| Field | Value |
|---|---|
| Malware name | Trojan.Spy.ZBot.DFO |
| Type | Trojan |
| Affected platform | Win32 |
| Media type | application/executable |
| MD5 checksum | 3D287655340005C10D31540DBF696A80 |
| Static file | yes |
| File size | 71,680 bytes |
| Alias names (also known as) | Sophos: Mal/EncPk-CZ; McAfee: Spy-Agent.bw; CA eTrust: Win32/Kollah.NW |
| Side effects | Downloads malicious files; registry modification; steals information; third-party control |
| Propagation | No own spreading routine |
Description:
Files
It copies itself to the following location:
• %SYSDIR%\ntos.exe
The following files are created:
– Temporary files that might be deleted afterwards:
• %SYSDIR%\wsnpoem\audio.dll
• %SYSDIR%\wsnpoem\video.dll
It tries to download the following files:
– From the location:
• http://66.199.242.115/**********l.exe
It is saved on the local hard drive as %TEMPDIR%\5.tmp and executed once the download is complete. Further investigation showed that this file is also malware, detected as Trojan.Drop.RKit.BJ.
– From the location:
• http://66.199.242.115/**********er.exe
It is saved on the local hard drive as %TEMPDIR%\6.tmp and executed once the download is complete. Further investigation showed that this file is also malware, detected as Trojan.Drop.Cutwail.AO.
Registry
The following registry key is changed:
– [HKLM\software\microsoft\windows nt\currentversion\winlogon]
Old value:
• userinit="%SYSDIR%\userinit.exe,"
New value:
• userinit="%SYSDIR%\userinit.exe,%SYSDIR%\ntos.exe,"
Backdoor
The following port is opened:
– svchost.exe on a random TCP port
Contact server:
• http://blatundalqik.ru/**********rev.bin
As a result it may exfiltrate information, and a third party may gain remote control of the system.
Injection
– It injects itself into a process.
Process name:
• winlogon.exe
File details
Runtime packer: To hamper detection and reduce the file size, it is packed with a runtime packer.