Virus: TR/Spy.ZBot.dnv
Date discovered: 31/07/2008
Type: Trojan
Subtype: Spy
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 60.416 Bytes
MD5 checksum: fa9e2f54724b0af452a91c8dd72814eb
IVDF version: 7.00.05.195 - Thu, 31 Jul 2008 08:49 (GMT+1)
General

Method of propagation:
• No own spreading routine

Aliases:
• Symantec: Trojan.Wsnpoem
• Mcafee: Spy-Agent.bw trojan
• Kaspersky: Trojan-Spy.Win32.Zbot.dnv
• TrendMicro: TSPY_ZBOT.OJ
• F-Secure: Trojan-Spy.Win32.Zbot.dnv
• Sophos: Troj/Zbot-AE
• Grisoft: Pakes_c_SE
• Eset: Win32/Spy.Agent.PZ trojan
• Bitdefender: Trojan.Agent.AJKG

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Downloads a malicious file
• Registry modification
• Steals information
• Third party control

Files

It copies itself to the following location:
• %SYSDIR%\ntos.exe

The following files are created:
– Temporary files that might be deleted afterwards:
• %SYSDIR%\wnspoem\video.dll
• %SYSDIR%\wnspoem\audio.dll

It tries to download a file:
– The location is the following:
• http://66.199.242.115/**********.exe
It is saved on the local hard drive under: %TEMPDIR%\feed.exe
This file is executed once the download completes. Further investigation showed that this file is also malware. Detected as: TR/Drop.Agent.VUF

Registry

The following registry key is changed:
– [HKLM\software\microsoft\windows nt\currentversion\winlogon]
Old value:
• "userinit"="%SYSDIR%\userinit.exe,"
New value:
• "userinit"="%SYSDIR%\userinit.exe,%SYSDIR%\ntos.exe,"

Backdoor

The following port is opened:
– svchost.exe on a random TCP port

Contact server:
The following:
• http://ahleinaks.ru/**********millioner.bin
As a result it may send out information, and remote control of the system may be provided.

Injection

– It injects the following file into a process: %SYSDIR%\ntos.exe
Process name:
• winlogon.exe

File details

Runtime packer: In order to hamper detection and reduce the size of the file, it is packed with a runtime packer. See a brief description here.

Description inserted by Andreas Feuerstein on Thu, 31 Jul 2008 14:26 (GMT+1)
Description updated by Andreas Feuerstein on Thu, 31 Jul 2008 14:44 (GMT+1)
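The persistence mechanism described under "Registry" (appending a second program to the Winlogon Userinit value) is straightforward to audit. The following Python script is an added example, not part of the original description; it parses a Userinit value into its comma-separated entries, normalizes each one so that both the description's %SYSDIR% token and a real system32 path compare equal, and reports anything beyond the expected userinit.exe baseline. The sample values are the old and new values quoted in the description; the optional live-registry read assumes a Windows host and the standard winreg module.

```python
import re
from typing import List, Optional

# Baseline Userinit value on a clean system, taken from the "Old value"
# of the Winlogon key in the description (normalized form, see normalize()).
EXPECTED_USERINIT = {r"%sysdir%\userinit.exe"}

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def parse_userinit(value: str) -> List[str]:
    """Split a Winlogon Userinit value into its program entries.

    Userinit is a comma-separated list of programs run at logon. Windows
    tolerates a trailing comma and surrounding whitespace, so both are
    stripped here and empty entries are dropped.
    """
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def normalize(path: str) -> str:
    """Canonicalize a Userinit entry for comparison.

    Assumption: the real system directory is <drive>:\\Windows\\system32;
    such a prefix is rewritten to the %SYSDIR% token used on this page so
    the baseline can be expressed once. Comparison is case-insensitive and
    stray whitespace (as in the page's "%SYSDIR% \\ntos.exe") is removed.
    """
    p = re.sub(r"\s+", "", path).lower()
    return re.sub(r"^[a-z]:\\windows\\system32\\", r"%sysdir%\\", p)


def unexpected_userinit_entries(value: str) -> List[str]:
    """Return every Userinit entry that is not in the expected baseline."""
    return [e for e in parse_userinit(value)
            if normalize(e) not in EXPECTED_USERINIT]


def read_live_userinit() -> Optional[str]:
    """Read the live Userinit value on Windows; returns None elsewhere."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
        return value


# Constructed samples: the old and new values quoted in the description.
CLEAN_VALUE = r"%SYSDIR%\userinit.exe,"
INFECTED_VALUE = r"%SYSDIR%\userinit.exe,%SYSDIR%\ntos.exe,"

if __name__ == "__main__":
    samples = [("clean sample", CLEAN_VALUE), ("infected sample", INFECTED_VALUE)]
    live = read_live_userinit()
    if live is not None:
        samples.append(("this host", live))
    for label, v in samples:
        extra = unexpected_userinit_entries(v)
        status = "OK" if not extra else "suspicious entries: " + ", ".join(extra)
        print(f"{label}: {status}")
```

Run on the two sample values the script reports the clean value as OK and flags %SYSDIR%\ntos.exe in the infected one; on a Windows host it additionally checks the live key. Any extra entry is worth investigating, since legitimate software rarely registers itself in Userinit.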