Trojan-Spy.Win32.Zbot.eja

From Total Malware Info

The description for Trojan-Spy.Win32.Zbot.eja was created during the beta test of the «Malware description on demand» service. Learn more at: www.dnt-lab.com/en/services.

Last edited: 5.8.2010

The Trojan-Spy is designed to steal confidential user information. It is a Windows application (PE-EXE file). The size of its components varies from 53 to 255 bytes. It is packed with an unknown packer.

Installation

It copies its executable file as:

%System%\oembios.exe

In order to start automatically each time you start the system, the Trojan creates the link to its executable file in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
%System%\userinit.exe,%System%\oembios.exe

Payload

Once launched, the Trojan injects its code into all system processes. The injected code performs the following actions:

  • It maintains the presence of the Trojan's executable file on the hard disk, restoring it if it is removed:
    %System%\oembios.exe
  • It maintains the registry value through which the Trojan is started automatically when Windows starts, restoring it if it is removed:
    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    %System%\userinit.exe,%System%\oembios.exe
    
  • By hooking Internet API functions, it intercepts the data sent to the following web pages:
    https://www.faktura.ru/enter.jsp?site=
    https://bc.nsk.*.ru/*
    https://ibank*.ru/*
    
    The following form fields submitted on those pages are intercepted:
    &id=
    3=
    Rcmd
    
    as well as page content matching the following masks:
    *<input *value="
    *<option selected
    *<select
    
  • It steals the contents of the following files (certificate and private-key material):
    prv_key.pfx
    sign.cer
    *.p12
    *.pem
    *.dat
    
    The collected data is written to the following report files:
    %System%\sysproc64\sysproc32.sys
    %System%\sysproc64\sysproc86.sys
    
The collected data is transmitted to the attacker's website.

The Trojan also launches an HTTP proxy server listening on a randomly chosen TCP port.
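The persistence entry and file artifacts listed above can be checked for on a host. The following script is an added example, not part of the original description: it parses a Winlogon Userinit-style value (the description's `%System%\userinit.exe,%System%\oembios.exe` string; treating it as the `Userinit` value of the Winlogon key is this example's assumption), flags any entry other than userinit.exe, and looks for the dropped file and the report files. The sample value in the test is taken from the description; the registry read only runs on Windows.

```python
import os
import sys
from pathlib import PureWindowsPath

# Indicators as given in the description above; %System% is its placeholder for System32.
EXPECTED_USERINIT_BASENAME = "userinit.exe"
DROPPED_FILE = r"%System%\oembios.exe"
REPORT_FILES = [r"%System%\sysproc64\sysproc32.sys", r"%System%\sysproc64\sysproc86.sys"]
# Assumption of this example: the value is the Winlogon key's "Userinit" value.
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def parse_userinit(value: str) -> list[str]:
    """Split the comma-separated Userinit value into entries.

    A clean system value normally ends with a trailing comma
    ("C:\\Windows\\system32\\userinit.exe,"), so empty entries are dropped.
    """
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]


def extra_userinit_entries(value: str) -> list[str]:
    """Return every entry whose file name is not userinit.exe; a clean value yields []."""
    return [e for e in parse_userinit(value)
            if PureWindowsPath(e).name.lower() != EXPECTED_USERINIT_BASENAME]


def expand_system(path: str) -> str:
    """Replace the description's %System% placeholder with the real System32 directory."""
    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    return path.replace("%System%", system_dir)


def check_host() -> dict:
    """Check this machine for the registry and file indicators; read-only, removes nothing."""
    findings = {"userinit_extras": [], "files_present": []}
    if sys.platform == "win32":
        import winreg  # standard library, Windows only
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
            value, _ = winreg.QueryValueEx(key, "Userinit")
        findings["userinit_extras"] = extra_userinit_entries(value)
    for indicator in [DROPPED_FILE] + REPORT_FILES:
        real_path = expand_system(indicator)
        if os.path.exists(real_path):
            findings["files_present"].append(real_path)
    return findings


if __name__ == "__main__":
    print(check_host())
```

Any entry reported in `userinit_extras` or any path in `files_present` warrants further investigation with an antivirus product, as the removal instructions below advise.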

Removal Instructions

If your computer was not protected by an antivirus and was infected with this malware, follow these steps to remove it:

  1. To remove this Trojan, you should use an antivirus program.