Submission Summary:

• Submission details:
• Submission received: 20 November 2009, 12:59:45
• Processing time: 8 min 21 sec
• Submitted sample:
• File MD5: 0xF6A5C4CEED2C45268B083488FAECB10A
• File SHA-1: 0x4EA4F2DF55E8953CF55AE66728A774B21410B660
• Filesize: 124,416 bytes
• Alias:
• Trojan.Zbot!gen2 [Symantec]
• Trojan-Spy.Win32.Zbot.gen [Kaspersky Lab]
• PWS-Zbot.gen.v [McAfee]
• Mal/EncPk-LE [Sophos]
• PWS:Win32/Zbot.gen!R [Microsoft]

• Summary of the findings:

What's been found	Severity Level
Threat characteristics of ZBot - a banking trojan that disables firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and provides a hacker with the remote access to the compromised system.
Stealth-mode characteristics common to Rootkits.
Downloads/requests other files from Internet.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Trojan-Spy.Zbot.YETH	Trojan-Spy.Zbot.YETH is a rootkit trojan which steals online banking information and downloads other malware as well.

• Attention! The following threat categories were identified:

Threat Category	Description
	A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system

File System Modifications

• The following file was created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	[file and pathname of the sample #1] %System%\sdra64.exe	124,416 bytes	MD5: 0xF6A5C4CEED2C45268B083488FAECB10A SHA-1: 0x4EA4F2DF55E8953CF55AE66728A774B21410B660	Trojan.Zbot!gen2 [Symantec] Trojan-Spy.Win32.Zbot.gen [Kaspersky Lab] PWS-Zbot.gen.v [McAfee] Mal/EncPk-LE [Sophos] PWS:Win32/Zbot.gen!R [Microsoft]

• Note:
• %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

• Attention! The following hidden files were created in the system:

• Attention! The following hidden directory was created:
• %System%\lowsec

Memory Modifications

• There were new memory pages created in the address space of the system process(es):

Process Name	Process Filename	Allocated Size
services.exe	%System%\services.exe	151,552 bytes
lsass.exe	%System%\lsass.exe	151,552 bytes
svchost.exe	%System%\svchost.exe	151,552 bytes
svchost.exe	%System%\svchost.exe	151,552 bytes
svchost.exe	%System%\svchost.exe	151,552 bytes
svchost.exe	%System%\svchost.exe	151,552 bytes
svchost.exe	%System%\svchost.exe	151,552 bytes
alg.exe	%System%\alg.exe	151,552 bytes
IEXPLORE.EXE	%ProgramFiles%\internet explorer\iexplore.exe	151,552 bytes

• Notes:
• %ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

Registry Modifications

• The following Registry Keys were created:
• HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{19127AD2-394B-70F5-C650-B97867BAA1F7}
• HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{334613DB-50C1-B3BE-95ED-E9915A134FF1}
• HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
• HKEY_USERS\.DEFAULT\Software\Microsoft\Protected Storage System Provider

• The newly created Registry Values are:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network]
• UID = "%ComputerName%_0001BB3C"
• [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{19127AD2-394B-70F5-C650-B97867BAA1F7}]
• {23343233-2C66-3B33-3432-343233343233} = F7 15 F4 0E
• {EEFDB33B-91B0-A7E2-CF34-C5D4A810AF1E} = 0B 09 F2 0D
• [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{334613DB-50C1-B3BE-95ED-E9915A134FF1}]
• {3039636B-5F3D-6C64-6675-696870667265} = F7 09 F2 0D
• {33373039-3132-3864-6B30-303233343434} = 47 09 F2 0D
• {6E633338-267E-2A79-6830-386668666866} = F7 09 F2 0D
• [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}]
• {3039636B-5F3D-6C64-6675-696870667265} = F7 09 F2 0D
• {33373039-3132-3864-6B30-303233343434} = 47 09 F2 0D
• {6E633338-267E-2A79-6830-386668666866} = F7 09 F2 0D
• [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
• ProxyEnable = 0x00000000

• The following Registry Values were modified:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
• Userinit =
• [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
• Cookies =
• History =

Other details

• There was registered attempt to establish connection with the remote host. The connection details are:

• The data identified by the following URLs was then requested from the remote web server:
• http://193.104.27.42/livs/rec.php
• http://193.104.27.42/lcc/ip2.gif
• http://193.104.27.42/ip.php