| Malware name | Trojan.Spy.ZBot.DPI | | Type | Trojan | | Affected platform | Win32 | | Media-Type | application/executable | | MD5 checksum | ED0F6E240D5DB97A027238279883BE69 | | Static file | yes | | Filesize | 59,392 Bytes | Alias names
(also known as) | | Sophos | Troj/Dloadr-BPX | | McAfee | Spy-Agent.bw.gen.f | | CA ETrust | Win32/Kollah.NG |
| | Side effects | - Downloads a malicious file
- Registry modification
- Steals information
- Third party control
| | Propagation | No own spreading routine |
|
Description:
Files
It copies itself to the following location:
• %SYSDIR%\ntos.exe
The following files are created:
– Temporary files that might be deleted afterwards:
• %SYSDIR%\wnspoem\video.dll
• %SYSDIR%\wnspoem\audio.dll
It tries to download a file:
– The location is the following:
• http://dr-mahmoud.com/**********l.exe
Furthermore this file gets executed after it was fully downloaded. Further investigation pointed out that this file is malware, too. Detected as:
3040 Registry
The following registry key is changed:
– [HKLM\software\microsoft\windows nt\currentversion\winlogon]
Old value:
• "userinit"="%SYSDIR%\userinit.exe,"
New value:
• "userinit"="%SYSDIR%\userinit.exe,%SYSDIR%\ntos.exe,"
Backdoor
The following port is opened:
– svchost.exe on a random TCP port
Contact server: The following:
• http://blatundalqik.ru/**********/rev.bin
As a result it may send information and remote control could be provided.
Injection
– It injects itself into a process.
Process name:
• winlogon.exe
File details
Runtime packer: In order to aggravate detection and reduce size of the file it is packed with a runtime packer.
