Feb 18th

Zbot: Don’t become a Victim of this Toxic Trojan

Author: Indre | Files under Fix slow PC

I covered malware such as rootkits, trojans and viruses in my earlier articles; reading them, you could be forgiven for thinking we live in a world of serious diseases. Now get ready for another danger that is hunting for new victims: Trojan-Spy.Win32.Zbot.ikh. One of the latest banking trojans, Zbot attempts to disable the firewall and steal sensitive financial data such as credit card numbers and online banking login details. It also takes screenshots, downloads additional components and gives the attacker remote access to the compromised system.

This threat installs itself in the following way: the Trojan copies its executable file to the Windows system directory:

%System%\twex.exe

To ensure it is launched automatically whenever the system reboots, the Trojan appends its executable to the Winlogon Userinit value in the system registry. On a clean system this value holds a single entry, the genuine userinit.exe followed by a trailing comma; any additional comma-separated path is suspect:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"userinit" = "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,"
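The following is an added example, not code from the original post or from the Trojan's description: it parses a Winlogon Userinit value and reports every entry that is not the genuine userinit.exe, which is exactly the check you would run to spot the twex.exe persistence shown above. The sample values are constructed for the example; the optional registry read uses the standard winreg module and is skipped on non-Windows hosts.

```python
"""Flag extra entries in the Winlogon Userinit registry value (added example)."""
import ntpath  # Windows path handling regardless of the host OS

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample values: a clean system and the infected value from the post.
CLEAN_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"
INFECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,"


def parse_userinit(value: str) -> list:
    """Split the comma-separated Userinit value, dropping the empty trailing entry."""
    return [entry.strip().strip('"') for entry in value.split(",") if entry.strip()]


def unexpected_userinit_entries(value: str, system_dir: str = r"C:\WINDOWS\system32") -> list:
    """Return every entry that is not the genuine userinit.exe (case-insensitive).

    Registry data and NTFS paths are case-insensitive, so the comparison is too.
    A bare "userinit.exe" (no directory) is also accepted as legitimate.
    """
    expected = {ntpath.join(system_dir, "userinit.exe").lower(), "userinit.exe"}
    return [entry for entry in parse_userinit(value) if entry.lower() not in expected]


def read_userinit_from_registry():
    """Read the live Userinit value on Windows; return None elsewhere."""
    try:
        import winreg  # only present on Windows
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
        return value


if __name__ == "__main__":
    live = read_userinit_from_registry()
    for label, value in (("clean sample", CLEAN_USERINIT),
                         ("infected sample", INFECTED_USERINIT),
                         ("this host", live)):
        if value is None:
            continue
        extra = unexpected_userinit_entries(value)
        print(f"{label}: {'SUSPICIOUS ' + str(extra) if extra else 'ok'}")
```

Run it on an affected machine and the live value will list the twex.exe path alongside the constructed infected sample; on a clean host only the constructed sample fires.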

The Trojan also installs hooks that track the activity of the WebMoney Keeper application. When that program is used to authenticate the user on a payment site, the Trojan gathers the following information:

Purse number (WMID);
Password;
Mode (standard/e-num storage);
WebMoney Keeper version;
User's current balance.

The Trojan then searches the system for windows of the following classes:

SunAwtDialog
javax.swing.Jframe

whose titles include one of the following:

[Vkhod v sistemy - "Enter system"]
[Sinkhronizatsiya s Bankom - "Synchronization with bank"]

If the Trojan detects such windows, it searches the folder for the following files:

prv_key.pfx
sign.cer
*.jks
*.db3
*.key
*.cnf


It packs any files it finds into an archive:

%Temp%\interpro.cab

The Trojan also captures clipboard data when it is pasted into a window and logs data entered via the keyboard.

The Trojan intercepts HTTP requests to the addresses matching the masks below:

https://ibank*.ru/*
https://bc.nsk.*.ru/*
https://www.faktura.ru/enter.jsp?site=

From the harvested data the Trojan extracts all web form field values, using masks taken from the web page code.
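Both the file list above and the URL list are wildcard masks, and a defender wants to match against them the same way the Trojan does. The block below is an added example, not code from the post or from the Trojan: one mask-to-regex helper serves both the file names Zbot looks for and the URLs it intercepts, and it is run over a few constructed proxy log lines and a constructed directory listing to show which entries would be targeted. It assumes `*` matches any run of characters and that a mask with no trailing `*` (the faktura.ru one) is a prefix, since the post gives it as the start of a URL.

```python
"""Match file names and URLs against the wildcard masks from the Zbot description (added example)."""
import fnmatch
import re

# Masks exactly as listed in the post.
FILE_MASKS = ["prv_key.pfx", "sign.cer", "*.jks", "*.db3", "*.key", "*.cnf"]
URL_MASKS = [
    "https://ibank*.ru/*",
    "https://bc.nsk.*.ru/*",
    "https://www.faktura.ru/enter.jsp?site=",
]

# Constructed sample data for the example (not real hosts or logs).
SAMPLE_FILES = ["prv_key.pfx", "readme.txt", "keys.JKS", "wallet.db3", "app.cnf", "notes.key.bak"]
SAMPLE_PROXY_LOG = [
    "2009-02-18T10:01:02 10.0.0.5 GET https://ibank.example.ru/login",
    "2009-02-18T10:01:09 10.0.0.5 GET https://www.example.com/news",
    "2009-02-18T10:02:30 10.0.0.5 POST https://bc.nsk.example.ru/pay",
    "2009-02-18T10:03:11 10.0.0.5 GET https://www.faktura.ru/enter.jsp?site=12345",
    "2009-02-18T10:04:00 10.0.0.5 GET https://ibank.example.ru.evil.test/x",
]


def mask_to_regex(mask: str) -> re.Pattern:
    """Compile a mask: '*' becomes '.*', everything else is literal.

    Assumption: masks are prefixes (no '$' anchor), so a mask without a
    trailing '*' still matches a URL that continues after it.
    """
    pattern = ".*".join(re.escape(part) for part in mask.split("*"))
    return re.compile("^" + pattern, re.IGNORECASE)


URL_PATTERNS = [mask_to_regex(mask) for mask in URL_MASKS]


def flag_sensitive_files(names: list) -> list:
    """Return the file names Zbot would pick up (case-insensitive glob match)."""
    return [n for n in names
            if any(fnmatch.fnmatch(n.lower(), mask.lower()) for mask in FILE_MASKS)]


def url_from_log_line(line: str):
    """Pull the first whitespace-separated field that looks like a URL."""
    return next((field for field in line.split() if "://" in field), None)


def flag_targeted_urls(log_lines: list) -> list:
    """Return the URLs in the log that fall under one of the intercepted masks."""
    hits = []
    for line in log_lines:
        url = url_from_log_line(line)
        if url and any(p.match(url) for p in URL_PATTERNS):
            hits.append(url)
    return hits


if __name__ == "__main__":
    print("files at risk:", flag_sensitive_files(SAMPLE_FILES))
    print("targeted requests:", flag_targeted_urls(SAMPLE_PROXY_LOG))
```

Note the last log line: a look-alike host that merely contains "ibank" and ".ru" is not matched, because the mask requires ".ru/" to close the host part; when you extend the mask list from other sources, check each new mask against such near misses before trusting alerts from it.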

When it comes to Trojans, prevention matters most, so make absolutely sure your machine has an up-to-date antivirus. If you suspect an infection, check the Winlogon Userinit value and look for the twex.exe and interpro.cab files named above.

Resources:
A banking Trojan
Description of the Trojan-Spy.Win32.Zbot.ikh
