Christian Mairoll, posted October 4, 2009

Zeus is a malicious application that steals sensitive information such as online banking credentials. The authors describe it the same way: "Zeus is software to steal personal user data from remote system…". Zeus is the most popular financial malware on the Net today. a-squared Anti-Malware detects this malware as Trojan-Spy.Win32.Zbot. Zeus is also known as Zbot, Kollah, Pakes, PWSZbot, Banker, or Wsnpoem, as the VirusTotal scan results show.

Zeus contains the following modules:

Zeus Web Control Panel (to control the botnet)
Zeus Builder (to create the bot and to encrypt the configuration file)
Zeus BackConnect

[Screenshot: the Zeus builder]

Usually the bot spreads by email. On the infected machine it contacts the server to request a configuration file that contains a list of target sites, mostly online banking sites. The bot is written in C++ and is encrypted. One of our samples has the following characteristics.

The bot file uses fake version information.

When executed, it tries to copy itself to the following location, appends random (junk) data at the end of the file, and hides the file from Explorer by hooking the NtQueryDirectoryFile API:

%SystemRoot%\System32\sdra64.exe

The bot may then create some of the following files, which are hidden too:

%SystemRoot%\System32\lowsec\local.ds
%SystemRoot%\System32\lowsec\user.ds
%SystemRoot%\System32\lowsec\user.ds.lll

Using IceSword, the hidden files and directory can be seen.

It creates one of the following mutexes:

_AVIRA_2110
_AVIRA_2101
_AVIRA_2108
_AVIRA_2109
_AVIRA_21099

Then it enumerates processes to check for the presence of the following programs:

outpost.exe (Outpost Personal Firewall)
zlclient.exe (ZoneLabs Firewall)

It injects its own code into the following processes:

winlogon.exe
svchost.exe
explorer.exe

It also modifies the following registry entry so that the bot runs automatically whenever Windows starts:

Once decrypted, it shows some interesting strings, and a further set of strings as well.

How to remove the infection of Trojan-Spy.Win32.Zbot?

To delete this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.
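The indicators in the post (the dropped files, the mutex names, the hooked directory listing and the junk-padded copy of the dropper) as host triage logic, added here as an example that is not part of the original post or of a-squared; HostSnapshot, its fields and the sample data are constructed for illustration.

```python
from dataclasses import dataclass

# Indicators taken from the write-up above.
ZBOT_MUTEXES = {"_AVIRA_2110", "_AVIRA_2101", "_AVIRA_2108", "_AVIRA_2109", "_AVIRA_21099"}
ZBOT_PATHS = [r"%SystemRoot%\System32\sdra64.exe",
              r"%SystemRoot%\System32\lowsec\local.ds",
              r"%SystemRoot%\System32\lowsec\user.ds",
              r"%SystemRoot%\System32\lowsec\user.ds.lll"]

@dataclass
class HostSnapshot:
    """Artifacts a responder collects from one host (a constructed structure, not real telemetry)."""
    system_root: str
    api_listing: set   # paths returned through the Win32 directory API (what Explorer sees; hookable)
    raw_listing: set   # paths read below the hook, e.g. by IceSword
    mutexes: set       # names of open mutex objects

def _expand(template: str, system_root: str) -> str:
    return template.replace("%SystemRoot%", system_root).lower()

def triage(snap: HostSnapshot) -> list:
    """Return human-readable findings; an empty list means no Zbot indicator matched."""
    findings = []
    for name in sorted(snap.mutexes & ZBOT_MUTEXES):
        findings.append(f"mutex {name}")
    api = {p.lower() for p in snap.api_listing}
    raw = {p.lower() for p in snap.raw_listing}
    for template in ZBOT_PATHS:
        path = _expand(template, snap.system_root)
        if path in raw and path not in api:
            # On disk but absent from the API view: the NtQueryDirectoryFile hook is active.
            findings.append(f"hidden file {path}")
        elif path in raw:
            findings.append(f"file {path}")
    return findings

def is_padded_copy(sample: bytes, dropped: bytes) -> bool:
    """The dropper appends junk to its copy, so a whole-file hash of sdra64.exe will not
    match the original sample; match on the leading bytes (or their hash) instead."""
    return len(dropped) > len(sample) and dropped.startswith(sample)

# Constructed sample snapshot: a host where the dropper is hidden from the API view.
SAMPLE = HostSnapshot(
    system_root=r"C:\WINDOWS",
    api_listing={r"C:\WINDOWS\System32\svchost.exe"},
    raw_listing={r"C:\WINDOWS\System32\svchost.exe", r"C:\WINDOWS\System32\sdra64.exe",
                 r"C:\WINDOWS\System32\lowsec\local.ds"},
    mutexes={"_AVIRA_2108", "ShimCacheMutex"},
)
```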