Trojan-Spy.Win32.Zbot.ci

From Total Malware Info

The description for Trojan-Spy.Win32.Zbot.ci was created during the beta test of the «Malware description on demand» service. Learn more at: www.dnt-lab.com/en/services.
Last edited:

5.8.2010

This Trojan-Spy is designed to steal confidential user information. It is a Windows application (PE-EXE file) of 42,496 bytes. It is packed with an unknown packer; its unpacked size is 139 KB.

Installation

It copies its executable file as:

%System%\ntos.exe 

In order to start automatically each time the system boots, the Trojan appends its executable to the Winlogon Userinit value in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Userinit=%System%\userinit.exe,%System%\ntos.exe,

The Trojan creates a thread that continuously restores its executable on disk and its startup entry in the registry whenever either is removed, so deleting them while the Trojan is still running has no lasting effect.
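The Userinit hijack above is simple to check for. The following Python script is an added example, not part of this description or of any vendor tool: it parses a Winlogon Userinit value, expands the %System% placeholder (assumed here to mean C:\Windows\system32) and the real %SystemRoot% variable, and returns every entry other than the legitimate userinit.exe. The sample values are constructed from the registry entry quoted above; on Windows the script also reads the live value through winreg.

```python
import ntpath

# Assumption: %System% in this description stands for the System32 directory.
SYSTEM_DIR = r"C:\Windows\system32"
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# On a clean machine the Userinit value is exactly "%System%\userinit.exe,"
# (the trailing comma is normal and is not an indicator by itself).
EXPECTED_USERINIT = ntpath.join(SYSTEM_DIR, "userinit.exe")


def expand_placeholders(value: str) -> str:
    """Expand the page's %System% placeholder and the real %SystemRoot% variable."""
    return (value.replace("%System%", SYSTEM_DIR)
                 .replace("%SystemRoot%", ntpath.dirname(SYSTEM_DIR)))


def userinit_entries(value: str) -> list:
    """Split the comma-separated Userinit value into trimmed, non-empty entries."""
    return [e.strip() for e in expand_placeholders(value).split(",") if e.strip()]


def rogue_userinit_entries(value: str) -> list:
    r"""Return every entry that is not the legitimate userinit.exe.

    Comparison is case-insensitive and slash-normalised (ntpath.normcase), so a
    clean value written as C:\WINDOWS\System32\userinit.exe is not a false positive.
    """
    expected = ntpath.normcase(EXPECTED_USERINIT)
    return [e for e in userinit_entries(value) if ntpath.normcase(e) != expected]


def read_live_userinit() -> str:
    """Read the real value on Windows (winreg is Windows-only; ImportError elsewhere)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _kind = winreg.QueryValueEx(key, "Userinit")
    return value


# Constructed samples: the value this Trojan writes, as quoted above, and a clean one.
INFECTED_SAMPLE = r"%System%\userinit.exe,%System%\ntos.exe,"
CLEAN_SAMPLE = r"C:\WINDOWS\System32\userinit.exe,"

if __name__ == "__main__":
    for label, value in (("infected", INFECTED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, rogue_userinit_entries(value))
    try:
        print("this host:", rogue_userinit_entries(read_live_userinit()))
    except ImportError:
        print("this host: not Windows, registry not checked")
```

Any non-empty result is worth investigating even if the extra entry is not ntos.exe: the Userinit value is a generic persistence point, and the check does not depend on this sample's file name.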

Payload

It creates an empty file:

%System32%\drivers\jlif.sys

It injects its code into all running processes in the system. The injected code performs the following actions:

It steals encryption keys belonging to the Quik software.

To do this, the Trojan searches the folder containing the Quik software for a file named qrypto.cfg and reads the paths to the public and private key storage from the following options in it:

secring=<path>\pubring.txk
pubring=<path>\secring.txk

Then, using the qrypto32.dll library that ships with Quik, the Trojan extracts the keys from the key store and sends them to the attacker's website.

It intercepts the following form parameters:

PAYMENT_AMOUNT
PAYEE_ACCOUNT
pass

on the following web pages (the # stands for a digit):

https://onlineeast#.bankofamerica.com/cgi-bin/ias/

and sends a report to the attacker's website.

It creates the files:

%System%\wsnpoem\audio.dll
%System%\wsnpoem\video.dll

in which it temporarily stores the collected information.

The collected data are sent with an HTTP request to the following address:

203.121.79.71

It also starts an HTTP proxy server on the infected computer on a randomly chosen TCP port and announces it to the attacker's website with an HTTP request.
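To sweep a host for the artifacts named in the Installation and Payload sections (ntos.exe, the empty jlif.sys, the wsnpoem directory with its audio.dll and video.dll) and for traffic to the address above, the following Python script is an added example, not from the original description. It assumes that %System% and %System32% both denote C:\Windows\system32; the file listing and log lines it runs over are constructed samples, and the log layout is arbitrary.

```python
import ntpath
import re

# Assumption: both placeholders used on the page denote the System32 directory.
SYSTEM_DIR = r"C:\Windows\system32"

# File artifacts named in this description.
FILE_IOCS = (
    r"%System%\ntos.exe",
    r"%System32%\drivers\jlif.sys",
    r"%System%\wsnpoem\audio.dll",
    r"%System%\wsnpoem\video.dll",
)
# The Trojan's working directory: anything found under it is suspect.
SUSPECT_DIRS = (r"%System%\wsnpoem",)
C2_ADDRESS = "203.121.79.71"


def expand(path: str) -> str:
    """Expand the page's placeholders, then normalise separators and case."""
    path = path.replace("%System32%", SYSTEM_DIR).replace("%System%", SYSTEM_DIR)
    return ntpath.normcase(ntpath.normpath(path))


def matching_files(paths) -> list:
    """Return the listed paths that are a known artifact or live under wsnpoem.

    Matching is case-insensitive, so NTOS.EXE and ntos.exe are treated alike.
    """
    iocs = {expand(p) for p in FILE_IOCS}
    dirs = tuple(expand(d) + "\\" for d in SUSPECT_DIRS)
    return [p for p in paths if expand(p) in iocs or expand(p).startswith(dirs)]


# Match the address only as a whole token, so 203.121.79.7 or .710 do not hit.
C2_RE = re.compile(r"(?<![\d.])" + re.escape(C2_ADDRESS) + r"(?![\d.])")


def c2_contacts(log_lines) -> list:
    """Return the log lines that mention the C2 address."""
    return [line for line in log_lines if C2_RE.search(line)]


# Constructed sample data (not a real capture): a directory listing and proxy log.
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\userinit.exe",
    r"C:\WINDOWS\system32\NTOS.EXE",
    r"C:\WINDOWS\system32\drivers\jlif.sys",
    r"C:\WINDOWS\system32\wsnpoem\audio.dll",
    r"C:\WINDOWS\system32\wsnpoem\video.dll",
    r"C:\WINDOWS\system32\wsnpoem\unknown.tmp",
    r"C:\WINDOWS\system32\drivers\tcpip.sys",
]
SAMPLE_LOG = [
    "2010-08-05 12:00:01 10.0.0.5 POST http://203.121.79.71/ 200",
    "2010-08-05 12:00:02 10.0.0.5 GET http://www.example.com/ 200",
    "2010-08-05 12:00:03 10.0.0.5 GET http://203.121.79.7/ 404",
]

if __name__ == "__main__":
    for hit in matching_files(SAMPLE_FILES):
        print("file artifact:", hit)
    for line in c2_contacts(SAMPLE_LOG):
        print("C2 contact:", line)
```

The proxy the Trojan opens listens on a random port, so there is no port-based indicator for it; the C2 address, the wsnpoem directory and the file names above are the usable ones, and any unexpected file under wsnpoem is flagged, not only the two named on the page.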

Removal Instructions

If your computer was not protected by an antivirus program and became infected with this malware, follow these steps to remove it:

  1. Use an antivirus program with up-to-date databases. Because the Trojan continuously restores its file and its Userinit entry while it is running, the files and registry entry listed above should only be deleted once the Trojan and the processes it has injected into are no longer running (for example, by scanning from a clean boot).