Trojan.Spy.ZBot.EKG

VERY LOW
MEDIUM
130560

Symptoms

The following files will be present on an infected system:
  %WINDIR%\system32\sdra64.exe 
  %WINDIR%\system32\lowsec\local.ds 
  %WINDIR%\system32\lowsec\user.ds 
  %WINDIR%\system32\lowsec\user.ds.lll 

The presence of the following registry key:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit="%WINDIR%\system32\userinit.exe,%WINDIR%\system32\sdra64.exe,"

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Lutas Andrei Vlad, virus researcher

Technical Description:

This trojan spreads via infected web sites, where it can be downloaded and executed directly on a system via an exploit, or the user can be tricked into downloading and running it manually.

When executed, the trojan first creates a mutex named "_AVIRA_2109" in order to avoid running multiple instances. It then makes a new copy of itself inside the %system% directory, as sdra64.exe, and injects its code into every running process. While the trojan has code running in any process, its file (sdra64.exe) is locked against any kind of access (read/write). In order to run on every startup, the following registry value is modified:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit=%system%\userinit.exe
by appending the trojan's path to it.
It will also create the following files:
%system%\lowsec\local.ds
%system%\lowsec\user.ds
%system%\lowsec\user.ds.lll
The trojan also has backdoor capabilities, which enable a remote attacker to connect to the victim's computer and issue commands that the trojan can interpret. Among the data stolen by this trojan are the digital product ID of the currently installed version of Microsoft Windows, and the list of FTP servers and user names/passwords (if any) stored by Total Commander, FileZilla, FAR, WinSCP 2, FTP Commander and Smart FTP (if any of these is installed). While the trojan is active, several other mutexes may be created: _H_64AD0625_, __SYSTEM__64AD0625__. It also deletes all the cookies stored in Internet Explorer's URL cache.
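A host check for the persistence indicators listed in the Symptoms and Technical Description sections, as an added example (not Bitdefender's tooling or the analyst's own code). It parses the comma-separated Winlogon Userinit value and reports every program other than userinit.exe, looks for the dropped files under system32, and treats an sdra64.exe that exists but cannot be opened as a sign of an active infection, which follows from the "locked from any kind of access" behaviour described above. The function names, the sample Userinit string and the temporary directory layout are this example's own constructions; the live registry read only runs on Windows.

```python
"""Host check for the ZBot persistence indicators described on this page.

Added example (not Bitdefender's tooling). The indicator paths, the Userinit
value format and the "file is locked while injected" behaviour come from the
entry above; the function names and the sample values are this example's own.
"""
import os
import tempfile
from typing import List, Optional

EXPECTED_USERINIT = "userinit.exe"  # the only program Winlogon should launch via Userinit

# Dropped files from the Symptoms section, relative to %WINDIR%\system32,
# stored as path components so the check works on any host OS.
IOC_FILES = [
    ("sdra64.exe",),
    ("lowsec", "local.ds"),
    ("lowsec", "user.ds"),
    ("lowsec", "user.ds.lll"),
]


def parse_userinit(value: str) -> List[str]:
    """Split the comma-separated Userinit value into its non-empty entries."""
    return [e.strip() for e in value.split(",") if e.strip()]


def extra_userinit_entries(value: str) -> List[str]:
    """Return every Userinit entry whose executable is not userinit.exe.

    Winlogon runs each comma-separated program in turn, which is how the
    trojan gets sdra64.exe started at logon. The trailing comma it leaves
    behind is harmless by itself, so only the extra programs are reported.
    Matching is on the file name, case-insensitive, so a legitimate
    userinit.exe under a differently cased path is not flagged.
    """
    flagged = []
    for entry in parse_userinit(value):
        exe = entry.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe != EXPECTED_USERINIT:
            flagged.append(entry)
    return flagged


def present_ioc_files(system32_dir: str) -> List[str]:
    """Return the dropped files that exist under system32_dir, as Windows-style relative paths."""
    found = []
    for parts in IOC_FILES:
        if os.path.exists(os.path.join(system32_dir, *parts)):
            found.append("\\".join(parts))
    return found


def ioc_file_locked(path: str) -> bool:
    """True if the file exists but cannot be opened for reading.

    The entry says sdra64.exe is locked against any access while the injected
    code is running, so an unreadable copy points to an active infection
    rather than a stale leftover.
    """
    if not os.path.exists(path):
        return False
    try:
        with open(path, "rb"):
            return False
    except OSError:
        return True


def read_live_userinit() -> Optional[str]:
    """Read the live Userinit value; returns None when not running on Windows."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return None
    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


def make_constructed_infected_tree() -> str:
    """Create a temporary directory laid out like a partially cleaned system32 (constructed sample)."""
    base = tempfile.mkdtemp(prefix="zbot_sample_")
    os.makedirs(os.path.join(base, "lowsec"))
    for parts in (("sdra64.exe",), ("lowsec", "local.ds"), ("lowsec", "user.ds")):
        open(os.path.join(base, *parts), "wb").close()
    return base


if __name__ == "__main__":
    # Constructed Userinit value in the form the Symptoms section quotes.
    sample = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"
    print("extra Userinit entries:", extra_userinit_entries(sample))
    print("dropped files present:", present_ioc_files(make_constructed_infected_tree()))
    live = read_live_userinit()
    if live is not None:
        sysdir = os.path.join(os.environ.get("WINDIR", r"C:\Windows"), "system32")
        print("live Userinit entries:", extra_userinit_entries(live))
        print("live dropped files:", present_ioc_files(sysdir))
        print("sdra64.exe locked:", ioc_file_locked(os.path.join(sysdir, "sdra64.exe")))
```

Run it as-is on any OS to see the constructed sample flagged; on a Windows host it additionally reads the real Userinit value. Because the trojan locks sdra64.exe while its injected code is running, a positive from ioc_file_locked means the file cannot simply be deleted from the live system, which is why the entry defers removal to the product's disinfection routine.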