
Trojan-Spy.Win32.Zbot.ikh

Detection added Dec 21 2008
Update released Dec 21 2008 21:50 GMT
Description added Feb 06 2009

Technical details

This Trojan is designed to steal confidential data. It is a Windows PE EXE file. It is 67072 bytes in size.

Installation

The Trojan copies its executable file to the Windows system directory:

%System%\twex.exe

In order to ensure that the Trojan is launched automatically when the system is rebooted, the Trojan adds a link to its executable file in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"userinit" = "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,"

Payload

The Trojan injects its code into all processes running on the victim machine and installs hooks for the API functions shown below:

NtCreateFile
NtQueryDirectoryInformation
LdrLoadDll
LdrGetProcedureAddress
NtCreateThread
EndDialog
DestroyWindow
TranslateMessage
GetClipboardData

The Trojan uses these hooks to track the activity of the WebMoney Keeper application. When the program is used to authorize the user on the payment site, the Trojan harvests the following information:

  • Purse number (WMID);
  • Password;
  • Mode (standard/e-num storage);
  • WebMoney Keeper version;
  • User’s current balance.

The Trojan also searches the system for windows of the following classes:

SunAwtDialog
javax.swing.Jframe

which have the headings shown below:

Вход в систему [Vkhod v sistemu – “Enter system”]
Синхронизация с Банком [Sinkhronizatsiya s Bankom – “Synchronization with bank”]

If the Trojan finds such windows, it searches the folder containing the program which belongs to these windows for the following files:

prv_key.pfx
sign.cer
*.jks
*.db3
*.key
*.cnf

It packs them in an archive:

%Temp%\interpro.cab

The program also harvests data from the clipboard when it is copied to a window and intercepts data entered via the keyboard.

The Trojan intercepts HTTP requests from the addresses shown below:

https://ibank*.ru/*
https://bc.nsk.*.ru/*
https://www.faktura.ru/enter.jsp?site=

The Trojan extracts all web form field values from the harvested web page code using the masks shown below:

*<select
*<option selected
*<input *value="

It sends the harvested data to the remote malicious user’s site:

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Use Task Manager to terminate the malicious program’s process.
  2. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
  3. Modify the following system registry key value to the one shown below:
    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 
    "userinit" = "C:\WINDOWS\system32\userinit.exe, "
  4. Reboot the computer.
  5. Delete the following file:
    %System%\twex.exe
  6. Empty the temporary directory (%Temp%).
  7. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
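The persistence mechanism described under Installation and the manual fix in removal step 3 both come down to the Winlogon "Userinit" value: a clean value names only userinit.exe, while this Trojan appends a second program. The following Python is an added example, not Kaspersky's code, that parses such a value the way Winlogon does (comma-separated, empty entries ignored), flags any entry that is not userinit.exe, and rebuilds the cleaned value; the stock path and the infected value are the ones quoted on this page, and read_live_userinit() assumes it runs on a Windows host with read access to HKLM.

```python
# Stock value quoted on the page for a Windows XP-era install; the file-name
# comparison below is case-insensitive so C:\Windows\System32\... also passes.
DEFAULT_USERINIT = r"C:\WINDOWS\system32\userinit.exe"

# The value this Trojan writes, as quoted on the page (note the trailing comma).
INFECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,"


def userinit_entries(value: str) -> list[str]:
    """Split a Winlogon Userinit value into the programs Winlogon will launch.

    Winlogon runs each comma-separated entry in turn; empty entries (such as
    the one left by the trailing comma), surrounding whitespace and quotes
    are ignored, exactly as they are when the value is parsed at logon.
    """
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]


def suspicious_userinit_entries(value: str) -> list[str]:
    """Return every entry whose file name is not userinit.exe.

    Anything beyond the stock userinit.exe runs at every interactive logon,
    so each extra entry is worth investigating regardless of its name.
    """
    flagged = []
    for entry in userinit_entries(value):
        file_name = entry.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if file_name != "userinit.exe":
            flagged.append(entry)
    return flagged


def cleaned_userinit_value(value: str) -> str:
    """Rebuild the value with only the userinit.exe entry (removal step 3).

    The trailing comma is kept because the stock value carries one too; if the
    value held no userinit.exe at all, the stock path is restored.
    """
    bad = set(suspicious_userinit_entries(value))
    keep = [e for e in userinit_entries(value) if e not in bad]
    return ",".join(keep or [DEFAULT_USERINIT]) + ","


def read_live_userinit() -> str:
    """Read the current value from the registry (Windows only, HKLM read access)."""
    import winreg  # standard library on Windows; fails to import elsewhere
    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
        return value
```

On a live host, pass read_live_userinit() to suspicious_userinit_entries() to check for this kind of persistence; an empty list means only userinit.exe is registered.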
Copyright © 1996 - 2010
Kaspersky Lab