| Field | Value |
|---|---|
| Malware name | Trojan.Spy.ZBot.nm |
| Type | Trojan |
| Affected platform | Win32 |
| Media-Type | application/executable |
| MD5 checksum | 35CEEB56649254192F2CFB4BD6D2AA46 |
| Static file | no |
| Filesize | 406,528 Bytes |
| Alias names (also known as) | Sophos: Mal/Generic-A; McAfee: Spy-Agent.bw.dr.gen; CA ETrust: Win32/Kollah.CD |
| Side effects | Registry modification; steals information; third party control |
| Propagation | No own spreading routine |
Description:
Files
It copies itself to the following location:
• %SYSDIR%\ntos.exe
The following files are created:
– Temporary files that might be deleted afterwards:
• %SYSDIR%\wsnpoem\audio.dll
• %SYSDIR%\wsnpoem\video.dll
Registry
The following registry key is changed:
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Old value:
• "userinit" = "%SYSDIR%\userinit.exe,"
New value:
• "userinit"="%SYSDIR%\userinit.exe,%SYSDIR%\ntos.exe,"
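To check a host for this persistence change, here is an added Python example (not part of the vendor description) that parses the comma-separated Winlogon Userinit value and flags every entry that is not the legitimate userinit.exe. The set of accepted system-directory prefixes in the regex and the sample values are assumptions constructed from the old and new values above.

```python
"""Audit the Winlogon 'Userinit' value for appended entries.

Trojan.Spy.ZBot.nm persists by appending %SYSDIR%\ntos.exe to the
comma-separated Userinit value. A clean value contains only the
system userinit.exe, so any other entry in the list is worth a look.
"""
from __future__ import annotations

import re
import sys

# Assumption: a clean entry is userinit.exe, optionally prefixed by the
# unexpanded %SYSDIR% placeholder or the expanded system32 directory.
_CLEAN_ENTRY = re.compile(
    r"^(?:%sysdir%|%systemroot%\\system32|[a-z]:\\windows\\system32)?"
    r"\\?userinit\.exe$",
    re.IGNORECASE,
)


def parse_userinit(value: str) -> list[str]:
    """Split the Userinit value on commas, dropping empty entries
    (a normal value ends with a trailing comma) and surrounding quotes."""
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]


def suspicious_userinit_entries(value: str) -> list[str]:
    """Return the entries that are not the legitimate userinit.exe."""
    return [e for e in parse_userinit(value) if not _CLEAN_ENTRY.match(e)]


def read_live_userinit() -> str | None:
    """Read the current value from HKLM on Windows; None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only

    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
        return value


if __name__ == "__main__":
    # Constructed samples: the old and new values from the description.
    clean = r"%SYSDIR%\userinit.exe,"
    infected = r"%SYSDIR%\userinit.exe,%SYSDIR%\ntos.exe,"
    print(suspicious_userinit_entries(clean))     # []
    print(suspicious_userinit_entries(infected))  # ['%SYSDIR%\\ntos.exe']
    live = read_live_userinit()
    if live is not None:
        print("live value, suspicious entries:", suspicious_userinit_entries(live))
```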
Backdoor
The following ports are opened:
– svchost.exe on a random TCP port in order to provide backdoor capabilities.
– svchost.exe on a random TCP port in order to provide a proxy server.
– svchost.exe on a random TCP port in order to provide a Socks 4 proxy server.
Contact server:
• http://77.221.133.188/**********/cfg.bin
As a result it may send out information and provide remote control of the system.
Injection
– It injects itself into a process.
Process name:
• svchost.exe
File details
Programming language:
The malware program was written in MS Visual C++.
Runtime packer: In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.