Submission Summary:

• Submission details:
• Submission received: 25 September 2009, 09:55:08
• Processing time: 7 min 46 sec
• Submitted sample:
• File MD5: 0xF8DA3D46BF0ADE85DDFDE0FDA9BE21E7
• File SHA-1: 0x92FD8BA84D71C2C04F0ECEAFB6F3604BA44AA261
• Filesize: 96,880 bytes
• Alias:
• Trojan.Dropper [Symantec]
• Trojan-Dropper.Win32.VB.adzn [Kaspersky Lab]
• Troj/Mdrop-CGC [Sophos]
• TrojanDropper:Win32/Vwealera.A [Microsoft]
• Trojan-Dropper.Win32.VB [Ikarus]

• Summary of the findings:

What's been found	Severity Level
Threat characteristics of ZBot - a banking trojan that disables firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and provides a hacker with the remote access to the compromised system.
Stealth-mode characteristics common to Rootkits.
Downloads/requests other files from Internet.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Trojan-Spy.Zbot.a	Trojan-Spy.Zbot.a is a banking trojan that will monitor logins to banking websites and send all captured information to a remote server. After installation, all malicious files are hidden from the user and monitoring of user activity is done through process injection.

• Attention! The following threat categories were identified:

Threat Category	Description
	A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\tmp.exe	64,000 bytes	MD5: 0x87B966309AA85102B095271980FF05E3 SHA-1: 0x94A6941CCFBACC720AD2F7B0F5A0F89B2D32EA3E	Packed.Generic.232 [Symantec] Trojan-Spy.Win32.Zbot.gen [Kaspersky Lab] Mal/Zbot-O, Mal/EncPk-CZ [Sophos] PWS:Win32/Zbot.M [Microsoft]
2	[file and pathname of the sample #1]	96,880 bytes	MD5: 0xF8DA3D46BF0ADE85DDFDE0FDA9BE21E7 SHA-1: 0x92FD8BA84D71C2C04F0ECEAFB6F3604BA44AA261	Trojan.Dropper [Symantec] Trojan-Dropper.Win32.VB.adzn [Kaspersky Lab] Troj/Mdrop-CGC [Sophos] TrojanDropper:Win32/Vwealera.A [Microsoft] Trojan-Dropper.Win32.VB [Ikarus]
3	%System%\sdra64.exe	521,216 bytes	MD5: 0xC47A01424417839BD323DC411076B391 SHA-1: 0xD32AC3D72507D544319481D6171A9A4C38B7092D	Trojan-Spy.Win32.Zbot.gen [Kaspersky Lab] Mal/Zbot-O, Mal/EncPk-CZ [Sophos] PWS:Win32/Zbot.M [Microsoft]

• Notes:
• %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
• %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

• Attention! The following hidden files were created in the system:

• Attention! The following hidden directory was created:
• %System%\lowsec

Memory Modifications

• There were new processes created in the system:

Process Name	Process Filename	Main Module Size
tmp.exe	%Temp%\tmp.exe	94,208 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	36,864 bytes

• There were new memory pages created in the address space of the system process(es):

Process Name	Process Filename	Allocated Size
services.exe	%System%\services.exe	90,112 bytes
lsass.exe	%System%\lsass.exe	90,112 bytes
svchost.exe	%System%\svchost.exe	90,112 bytes
svchost.exe	%System%\svchost.exe	90,112 bytes
svchost.exe	%System%\svchost.exe	90,112 bytes
svchost.exe	%System%\svchost.exe	90,112 bytes
svchost.exe	%System%\svchost.exe	90,112 bytes
alg.exe	%System%\alg.exe	90,112 bytes

Registry Modifications

• The following Registry Keys were created:
• HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
• HKEY_USERS\.DEFAULT\Software\Microsoft\Protected Storage System Provider

• The newly created Registry Values are:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network]
• UID = "%ComputerName%_0001FB14"
• [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}]
• {3039636B-5F3D-6C64-6675-696870667265} = F7 09 F2 0D
• {33373039-3132-3864-6B30-303233343434} = 47 09 F2 0D
• [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
• ProxyEnable = 0x00000000

• The following Registry Values were modified:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
• Userinit =
• [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
• Cookies =
• History =

Other details

• To mark the presence in the system, the following Mutex objects were created:
• _AVIRA_21099
• FE9390AA01CA3E00000007E82

• The following GET request was made:
• mc/c.ttf

• The data identified by the following URLs was then requested from the remote web server:
• http://68.222.251.128/mc/c.ttf
• http://www.whatismyip.com/