I covered rootkits, trojans and viruses in my earlier articles, and it is easy to come away with the impression that we live in a world of serious diseases. Here is another danger hunting for new victims: Trojan-Spy.Win32.Zbot.ikh. One of the newer banking trojans, Zbot attempts to disable the firewall and steals sensitive financial data such as credit card numbers and online banking credentials. It also takes screenshots, downloads additional components and gives the attacker remote access to the compromised system.
The threat installs itself as follows. The trojan copies its executable file to the Windows system directory:
To ensure that it is launched automatically after every reboot, the trojan appends a reference to its executable to the Userinit value of the Winlogon key in the system registry (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon); Winlogon runs every program listed in that value at each interactive logon:
“userinit” = “C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,”
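As an added example, not taken from the original article, the following Python check parses a Winlogon Userinit value and flags every entry other than the legitimate userinit.exe, which is how this persistence shows up in a triage script. The sample value is the one quoted above; the default system-root path and the optional live registry read on Windows are assumptions made for illustration.

```python
import ntpath

# The Userinit value quoted in the article (constructed from the text above).
ZBOT_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,"

# Registry location of the value (the standard Windows Winlogon key).
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def parse_userinit(value):
    """Split a Userinit value into its comma-separated program entries.

    Windows itself writes the default value with a trailing comma, so empty
    entries are dropped rather than reported.
    """
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def suspicious_entries(value, system_root=r"C:\WINDOWS"):
    """Return every Userinit entry that is not the legitimate userinit.exe.

    The comparison is case-insensitive and expands a leading %SystemRoot%,
    so the default value is accepted whether or not it uses the variable.
    system_root is an assumed default; pass the real one on a live system.
    """
    expected = ntpath.normcase(ntpath.join(system_root, "system32", "userinit.exe"))
    flagged = []
    for entry in parse_userinit(value):
        expanded = entry
        if entry.lower().startswith("%systemroot%"):
            expanded = system_root + entry[len("%systemroot%"):]
        if ntpath.normcase(expanded) != expected:
            flagged.append(entry)
    return flagged


def read_live_userinit():
    """Windows only: read the live Userinit value through winreg.

    Returns None on non-Windows hosts so the module still imports elsewhere.
    """
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
        return value


if __name__ == "__main__":
    # Fall back to the article's sample value when not running on Windows.
    value = read_live_userinit() or ZBOT_USERINIT
    for entry in suspicious_entries(value):
        print("suspicious Userinit entry:", entry)
```

Run on the sample value, the check reports only the twex.exe entry; on a clean machine it reports nothing. Any extra entry is worth investigating, since legitimate software very rarely registers itself here.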
The Trojan uses these hooks to monitor the WebMoney Keeper application. When the program is used to authenticate the user on a payment site, the Trojan gathers the following information:
Purse number (WMID);
Mode (standard / e-num storage);
WebMoney Keeper version;
User's current balance.
The Trojan then searches the system for windows of the following classes:
whose titles contain the strings given below:
[Vkhod v sistemy - "Enter system"]
Bankom - "Synchronization with bank"]
If the Trojan detects such a window, it searches the folder for the following files:
It packs them in an archive:
The program also captures clipboard data when it is pasted into a window, and logs everything entered via the keyboard.
The Trojan intercepts HTTP requests sent to the addresses listed below:
From the harvested requests, the Trojan extracts every web-form field value, using masks (patterns) derived from the web page's HTML source to locate the fields of interest.
With trojans, prevention matters most, so make sure your machine runs an up-to-date antivirus. It is also worth checking the Winlogon Userinit registry value from time to time: on a clean system it references only the legitimate userinit.exe, so an additional entry such as the twex.exe reference shown above deserves immediate investigation.