
Trojan.Spy.Zeus.W

HIGH
LOW
~66k
(Trojan-Spy.Win32.Zbot.sot, PWS:Win32/ZBot.M)

Symptoms

The presence of the following files:
    %WINDIR%\system32\sdra64.exe
    %WINDIR%\system32\lowsec\local.ds
    %WINDIR%\system32\lowsec\user.ds
    %WINDIR%\system32\lowsec\user.ds.lll
Where the "lowsec" directory and the executable are hidden.
 
Also the presence of the following registry key:
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit="%WINDIR%\system32\userinit.exe,%WINDIR%\system32\sdra64.exe,"

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Stefan Catalin Hanu, virus researcher

Technical Description:

The malware carries the icon of a *.chm file (Microsoft Compiled HTML Help File). This is a social engineering technique used to trick the user into launching the infection. The file is usually sent as an attachment to spam e-mail.
 
The malware comes encrypted; under the protection layer we find Trojan.Spy.Zeus.C.
The virus injects code into winlogon.exe, allowing it to create files undetected and run on the computer without the user's knowledge.
It copies itself to
    %WINDIR%\system32\sdra64.exe
(with a different size than the original file) and creates the "lowsec" folder, which holds three files of encrypted data. These files are not visible in Windows Explorer even with the option to show hidden and system files turned on.
 
In order to run at every reboot, the malware modifies the
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
registry value, so the persistence is not visible when only the usual Run keys are checked. The malware also creates the following mutex
    __SYSTEM__64AD0625__
on the infected machine. The malware can be used for stealing information, remote control or spamming.
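The indicators in the Symptoms section and the Userinit persistence described above can be checked from an elevated PowerShell prompt with the following triage script. It is an added example written for this page, not Bitdefender's own tooling; it generalises the Userinit check to flag any entry other than userinit.exe, and the "Global\" mutex namespace is an assumption, since the page does not state which namespace the sample uses.

```powershell
# Added example (not Bitdefender's tooling): triage checks for the Zeus.W
# indicators listed on this page. Because the injected code hides files from
# the running system, treat the Userinit check as the primary signal and
# confirm the file indicators from an offline copy of the disk where possible.

$findings = @()

# 1. Persistence: Userinit normally holds only userinit.exe. Any additional
#    comma-separated entry is suspicious (sdra64.exe for this family).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
$entries  = $userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
foreach ($entry in $entries) {
    if ([System.IO.Path]::GetFileName($entry).ToLower() -ne 'userinit.exe') {
        $findings += "Unexpected Userinit entry: $entry"
    }
}

# 2. Dropped files from the Symptoms section. [System.IO] calls bypass
#    Explorer's hidden/system filtering, but not hooks inside this process.
$sys32 = Join-Path $env:WINDIR 'system32'
$paths = @(
    (Join-Path $sys32 'sdra64.exe'),
    (Join-Path $sys32 'lowsec\local.ds'),
    (Join-Path $sys32 'lowsec\user.ds'),
    (Join-Path $sys32 'lowsec\user.ds.lll')
)
foreach ($p in $paths) {
    if ([System.IO.File]::Exists($p)) { $findings += "Dropped file present: $p" }
}
if ([System.IO.Directory]::Exists((Join-Path $sys32 'lowsec'))) {
    $findings += "Hidden directory present: $sys32\lowsec"
}

# 3. Infection-marker mutex. OpenExisting throws when the mutex is absent;
#    an access-denied error means it exists but belongs to another session.
#    The "Global\" form is an assumption (namespace not stated on the page).
foreach ($name in @('__SYSTEM__64AD0625__', 'Global\__SYSTEM__64AD0625__')) {
    try {
        $m = [System.Threading.Mutex]::OpenExisting($name)
        $m.Dispose()
        $findings += "Mutex present: $name"
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
    } catch [System.UnauthorizedAccessException] {
        $findings += "Mutex present (access denied): $name"
    }
}

if ($findings.Count -eq 0) { 'No Trojan.Spy.Zeus.W indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A clean Userinit value ends with a trailing comma after userinit.exe, which the script tolerates by discarding empty entries; a match on any check is a reason to let the antivirus disinfect rather than to delete files by hand.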