Trojan.Spy.ZBot.VG

MEDIUM
LOW
~80 kbytes

Symptoms

The following files will be present on an infected system:
    %WINDIR%\system32\sdra64.exe
    %WINDIR%\system32\lowsec\local.ds
    %WINDIR%\system32\lowsec\user.ds
    %WINDIR%\system32\lowsec\user.ds.lll

The presence of the following registry key:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit="%WINDIR%\system32\userinit.exe,%WINDIR%\system32\sdra64.exe,"

Removal instructions:

Please let BitDefender delete the infected files.

Analyzed By

Dana Stanut, virus researcher

Technical Description:

    This version of ZBot is another encrypted variant of Trojan.Spy.Zbot.UI.
    It spreads through spam e-mail with the subject "Who killed Michael Jackson?". The e-mail contains a link to hxxp://mjackson.[removed]j.com/x-files, which tries to lure the user into downloading and executing the malware.
    When executed, it decrypts and injects its code into winlogon.exe and svchost.exe, so it can create files and access the Internet without the user's knowledge. It then copies itself to %WINDIR%\system32\sdra64.exe and appends garbage bytes to the end of the copy so that it has a different MD5 hash, an attempt to evade hash-based AV detection. It also creates the following encrypted, hidden files:
    %WINDIR%\system32\sdra64.exe
    %WINDIR%\system32\lowsec\local.ds
    %WINDIR%\system32\lowsec\user.ds
    %WINDIR%\system32\lowsec\user.ds.lll
    To run at every system startup it modifies the following registry key:
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit="%WINDIR%\system32\userinit.exe,
    adding the path to sdra64.exe after the userinit.exe path.
    It then downloads the following file onto the user's computer:
    http://lab[removed].com/lbrc/lbr.bin, which contains encrypted data.
    To mark its presence on the system it creates the following mutexes:
    __SYSTEM__64AD0625__, _AVIRA_2109, _AVIRA_2108, _AVIRA_210999, _H_64AD0625_
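A host check for the two indicators this page describes (the extra entry appended to the Winlogon Userinit value, and the dropped sdra64.exe/lowsec files), written as an added example for defenders; it is not Bitdefender's code. The Userinit value and the %WINDIR% expansion are constructed sample inputs, and the `exists` callback is injectable so the check can be exercised without a live registry or filesystem.

```python
import os
import re
from pathlib import PureWindowsPath

# Constructed sample values taken from the indicators listed on the page.
# On a live host the Userinit value would be read from
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon instead.
SAMPLE_USERINIT = r"%WINDIR%\system32\userinit.exe,%WINDIR%\system32\sdra64.exe,"
CLEAN_USERINIT = r"C:\Windows\system32\userinit.exe,"

# Files the page says this ZBot variant drops (relative to %WINDIR%).
ZBOT_FILES = [
    r"%WINDIR%\system32\sdra64.exe",
    r"%WINDIR%\system32\lowsec\local.ds",
    r"%WINDIR%\system32\lowsec\user.ds",
    r"%WINDIR%\system32\lowsec\user.ds.lll",
]


def expand_windir(path, windir=r"C:\Windows"):
    """Expand %WINDIR% case-insensitively (a lambda avoids backslash escapes in re.sub)."""
    return re.sub(r"%windir%", lambda m: windir, path, flags=re.IGNORECASE)


def parse_userinit(value, windir=r"C:\Windows"):
    """Split the comma-separated Userinit value into non-empty, expanded paths."""
    return [p.strip() for p in expand_windir(value, windir).split(",") if p.strip()]


def suspicious_userinit_entries(value, windir=r"C:\Windows"):
    """Return every Userinit entry other than the legitimate system32\\userinit.exe.
    Winlogon launches each listed program at logon, which is how this sample persists."""
    expected = PureWindowsPath(windir, "system32", "userinit.exe")
    # PureWindowsPath comparison is case-insensitive, as Windows paths are.
    return [e for e in parse_userinit(value, windir) if PureWindowsPath(e) != expected]


def present_zbot_files(windir=r"C:\Windows", exists=os.path.exists):
    """Return the dropped-file paths that exist on the host."""
    return [p for p in (expand_windir(f, windir) for f in ZBOT_FILES) if exists(p)]


def assess(userinit_value, windir=r"C:\Windows", exists=os.path.exists):
    """Combine both indicators into a single verdict dictionary."""
    extra = suspicious_userinit_entries(userinit_value, windir)
    files = present_zbot_files(windir, exists)
    return {"userinit_extra": extra, "files": files, "infected": bool(extra or files)}


if __name__ == "__main__":
    print(assess(SAMPLE_USERINIT, exists=lambda p: False))
```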