| Field | Value |
|---|---|
| Malware name | Trojan.Spy.ZBot.dkx |
| Type | Trojan |
| Affected platform | Win32 |
| Media-Type | application/executable |
| MD5 checksum | DD2BDDDE963C8F6D5A9F0C0DE6D4457B |
| Static file | yes |
| Filesize | 56,320 Bytes |
| Propagation | No own spreading routine |

Alias names (also known as):

| Vendor | Alias |
|---|---|
| Sophos | Mal/EncPk-CZ |
| McAfee | Spy-Agent.bw |
| CA ETrust | Win32/Kollah.MT |

Side effects:
- Downloads a malicious file
- Registry modification
- Steals information
- Third party control
Description:
Files
It copies itself to the following location:
• %SYSDIR%\ntos.exe
The following files are created:
– Temporary files that might be deleted afterwards:
• %SYSDIR%\wnspoem\video.dll
• %SYSDIR%\wnspoem\audio.dll
It tries to download a file:
– The location is the following:
• http://alparslanovayurt.com/**********ldr.exe
It is saved on the local hard drive under:
• %TEMPDIR%\4.tmp
Furthermore, this file is executed after it has been fully downloaded. Further investigation showed that this file is malware, too. Detected as:
• Trojan.Dldr.Agent.xft
Registry
The following registry key is changed:
– [HKLM\software\microsoft\windows nt\currentversion\winlogon]
Old value:
• "userinit"="%SYSDIR%\userinit.exe,"
New value:
• "userinit"="%SYSDIR%\userinit.exe,%SYSDIR%\ntos.exe,"
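The Userinit change above is the Trojan's persistence mechanism: Winlogon runs every executable listed in that comma-separated value at logon, so appending ntos.exe starts the malware with each session. The following added check (example code, not part of the original report) parses such a value and reports every entry other than the expected userinit.exe in the system directory. The sample values are constructed strings with %SYSDIR% expanded to C:\Windows\system32 so the check runs offline; on a Windows host the optional read_live_userinit helper reads the real value with winreg.

```python
"""Flag unexpected executables in the Winlogon Userinit value.

Added example, not code from the original report. A clean Windows install
keeps only %SYSDIR%\\userinit.exe in this value; the report shows the Trojan
appending %SYSDIR%\\ntos.exe.
"""
import ntpath
from typing import List, Optional

# Constructed sample values (%SYSDIR% expanded to the usual path).
CLEAN_USERINIT = r"C:\Windows\system32\userinit.exe,"
INFECTED_USERINIT = r"C:\Windows\system32\userinit.exe,C:\Windows\system32\ntos.exe,"

EXPECTED_USERINIT = "userinit.exe"
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def parse_userinit(value: str) -> List[str]:
    """Split the comma-separated Userinit value into its non-empty entries.

    The trailing comma Windows keeps in the value produces an empty entry,
    which is dropped here.
    """
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def unexpected_entries(value: str, system_dir: str = r"C:\Windows\system32") -> List[str]:
    """Return every entry that is not the expected userinit.exe in system_dir.

    Comparison is case-insensitive because registry paths on Windows are.
    A bare 'userinit.exe' without a directory is also reported, since it
    would be resolved via the search path instead of the system directory.
    """
    extras = []
    for entry in parse_userinit(value):
        head, tail = ntpath.split(entry)
        if tail.lower() == EXPECTED_USERINIT and head.lower() == system_dir.lower():
            continue
        extras.append(entry)
    return extras


def read_live_userinit() -> Optional[str]:
    """Read the real Userinit value on a Windows host; return None elsewhere."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return None
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY)
    try:
        value, _value_type = winreg.QueryValueEx(key, "Userinit")
    finally:
        winreg.CloseKey(key)
    return value


if __name__ == "__main__":
    samples = [("clean sample", CLEAN_USERINIT), ("infected sample", INFECTED_USERINIT)]
    live = read_live_userinit()
    if live is not None:
        samples.append(("live host", live))
    for label, value in samples:
        extras = unexpected_entries(value)
        print(f"{label}: {'suspicious entries ' + str(extras) if extras else 'ok'}")
```

The check deliberately compares the full path rather than just the file name: the persistence entry can point anywhere, so anything that is not exactly the system directory's userinit.exe is worth a look.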
Email
It doesn't have its own spreading routine but it was spammed out via email. The characteristics are described in the following:
From: The sender address is spoofed.
Subject: The following:
• Parcel requires declaration
Body: The body of the email is the following:
• Good day,
We have received a parcel for you, sent from France on July 9. Please fill out the customs declaration attached to this message and send it to us by mail or fax. The address and the fax number are at the bottom of the declaration form.
Kind regards,
Lucinda Addison
Your Customs Service
Attachment: The filename of the attachment is:
• Bill_Tax.zip
The attachment is an archive containing a copy of the malware itself.
Backdoor
The following port is opened:
– svchost.exe on a random TCP port
Contact server: The following:
• http://baltikaredison.ru/**********alaska.bin
As a result, it may send out information and provide remote control over the infected system.
Injection
– It injects the following file into a process: %SYSDIR%\ntos.exe
Process name:
• winlogon.exe
File details
Runtime packer: In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.