
Trojan-Spy.Win32.Zbot.ikh

Detected Dec 20 2008 21:52 GMT
Released Dec 21 2008 03:05 GMT
Published Feb 06 2009 12:47 GMT


Technical Details

This Trojan is designed to steal confidential data. It is a Windows PE EXE file. It is 67072 bytes in size.

Installation

The Trojan copies its executable file to the Windows system directory:

%System%\twex.exe

In order to ensure that the Trojan is launched automatically when the system is rebooted, the Trojan adds a link to its executable file in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"userinit" = "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,"

Payload

The Trojan injects its code into all processes running on the victim machine and installs hooks for the API functions shown below:

NtCreateFile
NtQueryDirectoryInformation
LdrLoadDll
LdrGetProcedureAddress
NtCreateThread
EndDialog
DestroyWindow
TranslateMessage
GetClipboardData

The Trojan uses these hooks to track the activity of the WebMoney Keeper application. When the program is used to authorize the user on the payment site, the Trojan harvests the following information:

  • Purse number (WMID);
  • Password;
  • Mode (standard/e-num storage);
  • WebMoney Keeper version;
  • User’s current balance.

The Trojan also searches the system for windows of the following classes:

SunAwtDialog
javax.swing.Jframe

which have the headings shown below:

Вход в систему [Vkhod v sistemu – “Enter system”]
Синхронизация с Банком [Sinkhronizatsiya s Bankom – “Synchronization with bank”]

If the Trojan finds such windows, it searches the folder containing the program which belongs to these windows for the following files:

prv_key.pfx
sign.cer
*.jks
*.db3
*.key
*.cnf

It packs them in an archive:

%Temp%\interpro.cab

The program also harvests data from the clipboard when it is copied to a window and intercepts data entered via the keyboard.

The Trojan intercepts HTTP requests from the addresses shown below:

https://ibank*.ru/*
https://bc.nsk.*.ru/*
https://www.faktura.ru/enter.jsp?site=

The Trojan uses the masks shown below to extract all web form field values from the harvested web page code:

*<select
*<option selected
*<input *value="

It sends the harvested data to the remote malicious user’s site:


Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Use Task Manager to terminate the malicious program’s process.
  2. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
  3. Modify the following system registry key value to the one shown below:
    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 
    "userinit" = "C:\WINDOWS\system32\userinit.exe, "
  4. Reboot the computer.
  5. Delete the following file:
    %System%\twex.exe
  6. Empty the temporary directory (%Temp%).
  7. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
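A triage script for the Winlogon persistence described under Installation and undone in step 3 above, added here as an example and not part of the original description. It parses the comma-separated "userinit" value, flags any entry that is not the stock userinit.exe, and looks for the dropped twex.exe and interpro.cab; the registry read is only attempted on Windows, and the assumed default paths (C:\WINDOWS\system32, %TEMP%) are taken from the description.

```python
import os
import sys

# Indicators quoted from the description above: the dropped copy and the archive it builds.
DROPPED_EXE = "twex.exe"
ARCHIVE_NAME = "interpro.cab"
LEGIT_USERINIT = "userinit.exe"
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def parse_userinit(value):
    """Split a Winlogon 'userinit' value into entries (comma-separated, trailing comma allowed)."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def suspicious_userinit_entries(value, system_dir=r"C:\WINDOWS\system32"):
    """Return entries other than <system_dir>\\userinit.exe (case-insensitive full path).
    Winlogon runs every listed program at logon, so an appended path such as
    twex.exe is a persistence hook worth investigating."""
    expected = (system_dir.rstrip("\\") + "\\" + LEGIT_USERINIT).lower()
    return [entry for entry in parse_userinit(value) if entry.lower() != expected]


def read_userinit_from_registry():
    """Read the live value from HKLM; returns None on non-Windows hosts."""
    if sys.platform != "win32":
        return None
    import winreg  # imported lazily so the module also loads on non-Windows hosts
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


def check_host(userinit_value, system_dir, temp_dir):
    """Collect findings: rogue userinit entries plus the dropped executable and archive."""
    findings = ["extra userinit entry: " + e
                for e in suspicious_userinit_entries(userinit_value, system_dir)]
    for path in (os.path.join(system_dir, DROPPED_EXE), os.path.join(temp_dir, ARCHIVE_NAME)):
        if os.path.exists(path):
            findings.append("indicator file present: " + path)
    return findings


if __name__ == "__main__":
    # On Windows read the registry; elsewhere accept the value as the first argument.
    current = read_userinit_from_registry() or (sys.argv[1] if len(sys.argv) > 1 else "")
    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"), "system32")
    for finding in check_host(current, system_dir, os.environ.get("TEMP", "")):
        print(finding)
```

The clean value left by step 3 ("...\userinit.exe, ") parses to a single entry and produces no findings, while the infected value from the Installation section is reported with its appended twex.exe path.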

Trojan-Spy

Trojan-Spy programs are used to spy on a user’s actions (to track data entered by keyboard, make screen shots, retrieve a list of running applications, etc.) The harvested information is then transmitted to the malicious user controlling the Trojan. Email, FTP, the web (including data in a request) and other methods can be used to transmit the data.


Aliases

Trojan-Spy.Win32.Zbot.ikh (Kaspersky Lab) is also known as:

  • Trojan: Generic PWS.y (McAfee)
  • Mal/Generic-A (Sophos)
  • Trojan.Packed.443 (DrWeb)
  • Win32/Kryptik.FH trojan (Nod32)
  • MemScan:Trojan.Spy.Zeus.C (BitDef7)
  • Win32:Zbot-AXP [Trj] (AVAST)
  • TR/Spy.ZBot.ikh (AVIRA)
  • Trojan Horse (NAV)