B40AA8AA149E578D5813E10EE7491C0748	Downloader [Symantec] Trojan.Win32.Buzus.cdgq [Kaspersky Lab] Generic Dropper!bfb [McAfee] Trojan:Win32/Meredrop [Microsoft] Downloader.Delphi [Ikarus] Win-Trojan/ZBot.73728 [AhnLab]
2	%System%\sdra64.exe	531,456 bytes	MD5: 0x0F24E17B37EFC555048389C10DFF3456 SHA-1: 0xEC6CDD714C033F3DE1BD511C31A8F84E44E38BA7	Downloader [Symantec] Trojan:Win32/Meredrop [Microsoft] Downloader.Delphi [Ikarus]

• Note:
• %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

• Attention! The following hidden files were created in the system:

• Attention! The following hidden directory was created:
• %System%\lowsec

Memory Modifications

• There was a new process created in the system:

• There were new memory pages created in the address space of the system process(es):

Process Name	Process Filename	Allocated Size
services.exe	%System%\services.exe	90,112 bytes
lsass.exe	%System%\lsass.exe	90,112 bytes
svchost.exe	%System%\svchost.exe	90,112 bytes
svchost.exe	%System%\svchost.exe	90,112 bytes
svchost.exe	%System%\svchost.exe	90,112 bytes
svchost.exe	%System%\svchost.exe	90,112 bytes
svchost.exe	%System%\svchost.exe	90,112 bytes
alg.exe	%System%\alg.exe	90,112 bytes

Registry Modifications

• The following Registry Keys were created:
• HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
• HKEY_USERS\.DEFAULT\Software\Microsoft\Protected Storage System Provider

• The newly created Registry Values are:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network]
• UID = "%ComputerName%_0001F18F"
• [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}]
• {3039636B-5F3D-6C64-6675-696870667265} = F7 09 F2 0D
• {33373039-3132-3864-6B30-303233343434} = 47 09 F2 0D
• [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
• ProxyEnable = 0x00000000

• The following Registry Values were modified:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
• Userinit =
• [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
• Cookies =
• History =

Other details

• To mark the presence in the system, the following Mutex objects were created:
• _AVIRA_21099
• 25CE321401CA5E9B000007E82

• The following GET request was made:
• 1/nbyuf3k0fgjhtnigr.bin

• The data identified by the following URLs was then requested from the remote web server:
• http://uniqez.cn/1/nbyuf3k0fgjhtnigr.bin
• http://uniqez.cn/1/ip.php

Heuristics Analysis

• Heuristically identified list of online banking URLs that the threat attempts to compromise by injecting additional HTML code:
• https://www.gruposantander.es
• http://*odnoklassniki.ru
• http://vkontakte.ru
• https://banking.*.de
• https://internetbanking.gad.de
• https://www.citibank.de
• https://online.lloydstsb.co.uk
• https://www.mybank.alliance-leicester.co.uk
• https://www.hsbc.co.uk
• https://www.halifax-online.co.uk
• http://www.halifax.co.uk
• https://www.bankofscotlandhalifax-online.co.uk
• https://your.egg.com
• https://onlinebanking.firsttrustbank.co.uk
• https://online.ybs.co.uk
• https://www.coventrybuildingsociety.co.uk
• https://www.365online.co.uk
• https://www.365online.com
• https://www.rbsdigital.com
• https://*npbs.co.uk
• https://ibank.cahoot.com
• https://*bankcardservices.co.uk
• https://*ulsterbankanytimebanking.*
• https://www.mybusinessbank.co.uk
• https://online.islamic-bank.com
• https://online-offshore.lloydstsb.com
• https://online-business.lloydstsb.co.uk
• https://easyweb*.tdcanadatrust.com
• https://www.53.com
• https://onlineeast#.bankofamerica.com
• https://resources.chase.com
• https://web.da-us.citibank.com
• https://www#.citizensbankonline.com
• https://onlinebanking.nationalcity.com
• https://goldleafach.com
• https://secure.fundsxpress.com
• https://www.columbiabankonline.com
• https://businessonline.tdbank.com
• https://webexpress.tdbanknorth.com
• https://web3.secureinternetbank.com
• https://www.sunnb.blilk.com
• http://www.unfcu.org
• https://onlinetreasurymanager.suntrust.com
• https://www.whitneybank.web-access.com
• https://alltimetreasury.pacificcapitalbank.com
• https://commerceconnections.commercebank.com
• https://myib.firstmerchants.com
• https://www.independentcm.com
• https://www.skagitonlinebanking.com
• https://www.ecathay.com
• https://www.isbnj.com
• https://ibank.scnb.com
• https://cm.netteller.com
• https://www.eastwestbankhb.com
• https://banking.calbanktrust.com
• https://www.brownshipley-online.com
• https://ibank.internationalbanking.barclays.com
• https://welcome*.smile.co.uk
• https://myonlin1111111eaccounts*.abbeynational.co.uk
• https://service.oneaccount.com
• https://www.accessmycardonline.com
• https://www.nochex.com
• https://my.if.com
• https://olb2.nationet.com
• https://home.cbonline.co.uk
• https://home.ybonline.co.uk
• https://cardsonline-consumer.com
• https://welcome*.co-operativebank.co.uk
• https://secure.ingdirect.co.uk
• https://database.acornmediauk.com
• https://uk.virginmoney.com
• https://www.nwolb.com
• https://secure.natweststockbrokers.co.uk
• https://www.caterallenonline.co.uk
• https://ibank.barclays.co.uk
• https://myonlineaccounts3.abbeynational.co.uk
• https://bcol.barclaycard.co.uk
• https://www.edirectdebit.com
• https://www.cardonebanking.com
• https://www.paypal.com
• https://www.citibank.co.uk
• https://www.icicibank.co.uk
• https://www.bankcardservices.co.uk
• https://www.capitaloneonline.co.uk
• https://*.banking.first-direct.com
• https://www.moneybookers.com

• When an online banking Web server delivers a Web page to the client's browser application, the threat may inject additional fields into its login form with the purpose of stealing confidential information that the user enters into those fields. For example, the compromised login forms may look as shown below: