Threat Encyclopedia

Win32/Spy.Zbot.YW

Aliases: Trojan-Spy.Win32.Zbot.ajws (Kaspersky), Suspicious.SillyFDC (Symantec), PWS:Win32/Zbot.gen!R (Microsoft)
Type of infiltration: Trojan
Size: 105984 B
Affected platforms: Microsoft Windows
Signature database version: 5115 (20100514)

Short description

Win32/Spy.Zbot.YW is a trojan that steals passwords and other sensitive information. The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan copies itself into the following location:
  • %system%\d3dg86.exe
The following Registry entries are set:
  • [HKEY_LOCAL_MACHINE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "UserInit" = "%originalvalue%, %system%\d3dg86.exe,"
This causes the trojan to be executed on every system start.

The trojan may create the following files:
  • %system%\folder\l0cal.ds
  • %system%\folder\us3r.ds
  • %system%\folder\us3r.ds.lll
The trojan may set the following Registry entries:
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
    "Enabled" = 0
    "EnabledV8" = 0
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\PhishingFilter]
    "Enabled" = 0
    "EnabledV8" = 0
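A defender-side check for the two registry changes described above (an extra executable appended to the Winlogon UserInit value, and the Internet Explorer PhishingFilter switched off). This is an added example, not part of the ESET entry: it parses a constructed .reg export offline rather than reading the live registry, and the sample paths and values are constructed (only the file name d3dg86.exe comes from this entry).

```python
import re

# Constructed .reg export (not from the page). The UserInit value shows the pattern
# from the entry: the original userinit.exe entry with a second executable appended.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit"="C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\d3dg86.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
"Enabled"=dword:00000000
"EnabledV8"=dword:00000000
'''

WINLOGON = r'hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon'


def parse_reg(text):
    """Parse a .reg export into {key_path_lowercase: {value_name: value}}.
    Handles REG_SZ ("...") and dword: values, which is all this check needs."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current and line.startswith('"'):
            name, _, raw = line.partition('=')
            name = name.strip('"')
            if raw.startswith('dword:'):
                keys[current][name] = int(raw[6:], 16)
            else:  # .reg doubles backslashes inside string values; undo that
                keys[current][name] = raw.strip('"').replace('\\\\', '\\')
    return keys


def userinit_findings(keys):
    """Return every UserInit entry that is not the expected userinit.exe."""
    value = keys.get(WINLOGON, {}).get('UserInit', '')
    entries = [e.strip() for e in value.split(',') if e.strip()]
    return [e for e in entries if not e.lower().endswith('\\userinit.exe')]


def phishing_filter_disabled(keys):
    """Return PhishingFilter key paths (any hive) where Enabled or EnabledV8 is 0."""
    return [path for path, values in keys.items()
            if path.endswith(r'\internet explorer\phishingfilter')
            and (values.get('Enabled') == 0 or values.get('EnabledV8') == 0)]


if __name__ == '__main__':
    parsed = parse_reg(SAMPLE_REG)
    print('UserInit extras:', userinit_findings(parsed))
    print('PhishingFilter off:', phishing_filter_disabled(parsed))
```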

Information stealing

Win32/Spy.Zbot.YW is a trojan that steals passwords and other sensitive information.

The following information is collected:
  • cookies
  • passwords
  • computer name
  • operating system version
  • Windows Protected Storage passwords and credentials
The trojan collects sensitive information when the user browses certain web sites.

The trojan can send the information to a remote machine.

Other information

The trojan hooks the following Windows APIs:
  • NtCreateThread (ntdll.dll)
  • NtCreateUserProcess (ntdll.dll)
  • NtQueryDirectoryFile (ntdll.dll)
  • HttpSendRequestA (wininet.dll)
  • HttpSendRequestW (wininet.dll)
  • HttpSendRequestExA (wininet.dll)
  • HttpSendRequestExW (wininet.dll)
  • HttpQueryInfoA (wininet.dll)
  • InternetCloseHandle (wininet.dll)
  • InternetReadFile (wininet.dll)
  • InternetReadFileExA (wininet.dll)
  • InternetQueryDataAvailable (wininet.dll)
  • closesocket (ws2_32.dll)
  • send (ws2_32.dll)
  • WSASend (ws2_32.dll)
  • GetClipboardData (user32.dll)
  • TranslateMessage (user32.dll)
  • PFXImportCertStore (crypt32.dll)
The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a URL address. The HTTP protocol is used.

It may perform the following actions:
  • update itself to a newer version
  • block access to specific websites
  • monitor network traffic
  • steal information from the Windows clipboard
  • remove itself from the infected computer
  • run executable files
  • download files from a remote computer and/or the Internet
  • shut down/restart the computer
  • capture screenshots
  • set up a proxy server
  • log keystrokes
  • collect information about the operating system used
  • retrieve information from protected storage and send it to
    the remote computer
  • send gathered information