| Malware name | Trojan.Spy.ZBot.dnv | | Type | Trojan | | Affected platform | Win32 | | Media-Type | application/executable | | MD5 checksum | FA9E2F54724B0AF452A91C8DD72814EB | | Static file | yes | | Filesize | 60,416 Bytes | Alias names
(also known as) | | Sophos | Troj/Zbot-AE | | McAfee | Spy-Agent.bw | | CA ETrust | Win32/Kollah.NA |
| | Side effects | - Downloads a malicious file
- Registry modification
- Steals information
- Third party control
| | Propagation | No own spreading routine |
|
Description:
Files
It copies itself to the following location:
• %SYSDIR%\ntos.exe
The following files are created:
– Temporary files that might be deleted afterwards:
• %SYSDIR%\wnspoem\video.dll
• %SYSDIR%\wnspoem\audio.dll
It tries to download a file:
– The location is the following:
• http://66.199.242.115/**********.exe
It is saved on the local hard drive under: %TEMPDIR%\feed.exe Furthermore this file gets executed after it was fully downloaded. Further investigation pointed out that this file is malware, too. Detected as: Trojan.Drop.Agent.VUF
Registry
The following registry key is changed:
– [HKLM\software\microsoft\windows nt\currentversion\winlogon]
Old value:
• "userinit"="%SYSDIR%\userinit.exe,"
New value:
• "userinit"="%SYSDIR%\userinit.exe,%SYSDIR%\ntos.exe,"
Backdoor
The following port is opened:
– svchost.exe on a random TCP port
Contact server: The following:
• http://ahleinaks.ru/**********millioner.bin
As a result it may send information and remote control could be provided.
Injection
– It injects the following file into a process: %SYSDIR%\ntos.exe
Process name:
• winlogon.exe
File details
Runtime packer: In order to aggravate detection and reduce size of the file it is packed with a runtime packer.
