New ZBot Variant

March 3, 2009

SonicWALL UTM Research Team observed a new ZBot variant being distributed in the wild via drive-by download sites.

This ZBot variant was first seen in the wild on December 31, 2008 via the following malicious site:

  • domainworksite.com/main/REMOVED (This domain is down now)

When executed, the malware performs the following tasks:

  • It runs in the background and allows remote access to the compromised system.
  • It creates the following directory and files:
    • C:\WINDOWS\system32\twain32
    • C:\WINDOWS\system32\twain32\local.ds
    • C:\WINDOWS\system32\twain32\user.ds
    • C:\WINDOWS\system32\twain32\user.ds.lll
    • C:\WINDOWS\system32\twex.exe
  • It creates or modifies the following registry keys:
    • HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
    • HKU\.DEFAULT\Software\Microsoft\Protected Storage System Provider
    • HKU\.DEFAULT\Software\Microsoft\Protected Storage System Provider\S-1-5-18
    • HKU\S-1-5-19\Software\Microsoft\Protected Storage System Provider
    • HKU\S-1-5-19\Software\Microsoft\Protected Storage System Provider\S-1-5-19
    • HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
    • HKU\S-1-5-18\Software\Microsoft\Protected Storage System Provider
    • HKU\S-1-5-18\Software\Microsoft\Protected Storage System Provider\S-1-5-18
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe," (Winlogon launches every comma-separated entry at logon, so appending twex.exe ensures that the malware runs every time Windows restarts)
  • It attempts to disable any Internet proxy settings and the Windows Firewall. It also attempts to acquire the privileges needed to monitor the list of running processes.
  • It tries to resolve the domain uplevela.net and sends the following HTTP request: GET /awstats/admin/conf.sts
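To turn the indicators above into a repeatable check, here is an added triage script; it is not SonicWALL's code and is not part of the original alert. It parses the Winlogon Userinit value the way Winlogon reads it (comma-separated, with userinit.exe expected to be the only entry), matches a directory listing against the dropped files, and scans proxy-log lines for the uplevela.net beacon. The log line format, the sample log lines and the sample file listing are constructed for the example, not captured from a real host.

```python
"""Host and proxy-log triage for the ZBot indicators listed above (added example)."""

# Artifacts taken from the alert; paths are compared case-insensitively.
ZBOT_FILES = {
    r"c:\windows\system32\twain32\local.ds",
    r"c:\windows\system32\twain32\user.ds",
    r"c:\windows\system32\twain32\user.ds.lll",
    r"c:\windows\system32\twex.exe",
}
ZBOT_C2_HOST = "uplevela.net"
ZBOT_C2_PATH = "/awstats/admin/conf.sts"


def userinit_extra_entries(value):
    """Return every comma-separated entry of the Winlogon Userinit value that is
    not userinit.exe itself. Winlogon launches each entry at logon, so any extra
    path is a persistence hook (this variant appends twex.exe)."""
    extras = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue  # trailing comma leaves an empty entry; that is normal
        if entry.lower().rsplit("\\", 1)[-1] == "userinit.exe":
            continue
        extras.append(entry)
    return extras


def matching_files(paths):
    """Return the paths from a directory listing that match the dropped files."""
    return sorted(p for p in paths if p.lower() in ZBOT_FILES)


def scan_proxy_log(lines):
    """Scan constructed proxy-log lines of the form
    'date time client method host path status' and return (line_no, reason)
    for every request that matches the C2 beacon. A host match is strong;
    the path alone is weaker but still worth a look (the same URI on another
    host may be a sinkhole or a moved C2)."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed line; skip rather than crash
        host, path = fields[4].lower(), fields[5]
        if host == ZBOT_C2_HOST:
            hits.append((line_no, "host " + ZBOT_C2_HOST))
        elif path == ZBOT_C2_PATH:
            hits.append((line_no, "path " + ZBOT_C2_PATH + " on " + host))
    return hits


def triage_host(userinit_value, file_paths, proxy_lines):
    """Combine the three checks; the host is flagged if any of them fires."""
    findings = {
        "userinit_extras": userinit_extra_entries(userinit_value),
        "dropped_files": matching_files(file_paths),
        "beacons": scan_proxy_log(proxy_lines),
    }
    findings["infected"] = any(
        findings[k] for k in ("userinit_extras", "dropped_files", "beacons")
    )
    return findings


# Constructed sample data for the example (not from a real host).
SAMPLE_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,"
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\userinit.exe",
    r"C:\WINDOWS\system32\twex.exe",
    r"C:\WINDOWS\system32\twain32\user.ds",
]
SAMPLE_PROXY_LOG = """\
2009-01-05 10:21:03 10.0.0.17 GET www.example.com /index.html 200
2009-01-05 10:21:09 10.0.0.17 GET uplevela.net /awstats/admin/conf.sts 200
2009-01-05 10:22:41 10.0.0.23 GET updates.example.org /awstats/admin/conf.sts 404
""".splitlines()

if __name__ == "__main__":
    for key, val in triage_host(SAMPLE_USERINIT, SAMPLE_FILES, SAMPLE_PROXY_LOG).items():
        print(key, val)
```

On a live host, feed userinit_extra_entries the value read from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit and matching_files a listing of %SystemRoot%\system32; the stock Userinit value on Windows XP is just "C:\WINDOWS\system32\userinit.exe," so anything after the first comma deserves attention even if the path is not twex.exe.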

This ZBot variant is also known as Trojan-Spy.Win32.Zbot.ipx (Kaspersky), Win32/Spy.Zbot.DH (ESET), and Generic PWS.y (McAfee). SonicWALL Gateway Antivirus detects this ZBot variant as GAV: ZBot.IPX (Trojan).