TROJ_ZBOT.BXW
Overview

Malware type: Trojan

Aliases: No Alias Found

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: Low

Description: 

Trend Micro has flagged this threat as noteworthy due to the increased potential for damage, propagation, or both, that it possesses. It also uses social engineering methods to lure users into performing certain actions that may, directly or indirectly, cause malicious routines to be performed.

TROJ_ZBOT.BXW Behavior Diagram

Malware Overview

This is the Trend Micro detection for a ZBOT variant that uses a malicious .LNK file as its startup technique.

The said .LNK file, which exploits the following vulnerability, is detected as LNK_STUXNET.SM.

This malicious file arrives via spammed mail from "Microsoft" containing a password-protected .ZIP file. Inside the .ZIP file are the binary and the .LNK files. The password for the .ZIP file is given in the message of the mail.

It executes only if the malware file and the accompanying .LNK file are both located on the C:\ drive.

If the drive is accessed, the malicious .LNK file executes the malware file.
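The arrival chain above (a password-protected .ZIP attachment carrying a binary next to a .LNK file) can be triaged without knowing the ZIP password, because traditional ZIP encryption protects member contents but leaves member names and the "encrypted" flag readable in the central directory. The following is an added example, not Trend Micro's code or tooling: a mail-gateway style check that flags archives pairing a .LNK with an executable and reports whether the archive is password-protected. The sample archives, the member names (update.exe, update.lnk) and the executable-extension list are constructed for illustration.

```python
import io
import zipfile
from dataclasses import dataclass
from pathlib import PurePosixPath

# Assumption: common Windows executable extensions worth pairing with a .LNK.
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".pif"}

# "L\0\0\0" is the fixed HeaderSize field that opens a Windows Shell Link (.LNK) file.
LNK_HEADER = b"\x4c\x00\x00\x00"

# Bit 0 of the ZIP general-purpose flag marks a member as encrypted.
ZIP_FLAG_ENCRYPTED = 0x1


@dataclass
class ZipLureReport:
    password_protected: bool
    lnk_members: list
    executable_members: list

    @property
    def suspicious(self) -> bool:
        # The lure pattern described for TROJ_ZBOT.BXW: a .LNK shipped next to a binary.
        return bool(self.lnk_members) and bool(self.executable_members)


def inspect_archive(data: bytes) -> ZipLureReport:
    """Classify a ZIP by its directory listing only; no member is extracted."""
    lnk, exe, encrypted = [], [], False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & ZIP_FLAG_ENCRYPTED:
                encrypted = True
            suffix = PurePosixPath(info.filename).suffix.lower()
            if suffix == ".lnk":
                lnk.append(info.filename)
            elif suffix in EXECUTABLE_EXTS:
                exe.append(info.filename)
    return ZipLureReport(encrypted, lnk, exe)


def build_sample_archive(password_protected: bool = True) -> bytes:
    """Constructed sample: a harmless stub binary next to a stub .LNK.

    zipfile cannot write real ZIP encryption, so the encrypted flag is set on the
    central-directory entries only; the listing looks password-protected, which is
    all inspect_archive() examines. The member contents are inert placeholders.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("update.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("update.lnk", LNK_HEADER + b"\x00" * 72)
        if password_protected:
            for zi in zf.filelist:
                zi.flag_bits |= ZIP_FLAG_ENCRYPTED
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed sample: an ordinary archive with no .LNK/executable pairing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", b"quarterly figures\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("lure", build_sample_archive()), ("benign", build_benign_archive())):
        report = inspect_archive(blob)
        print(f"{label}: suspicious={report.suspicious} "
              f"password_protected={report.password_protected} "
              f"lnk={report.lnk_members} exe={report.executable_members}")
```

The check deliberately stays at the directory level: a gateway can quarantine the message or route it to a sandbox on the pairing alone, and the password-protected flag is itself a useful feature, since a legitimate sender rarely ships an encrypted archive whose password is printed in the same e-mail.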

Upon execution, it decrypts an encrypted executable file embedded in its body and runs it. That file is capable of connecting to the following website to download an .EXE file.

It attempts to steal sensitive online banking information, such as user names and passwords. This routine risks the exposure of the user's account information, which may then lead to the unauthorized use of the stolen data.

It bypasses the Windows Firewall. It hooks the APIs to intercept data that the system sends and receives. By hooking these APIs, this Trojan is also capable of intercepting data to and from Mozilla Firefox. It is also capable of stealing private keys from certificates.

It may also take screenshots and log keystrokes. Its configuration file contains links to an updated copy of itself, the online banking websites it monitors, and a drop zone. However, at the time of writing, the downloaded configuration file contains only the links to its updated copy and its drop zone.


Description created: Jul. 26, 2010 1:48:45 PM GMT -0800
