Trojan.Win32.Jorik.Zbot.azk

by Atlantis on May 21st, 2012 in Malware Descriptions.

Platform: Win32
Type: Backdoor
Size: 212992 bytes
Language: C++
MD5: C46566045F4E77F366299479746DC0EA
SHA1: 97F5F2637289E7537461E64D96D13BF359542FB1

Summary

Trojan.Win32.Jorik.Zbot.azk is a malicious program which provides the attacker with unauthorized remote access to the infected machine.

Technical Details

Installation

Once launched, the malware reads the language identifier of the current system locale. If the locale language is one of the following:

Russian (ru)

Ukrainian (uk)

the malware terminates without performing any destructive activity.

Otherwise, the malware copies itself into the following directory:

%APPDATA%\Kali\sunu.exe

To automatically run itself each time Windows is booted, the following registry key is added:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Xeukovho" = "%APPDATA%\Kali\sunu.exe"

The malware protects the added value from modification by re-creating it continuously at short intervals.

The malware hides the dropped copy from directory listings by hooking the following function:

NtQueryDirectoryFile

The malware then launches the "explorer.exe" process and injects its executable code into that process's address space.

Payload

Once launched, the malware performs the following actions:

  • creates a unique identifier with the following name to ensure that only one instance of its process runs on the infected system:

Local\{CC75F62E-045070-095C-B264-E07517E00CFA}

  • stores its current configuration settings in the following registry key:

[HKCU\Software\Microsoft\Xuqy]
"Kybou"

as well as in the following file:

%APPDATA%\Kibu\upgo.ykf

  • changes Internet Explorer security zone settings by modifying the following registry keys:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1609" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1406" = "0"
"1609" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1609" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1406" = "0"
"1609" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1406" = "0"
"1609" = "0"

  • disables the option to delete cookies in Internet Explorer by modifying the following registry key:

[HKCU\Software\Microsoft\Internet Explorer\Privacy]
"CleanCookies" = "0"

  • downloads a configuration file from the intruder server using one of the following URLs:

http://uplvl***greserv.com/strongest/encryption/lvl.php|file=ups.bin
http://uplvs***ine.com/ssl/strong/encryption/lvl.php|file=up.bin
http://upl***rereserv.info/strongest/encryption/lvl.php|file=up.bin

  • depending on the content of the downloaded configuration file, performs any of the following actions on the infected computer:

- update its original file by downloading new versions from the intruder server;

- block antivirus software from running;

- download other files to the infected computer;

- read network traffic to steal the user's confidential information;

- redirect the user to Internet resources of the attacker's choice;

- inject external scripts into HTML pages downloaded by the user;

- collect information about the infected system;

- log keyboard events;

- send the collected information to the intruder server.

Removal Recommendations

  1. Restart the computer in safe mode (press and hold the F8 key as the computer restarts, and then select “Safe Mode” on the boot menu).
  2. Delete the following files:

    %APPDATA%\Kali\sunu.exe
    %APPDATA%\Kibu\upgo.ykf

  3. Delete the following registry keys (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Xeukovho" = "%APPDATA%\Kali\sunu.exe"

    [HKCU\Software\Microsoft\Xuqy]
    "Kybou"

  4. Restore the registry values modified by the malware (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
    "1609"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
    "1406"
    "1609"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
    "1609"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    "1406"
    "1609"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
    "1406"
    "1609"

    [HKCU\Software\Microsoft\Internet Explorer\Privacy]
    "CleanCookies"

  5. Delete the original Trojan file (its file name and location depend on the way the Trojan originally penetrated the user’s computer).
  6. Clean the Temporary Internet Files folder, which contains infected files (How to clean Temporary Internet Files folder).
  7. Run a full scan of your computer using an antivirus program with an updated definition database (Download Ad-Aware Free).
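The file, persistence and registry indicators from the Installation and Payload sections, gathered into a read-only host-triage check that supports the removal steps above. This is an added example, not part of the original description or of Ad-Aware's tooling; it assumes Windows PowerShell 3 or later and uses only the paths and value names given on this page.

```powershell
# Added triage script: looks for the indicators described above and reports them.
# Read-only: it changes nothing, so it can be run before the manual removal steps.
$findings = @()

# Dropped copy and configuration file (paths from the description)
foreach ($p in @("$env:APPDATA\Kali\sunu.exe", "$env:APPDATA\Kibu\upgo.ykf")) {
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

# Persistence: Run value "Xeukovho" under HKCU
$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$rv = Get-ItemProperty -Path $run -Name 'Xeukovho' -ErrorAction SilentlyContinue
if ($rv) { $findings += "Run value Xeukovho = $($rv.Xeukovho)" }

# Key used to store the malware's configuration
if (Test-Path 'HKCU:\Software\Microsoft\Xuqy') {
    $findings += 'Key present: HKCU\Software\Microsoft\Xuqy'
}

# IE zone settings: 1406 = "Access data sources across domains",
# 1609 = "Display mixed content"; a DWORD of 0 means Enable, which is what the
# malware writes. Both values are checked in every zone 0-4, slightly wider than
# the description lists, because any unexpected 0 is worth a look.
$zones = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
foreach ($z in 0..4) {
    $zp = "$zones\$z"
    if (-not (Test-Path $zp)) { continue }
    foreach ($name in '1406', '1609') {
        $val = (Get-ItemProperty -Path $zp -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -ne $val -and $val -eq 0) { $findings += "Zone $z value $name = 0" }
    }
}

# Cookie deletion disabled in Internet Explorer
$priv = 'HKCU:\Software\Microsoft\Internet Explorer\Privacy'
$cc = (Get-ItemProperty -Path $priv -Name 'CleanCookies' -ErrorAction SilentlyContinue).CleanCookies
if ($null -ne $cc -and $cc -eq 0) { $findings += 'CleanCookies = 0' }

if ($findings.Count -eq 0) { 'No indicators from this description were found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Treat zone and CleanCookies hits as corroborating evidence rather than proof on their own, since those values can also be set by a user or by policy; the dropped files and the Run value are the decisive indicators.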