Trojan.Spy.ZBot.EHE

Spreading: LOW
Damage: MEDIUM
Size: ~120 kbytes
Aliases: Trojan-Spy.Win32.Zbot.gen; Trojan.Zbot!gen2; PWS-Zbot.gen.v; PWS:Win32/Zbot.gen!R

Symptoms

The following files will be present on an infected system:
    %WINDIR%\system32\sdra64.exe
    %WINDIR%\system32\lowsec\local.ds
    %WINDIR%\system32\lowsec\user.ds
    %WINDIR%\system32\lowsec\user.ds.lll

The Userinit value under the following registry key is modified so that sdra64.exe is started right after the legitimate userinit.exe:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit="%WINDIR%\system32\userinit.exe,%WINDIR%\system32\sdra64.exe,"

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Dana Stanut, virus researcher

Technical Description:

    This is another version of ZBot, distributed by spam e-mail that either carries the malware as an attachment or links to it.

    When executed it decrypts its payload and injects it into winlogon.exe and svchost.exe. Running inside these trusted system processes lets it create files and connect to the Internet without the user noticing, and the code injected into winlogon.exe keeps its files open, so they cannot simply be deleted while the system is running. It then copies itself to %WINDIR%\system32\sdra64.exe and creates the following encrypted, hidden data files (local.ds holds the bot's configuration, user.ds the stolen data):
    %WINDIR%\system32\lowsec\local.ds
    %WINDIR%\system32\lowsec\user.ds
    %WINDIR%\system32\lowsec\user.ds.lll
    To run at every system startup it appends the path of sdra64.exe to the Userinit value, after the legitimate userinit.exe:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit="%WINDIR%\system32\userinit.exe,%WINDIR%\system32\sdra64.exe,"
    Because Winlogon launches every program listed in Userinit at logon, the Trojan is started before the user's shell and needs no Run key.
    It then downloads the following file to the user's computer:
http://lab[removed].27.42//ip2.gif - which, despite the image extension, is not a picture but contains encrypted data.
    The presence of the malware on the system is marked by the following mutexes:
    __SYSTEM__64AD0625__
    _AVIRA_2109
    _AVIRA_2108
    _AVIRA_210999
    _H_64AD0625_
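The following host check is an added example written for this page; it is not Bitdefender's disinfection tool or any code from the analysis. It turns the indicators from the Symptoms section and the Technical Description (the four files, the modified Userinit value and the mutex names) into a script that reports which of them are present. Reading the registry uses the standard winreg module on Windows; the file and mutex checks take their input as arguments, so the same logic can be run offline against paths and mutex names collected from another machine. Passing mutex names on the command line (for example from a handle-enumeration tool) is an assumption of this example, since the Python standard library cannot enumerate mutexes.

```python
"""Host IOC check for the Trojan.Spy.ZBot.EHE indicators described above."""
import ntpath
import os
import re
import sys

# Indicators taken from the description above (paths relative to %WINDIR%).
ZBOT_FILES = [
    r"system32\sdra64.exe",
    r"system32\lowsec\local.ds",
    r"system32\lowsec\user.ds",
    r"system32\lowsec\user.ds.lll",
]
ZBOT_MUTEXES = {
    "__SYSTEM__64AD0625__", "_AVIRA_2109", "_AVIRA_2108",
    "_AVIRA_210999", "_H_64AD0625_",
}
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def userinit_entries(value):
    """Split the comma-separated Userinit value into its program paths."""
    return [e.strip() for e in value.split(",") if e.strip()]


def unexpected_userinit_entries(value, windir=r"C:\WINDOWS"):
    """Return every Userinit entry that is not the stock userinit.exe.

    Windows accepts both the full path and the bare file name, so both are
    treated as legitimate; anything else (e.g. sdra64.exe) is reported.
    """
    legit = {
        ntpath.normcase(ntpath.join(windir, "system32", "userinit.exe")),
        "userinit.exe",
    }
    extra = []
    for entry in userinit_entries(value):
        # Expand %WINDIR% case-insensitively; the lambda avoids backslash escapes.
        expanded = re.sub(r"%windir%", lambda _m: windir, entry, flags=re.IGNORECASE)
        if ntpath.normcase(expanded) not in legit:
            extra.append(entry)
    return extra


def present_zbot_files(windir, exists=os.path.exists):
    """Return the ZBot file paths that exist under windir.

    `exists` is injectable so the check can run against a list of paths
    collected from another machine (or a constructed list in a test).
    """
    return [p for p in (ntpath.join(windir, f) for f in ZBOT_FILES) if exists(p)]


def matching_mutexes(open_mutexes):
    """Return the ZBot mutex names found among the given open mutex names."""
    return sorted(ZBOT_MUTEXES & set(open_mutexes))


def assess(userinit_value, windir=r"C:\WINDOWS", exists=os.path.exists, open_mutexes=()):
    """Combine the three checks into one findings dict (empty lists mean clean)."""
    return {
        "userinit": unexpected_userinit_entries(userinit_value, windir),
        "files": present_zbot_files(windir, exists),
        "mutexes": matching_mutexes(open_mutexes),
    }


def is_infected(findings):
    """True if any indicator matched."""
    return any(findings.values())


if __name__ == "__main__":
    # On Windows read the live Userinit value; elsewhere the registry check is skipped.
    # Mutex names come from the command line (assumption: collected with a
    # handle-enumeration tool), since the standard library cannot list them.
    windir = os.environ.get("WINDIR", r"C:\WINDOWS")
    userinit = ""
    try:
        import winreg
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
            userinit = winreg.QueryValueEx(key, "Userinit")[0]
    except ImportError:
        print("winreg not available (not Windows): registry check skipped")
    result = assess(userinit, windir, open_mutexes=sys.argv[1:])
    print("INFECTED" if is_infected(result) else "clean", result)
```

The Userinit check deliberately reports any entry other than userinit.exe rather than looking only for sdra64.exe, because the file name is the easiest part of this indicator for a new build to change; the persistence technique itself is the stable signal. Note that on a live infected system a positive result is only the first step: the files are held open by the code injected into winlogon.exe, so removal should be left to the product's disinfection routine as stated above.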