| Malware name | Trojan.Spy.ZBot.DPF | | Type | Trojan | | Affected platform | Win32 | | Media-Type | application/executable | | MD5 checksum | EEAD764389F7E2B1939D147B198443A3 | | Static file | yes | | Filesize | 58,368 Bytes | Alias names
(also known as) | | Sophos | Troj/Agent-HJN | | McAfee | Spy-Agent.bw | | CA ETrust | Win32/Kollah.ND |
| | Side effects | - Downloads a malicious file
- Registry modification
- Steals information
- Third party control
| | Propagation | No own spreading routine |
|
Description:
Files
It copies itself to the following location:
• %SYSDIR%\ntos.exe
The following files are created:
– Temporary files that might be deleted afterwards:
• %SYSDIR%\wnspoem\video.dll
• %SYSDIR%\wnspoem\audio.dll
It tries to download a file:
– The location is the following:
• http://dr-mahmoud.com/**********x.exe
It is saved on the local hard drive under: %TEMPDIR%\5.tmp Furthermore this file gets executed after it was fully downloaded. Further investigation pointed out that this file is malware, too. Detected as:
4026 Registry
The following registry key is changed:
– [HKLM\software\microsoft\windows nt\currentversion\winlogon]
Old value:
• "userinit"="%SYSDIR%\userinit.exe,"
New value:
• "userinit"="%SYSDIR%\userinit.exe,%SYSDIR%\ntos.exe,"
Backdoor
The following port is opened:
– svchost.exe on a random TCP port
Contact server: The following:
• http://ahleinaks.ru/**********millionertest.bin
As a result it may send information and remote control could be provided.
Injection
– It injects itself into a process.
Process name:
• winlogon.exe
File details
Runtime packer: In order to aggravate detection and reduce size of the file it is packed with a runtime packer.
