Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Win32/Spy.Zbot.QT.Gen

Aliases: Packed.Win32.Krap.ae (Kaspersky), PWS-Zbot.gen.be (McAfee), Trojan.Zbot (Symantec)
Type of infiltration: Trojan
Size: Variable
Affected platforms: Microsoft Windows
Signature database version: 5124 (20100518)

Short description

Win32/Spy.Zbot.QT.Gen is a trojan that steals passwords and other sensitive information. It also serves as a backdoor and can be controlled remotely.

Installation

When executed, the trojan copies itself into the following location:
  • %appdata%\%variable1%\%variable2%.exe
The trojan may create the following files:
  • %appdata%\%variable3%\%variable4%.tmp
  • %appdata%\%variable3%\%variable4%.%variable5%
In order to be executed on every system start, the trojan sets the following Registry entry:
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "%variable6%" = "%appdata%\%variable1%\%variable2%.exe"
The following Registry entries are created:
  • [HKEY_CURRENT_USER\Software\Microsoft\%variable4%]
    "%variable7%" = %configurationdata%
A string with variable content is used instead of %variable1-7% and %configurationdata%.
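The two persistence artifacts above (a Run value pointing into %appdata%\<dir>\<name>.exe, and a configuration value under a non-standard HKCU\Software\Microsoft\<name> key) can be hunted for offline in a registry export. The script below is an added example and not ESET's code: it parses a Windows .reg export (as written by `reg export HKCU\Software\Microsoft out.reg`) and flags both patterns, handling REG_SZ and REG_EXPAND_SZ (hex(2):) encodings and hex continuation lines. SAMPLE_REG is a constructed fragment; the names Ytuqob, ovaqu.exe, Uvtoq, Ipohaz and {A1B2C3D4} are made-up stand-ins for the %variable*% placeholders, not real indicators, and the allowlist of known subkeys is an assumption to be replaced by a clean-host baseline.

```python
"""Offline triage of an HKCU .reg export for Zbot-style persistence artifacts.

Added example, not ESET's code. Sample data below is constructed; the random
looking names are placeholders for the page's %variable*% markers.
"""
import re
from typing import Dict, List, Tuple

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
MS_ROOT = r"HKEY_CURRENT_USER\Software\Microsoft"

# %appdata%\<dir>\<name>.exe, either as the literal variable (REG_EXPAND_SZ)
# or already expanded to a user profile path (REG_SZ).
APPDATA_EXE = re.compile(
    r"^(?:%appdata%|[a-z]:\\users\\[^\\]+\\appdata\\roaming)\\([^\\]+)\\([^\\]+\.exe)$",
    re.IGNORECASE,
)

# Direct children of HKCU\Software\Microsoft that exist on most hosts.
# Assumption: a short starting allowlist; build the real one from a
# known-clean baseline of the same Windows image.
KNOWN_MS_SUBKEYS = {"windows", "windows nt", "internet explorer", "office"}

# Constructed sample export. OneDrive is the benign control entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"{A1B2C3D4}"="C:\\Users\\alice\\AppData\\Roaming\\Ytuqob\\ovaqu.exe"
"Ipohaz"=hex(2):25,00,61,00,70,00,70,00,64,00,61,00,74,00,61,00,25,00,5c,00,\
  41,00,62,00,5c,00,63,00,2e,00,65,00,78,00,65,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Ytuqob]
"Uvtoq"=hex:1f,8b,08,00,4b,cc,4b,49,2d,52,c8,4a,2c,4e,cc,4b,45,00
'''


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of the .reg format needed here: [key] headers and
    "name"=data lines, joining hex continuation lines that end in a backslash."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if line.endswith("\\"):  # hex data continues on the next line
            pending = line[:-1]
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        keys[current][name.strip('"')] = data
    return keys


def decode_value(raw: str) -> str:
    """Turn the textual .reg representation into a usable string.
    REG_SZ is a quoted, backslash-escaped string; REG_EXPAND_SZ is exported as
    hex(2): UTF-16LE bytes. Other types are returned untouched."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    if raw.lower().startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    return raw


def flag_run_entries(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Run values whose data is %appdata%\\<dir>\\<name>.exe, the copy location
    the trojan registers for itself. Returns (value name, decoded path)."""
    hits = []
    for name, data in keys.get(RUN_KEY, {}).items():
        path = decode_value(data).strip('"')
        if APPDATA_EXE.match(path):
            hits.append((name, path))
    return hits


def flag_config_keys(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Values under a non-standard direct subkey of HKCU\\Software\\Microsoft,
    matching [HKCU\\Software\\Microsoft\\%variable4%] "%variable7%" = config."""
    hits = []
    prefix = MS_ROOT.lower() + "\\"
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        sub = key[len(prefix):]
        if "\\" in sub or sub.lower() in KNOWN_MS_SUBKEYS:
            continue
        hits.extend((key, vname) for vname in values)
    return hits


def triage(reg_text: str) -> Dict[str, list]:
    """Run both checks over one export and return the findings by kind."""
    keys = parse_reg(reg_text)
    return {"run": flag_run_entries(keys), "config": flag_config_keys(keys)}


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_REG).items():
        for hit in hits:
            print(f"[{kind}] {hit[0]} -> {hit[1]}")
```

Real `reg export` output is UTF-16LE with a byte-order mark, so read the file with `encoding="utf-16"` before passing it to `triage`. A hit from `flag_run_entries` should then be confirmed on disk (the referenced .exe exists under the user's roaming profile) and cross-checked against the %variable3%\%variable4% temporary files listed above.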

Information stealing

The trojan collects sensitive information when the user browses certain web sites.

The trojan collects information related to the following applications:
  • CoreFTP
  • Far Manager
  • Far Manager 2
  • Filezilla
  • FlashFXP
  • FTP Commander
  • IPSwitch
  • SmartFTP
  • Total Commander
  • WinSCP
  • WS_FTP
The trojan collects the following information:
  • digital certificates
  • cookies
  • passwords
  • Windows Protected Storage passwords and credentials
The trojan can send the information to a remote machine.

Other information

The trojan hooks the following Windows APIs:
  • PFXImportCertStore (crypt32.dll)
  • GetFileAttributesExW (kernel32.dll)
  • PR_Close (nspr4.dll)
  • PR_OpenTCPSocket (nspr4.dll)
  • PR_Read (nspr4.dll)
  • PR_Write (nspr4.dll)
  • LdrLoadDll (ntdll.dll)
  • NtCreateThread (ntdll.dll)
  • NtCreateUserProcess (ntdll.dll)
  • GetClipboardData (user32.dll)
  • TranslateMessage (user32.dll)
  • HttpQueryInfoA (wininet.dll)
  • HttpSendRequestA (wininet.dll)
  • HttpSendRequestW (wininet.dll)
  • HttpSendRequestExA (wininet.dll)
  • HttpSendRequestExW (wininet.dll)
  • InternetCloseHandle (wininet.dll)
  • InternetReadFile (wininet.dll)
  • InternetReadFileExA (wininet.dll)
  • InternetQueryDataAvailable (wininet.dll)
  • closesocket (ws2_32.dll)
  • send (ws2_32.dll)
  • WSASend (ws2_32.dll)
The trojan receives data and instructions for further action from the Internet or from another remote computer within its own network (botnet). The trojan contains a URL. The HTTP protocol is used.

It can execute the following operations:
  • monitor network traffic
  • steal information from the Windows clipboard
  • remove itself from the infected computer
  • shut down/restart the computer
  • capture screenshots
  • set up a proxy server
  • log keystrokes
  • run executable files
  • download files from a remote computer and/or the Internet
  • block access to specific websites