
Trojan.Spy.ZBot.UO

HIGH
LOW
~80k
Also known as: Trojan-Spy.Win32.Zbot.gen, PWS:Win32/Zbot.PM, W32/Zbot.AA

Symptoms

The presence of the following files:
    %WINDIR%\system32\sdra64.exe
    %WINDIR%\system32\lowsec\local.ds
    %WINDIR%\system32\lowsec\user.ds
    %WINDIR%\system32\lowsec\user.ds.lll
Where the "lowsec" directory and the executable are hidden.
 
The presence of the following registry value, with sdra64.exe appended after the legitimate userinit.exe entry:
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit="%WINDIR%\system32\userinit.exe,%WINDIR%\system32\sdra64.exe,"

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Stefan Catalin Hanu, virus researcher

Technical Description:

The malware sometimes carries the icon of a *.chm file (Microsoft Compiled HTML Help file) or another familiar icon. This is a social engineering technique used to trick the user into launching the infection. The file is usually sent as an attachment to spam e-mail.
 
The malware comes encrypted; under the protection layer we find Trojan.Spy.ZBot.UI.
The trojan injects code into winlogon.exe, which allows it to create files and connect to the internet undetected and to run on the computer without the user's knowledge.
It copies itself to
    %WINDIR%\system32\sdra64.exe
but with a different size, and creates the "lowsec" folder containing three files of encrypted data. The files are not visible in Windows Explorer even with the option to show hidden and system files turned on.
 
In order to run at every reboot, the malware modifies the
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
registry value, so the persistence does not show up in a routine check of the Run keys. The malware also creates the following mutex on the infected machine:
    __SYSTEM__64AD0625__
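The following Python triage script is an added example, not part of the original Bitdefender entry; it turns the Symptoms list above and the Userinit persistence described in this section into checks a responder can run. It parses a Winlogon\Userinit value the way Winlogon does (comma-separated, trailing comma ignored, case-insensitive paths), flags any entry other than userinit.exe, and matches a path listing against the four file indicators. Because the injected code hides the "lowsec" directory from Explorer on a live system, the file listing should come from a trusted source such as an offline disk image or a clean boot; the live registry and mutex helpers are best-effort checks that only run on Windows. The sample Userinit values and the image listing at the bottom are constructed for the example, and the assumption that userinit.exe is the only legitimate Userinit entry is the script's own.

```python
"""Triage helpers for the ZBot indicators described on this page (added example)."""
import sys

# Assumption: the only legitimate Userinit entry is userinit.exe. Winlogon stores
# the value as a comma-separated list that normally ends with a trailing comma.
EXPECTED_USERINIT = r"%WINDIR%\system32\userinit.exe"

# File indicators from the Symptoms list, kept in the page's %WINDIR% notation.
ZBOT_FILE_IOCS = (
    r"%WINDIR%\system32\sdra64.exe",
    r"%WINDIR%\system32\lowsec\local.ds",
    r"%WINDIR%\system32\lowsec\user.ds",
    r"%WINDIR%\system32\lowsec\user.ds.lll",
)
ZBOT_MUTEX = "__SYSTEM__64AD0625__"
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def expand_windir(path, windir):
    """Substitute the %WINDIR% placeholder with the concrete Windows directory."""
    return path.replace("%WINDIR%", windir).replace("%windir%", windir)


def parse_userinit(value):
    """Split a Userinit value the way Winlogon does: on commas, dropping the
    empty trailing element and surrounding whitespace."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def unexpected_userinit_entries(value, windir=r"C:\Windows"):
    """Return every Userinit entry that is not the legitimate userinit.exe.
    Comparison is case-insensitive, as Windows paths are."""
    expected = expand_windir(EXPECTED_USERINIT, windir).lower()
    return [e for e in parse_userinit(value) if e.lower() != expected]


def zbot_file_hits(present_paths, windir=r"C:\Windows"):
    """Match a path listing against the file indicators. Feed this a listing
    from an offline image or clean boot: on a live infected host the injected
    code hides 'lowsec' and sdra64.exe from Explorer."""
    wanted = {expand_windir(p, windir).lower() for p in ZBOT_FILE_IOCS}
    return sorted(p for p in present_paths if p.lower() in wanted)


def read_live_userinit():
    """On Windows, read the real Userinit value from HKLM; elsewhere return None."""
    if sys.platform != "win32":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


def live_mutex_present(name=ZBOT_MUTEX):
    """On Windows, try to open the mutex by name. It exists if the open succeeds
    or fails with ERROR_ACCESS_DENIED (5). Elsewhere return None."""
    if sys.platform != "win32":
        return None
    import ctypes
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.OpenMutexW.restype = ctypes.c_void_p
    SYNCHRONIZE = 0x00100000
    handle = kernel32.OpenMutexW(SYNCHRONIZE, False, name)
    if handle:
        kernel32.CloseHandle(ctypes.c_void_p(handle))
        return True
    return ctypes.get_last_error() == 5


def triage(userinit_value, present_paths, windir=r"C:\Windows"):
    """Combine the offline checks into one verdict dictionary."""
    extra = unexpected_userinit_entries(userinit_value, windir)
    files = zbot_file_hits(present_paths, windir)
    return {"userinit_extra": extra, "file_hits": files,
            "suspect": bool(extra or files)}


# Constructed sample data for the example, not taken from a real system.
SAMPLE_WINDIR = r"C:\WINDOWS"
INFECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"
CLEAN_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"
IMAGE_LISTING = [
    r"C:\WINDOWS\system32\userinit.exe",
    r"C:\WINDOWS\system32\sdra64.exe",
    r"C:\WINDOWS\system32\lowsec\local.ds",
    r"C:\WINDOWS\system32\lowsec\user.ds",
    r"C:\WINDOWS\notepad.exe",
]

if __name__ == "__main__":
    print(triage(INFECTED_USERINIT, IMAGE_LISTING, SAMPLE_WINDIR))
    print(triage(CLEAN_USERINIT, [r"C:\WINDOWS\notepad.exe"], SAMPLE_WINDIR))
```

On a live Windows host, pass `read_live_userinit()` as the first argument of `triage()` and pair it with a listing taken from an offline mount of the same disk; a mismatch between what Explorer shows and what the image contains is itself a strong sign of the hiding behaviour described above.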