Malware name: Trojan.Spy.ZBot.DPE
Type: Trojan
Affected platform: Win32
Media type: application/executable
MD5 checksum: 606AB42E4C906F933BC9C5AB62B798D9
Static file: yes
File size: 59,904 bytes
Alias names (also known as):
• Sophos: Troj/Agent-HJG
• McAfee: Spy-Agent.bw
• CA eTrust: Win32/Kollah.NC
Side effects:
• Downloads a malicious file
• Registry modification
• Steals information
• Third-party control
Propagation: No own spreading routine
Description:
Files
It copies itself to the following location:
• %SYSDIR%\ntos.exe
The following files are created:
– Temporary files that might be deleted afterwards:
• %SYSDIR%\wnspoem\video.dll
• %SYSDIR%\wnspoem\audio.dll
It tries to download a file:
– The location is the following:
• http://dr-mahmoud.com/**********.exe
– It is saved on the local hard drive as:
• %TEMPDIR%\1.tmp
This file is executed as soon as the download is complete. Further investigation showed that this file is malware, too. Detected as:
Registry
The following registry key is changed:
– [HKLM\software\microsoft\windows nt\currentversion\winlogon]
Old value:
• "userinit"="%SYSDIR%\userinit.exe,"
New value:
• "userinit"="%SYSDIR%\userinit.exe,%SYSDIR%\ntos.exe,"
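The Userinit change above is the persistence mechanism: Winlogon launches every comma-separated entry in that value at logon, so appending ntos.exe starts the trojan without a Run key. The following host-triage script is an added example, not part of the report or of any vendor tool. It parses a Userinit value, flags every entry other than the system userinit.exe, and checks for the dropped files listed under Files; the report's own old/new values are used as constructed inputs, the default system directory C:\Windows\system32 is an assumption, and the live registry read only works on Windows.

```python
import os
from typing import List

# Dropped-file indicators from the report, relative to %SYSDIR%.
DROPPED_FILES = [
    r"ntos.exe",
    r"wnspoem\video.dll",
    r"wnspoem\audio.dll",
]

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def parse_userinit(value: str) -> List[str]:
    """Split a Winlogon Userinit value into its entries.

    The value is a comma-separated list that normally ends with a trailing
    comma, so empty tokens are dropped.
    """
    return [p.strip() for p in value.split(",") if p.strip()]


def expand_sysdir(path: str, sysdir: str) -> str:
    """Expand the %SYSDIR% placeholder used in the report (real registry
    values already carry the concrete path)."""
    return path.replace("%SYSDIR%", sysdir)


def audit_userinit(value: str, sysdir: str = r"C:\Windows\system32") -> List[str]:
    """Return every Userinit entry other than the expected userinit.exe.

    A clean value has exactly one entry. The infected value from the report
    appends ntos.exe, which Winlogon then launches at every logon.
    Comparison is case-insensitive because the registry value is.
    """
    expected = (sysdir.rstrip("\\") + r"\userinit.exe").lower()
    return [e for e in parse_userinit(expand_sysdir(value, sysdir))
            if e.lower() != expected]


def dropped_files_present(sysdir: str) -> List[str]:
    """Return those report file paths that exist on this host."""
    base = sysdir.rstrip("\\")
    candidates = [base + "\\" + rel for rel in DROPPED_FILES]
    return [p for p in candidates if os.path.exists(p)]


def read_live_userinit() -> str:
    """Read the real Userinit value; returns '' when not on Windows."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return ""
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return str(value)


if __name__ == "__main__":
    # Constructed inputs: the old and new values quoted in the report.
    clean = r"%SYSDIR%\userinit.exe,"
    infected = r"%SYSDIR%\userinit.exe,%SYSDIR%\ntos.exe,"
    print("report old value ->", audit_userinit(clean))      # []
    print("report new value ->", audit_userinit(infected))   # [...\ntos.exe]

    live = read_live_userinit()
    if live:
        sysdir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32")
        print("this host Userinit ->", audit_userinit(live, sysdir))
        print("this host dropped files ->", dropped_files_present(sysdir))
```

Anything returned by audit_userinit on a production host deserves a look even if it is not ntos.exe: the same appended-entry trick is reused by other families, so the check is on "anything besides userinit.exe" rather than on this one filename.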
Email
It has no spreading routine of its own but was spammed out via email with the following characteristics:
From: The sender address is spoofed.
Subject: The following:
• Rechnung N%number% (German for "Invoice N%number%")
The body of the email is one of the following (German in the original, translated here):
• Dear Sir or Madam,
Your order no. SP7848895 has been completed.
An amount of 6536.02 EURO has been debited and will appear on your bank statement as "Paypalabbuchung" (PayPal debit).
You will find the details of the invoice in the attachment
PayPal (Europe)
S.158; r.l. & Cie, S.C.A.
50-40 Boulevard Royal
L-7672 Luxembourg
Yours faithfully,
Authorised representative: Armand Kruse
Commercial register number: R.C.S. B 285 380
• Dear Customers,
Your order no. SP8742024 has been completed.
An amount of 6127.53 EURO has been debited and will appear on your bank statement as "Paypalabbuchung" (PayPal debit).
You will find the details of the invoice in the attachment
PayPal (Europe)
S.392; r.l. & Cie, S.C.A.
63-88 Boulevard Royal
L-2082 Luxembourg
Kind regards,
Authorised representative: Joanna Muller
Commercial register number: R.C.S. B 922 819
Attachment: The filename of the attachment is:
• REC719271.zip
The attachment is an archive containing a copy of the malware itself.
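The spam run above leaves three things a mail gateway can key on: the "Rechnung N<number>" subject, a display-name sender claiming PayPal while the envelope sender is elsewhere, and a REC<number>.zip attachment that wraps an executable. The script below is an added example, not code from the report or from any vendor. It parses a raw message and returns the indicators it matches. The sample message it builds is constructed for the demonstration: the sender addresses and the Return-Path header are placeholders, and the executable name inside the ZIP is a stand-in because the report does not give the name of the member file.

```python
import email
import io
import re
import zipfile
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from typing import List

SUBJECT_RE = re.compile(r"^Rechnung N\d+$")            # "Rechnung N%number%"
ATTACH_RE = re.compile(r"^REC\d+\.zip$", re.IGNORECASE)  # e.g. REC719271.zip
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def zip_executables(data: bytes) -> List[str]:
    """Names of executable members inside a ZIP blob (empty if not a ZIP)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXT)]
    except zipfile.BadZipFile:
        return []


def scan_message(raw: bytes) -> List[str]:
    """Return the report's indicators that this message matches, in order."""
    msg: Message = email.message_from_bytes(raw)
    hits: List[str] = []

    subject = (msg["Subject"] or "").strip()
    if SUBJECT_RE.match(subject):
        hits.append("subject matches 'Rechnung N<number>'")

    # Spoofed sender: From claims PayPal, but the envelope sender (Return-Path,
    # added by the receiving MTA) does not.
    sender = (msg["From"] or "").lower()
    return_path = (msg["Return-Path"] or "").lower()
    if "paypal" in sender and return_path and "paypal" not in return_path:
        hits.append("From claims PayPal but Return-Path does not")

    for part in msg.walk():
        name = part.get_filename() or ""
        if ATTACH_RE.match(name):
            hits.append(f"attachment name {name} matches REC<number>.zip")
            exes = zip_executables(part.get_payload(decode=True) or b"")
            if exes:
                hits.append("ZIP contains executable(s): " + ", ".join(exes))
    return hits


def build_sample() -> bytes:
    """Constructed message shaped like the report's spam; NOT a real capture."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Placeholder member name and content; the report does not name the file.
        zf.writestr("REC719271.exe", b"MZ placeholder, not the real sample")
    m = MIMEMultipart()
    m["From"] = "PayPal (Europe) <service@paypal.example>"  # placeholder, spoofed
    m["Return-Path"] = "<bounce@example.net>"                # placeholder envelope sender
    m["Subject"] = "Rechnung N719271"
    m.attach(MIMEText("Ihr Auftrag Nr. SP7848895 wurde erfullt.", "plain", "utf-8"))
    att = MIMEApplication(buf.getvalue(), Name="REC719271.zip")
    att.add_header("Content-Disposition", "attachment", filename="REC719271.zip")
    m.attach(att)
    return m.as_bytes()


if __name__ == "__main__":
    for hit in scan_message(build_sample()):
        print("-", hit)
```

The ZIP inspection is the part worth keeping after this campaign is over: a numbered-invoice subject plus an archive whose only member is an executable is a pattern, not a signature, and survives the next rename of the attachment.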
Backdoor
The following port is opened:
– svchost.exe on a random TCP port
Contact server: The following:
• http://ahleinaks.ru/**********/millionertest.bin
Through this channel it can send out the stolen information and accept remote commands, which gives a third party control of the infected system.
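The two servers named in this report (the dr-mahmoud.com download location under Files and the ahleinaks.ru contact server above) are the network indicators an analyst can sweep proxy logs for; the random listening port on svchost.exe cannot be seen from a proxy and needs a host-side check. The script below is an added example, not code from the report or from any vendor. It parses Squid-style access.log lines, matches the destination host (or any subdomain of it) against the two hosts, and lists the clients that should be isolated. The log lines are constructed for the demonstration; because the report masks the URL paths, the paths in the sample are placeholders.

```python
import re
from typing import Dict, Iterable, List

# Hosts named in the report and the role each one plays.
IOC_HOSTS: Dict[str, str] = {
    "dr-mahmoud.com": "second-stage download, saved as %TEMPDIR%\\1.tmp",
    "ahleinaks.ru": "contact server (millionertest.bin)",
}

# Squid native access.log layout (assumed format):
# timestamp elapsed client code/status bytes method URL ident hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)
HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://(?P<host>[^/:?#]+)", re.IGNORECASE)


def url_host(url: str) -> str:
    """Host part of an absolute URL, or of a bare host:port (CONNECT lines)."""
    m = HOST_RE.match(url)
    host = m.group("host") if m else url.split("/", 1)[0].split(":", 1)[0]
    return host.lower()


def matched_ioc(host: str) -> str:
    """Return the IOC host that `host` equals or is a subdomain of, else ''."""
    for ioc in IOC_HOSTS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return ""


def sweep(lines: Iterable[str]) -> List[dict]:
    """Return one record per log line whose destination host is an IOC."""
    hits: List[dict] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Squid access line; skip rather than guess
        ioc = matched_ioc(url_host(m.group("url")))
        if ioc:
            hits.append({
                "ts": float(m.group("ts")),
                "client": m.group("client"),
                "method": m.group("method"),
                "host": ioc,
                "role": IOC_HOSTS[ioc],
            })
    return hits


def infected_clients(hits: List[dict]) -> List[str]:
    """Distinct client addresses that contacted any IOC host."""
    return sorted({h["client"] for h in hits})


# Constructed sample, not a real capture. The report masks the URL paths
# (shown as **********), so the paths below are placeholders.
SAMPLE_LOG = """\
1190000001.123    145 10.0.0.23 TCP_MISS/200 61234 GET http://dr-mahmoud.com/xxxxxxxxxx.exe - DIRECT/203.0.113.10 application/octet-stream
1190000002.456     98 10.0.0.23 TCP_MISS/200 4096 GET http://ahleinaks.ru/xxxxxxxxxx/millionertest.bin - DIRECT/203.0.113.11 application/octet-stream
1190000003.789     12 10.0.0.44 TCP_HIT/200 2048 GET http://www.example.com/index.html - NONE/- text/html
"""

if __name__ == "__main__":
    found = sweep(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h['ts']:.3f} {h['client']} {h['method']} {h['host']} ({h['role']})")
    print("clients to isolate:", infected_clients(found))
```

Matching on the host rather than the full URL is deliberate: the path component is masked in the report and is the part the operators change most often, whereas a client that fetched anything from either host during the campaign window is worth triaging with the registry check from the Registry section.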
Injection
It injects the following file into a process:
• %SYSDIR%\ntos.exe
Process name:
• winlogon.exe
File details
Programming language:
The malware program was written in MS Visual C++.
Runtime packer: To hinder detection and reduce file size, it is packed with a runtime packer.