Trojan.Win32.Zbot.dkek

by alexander.adamov on May 17th, 2012 in Malware Descriptions.

Platform: Win32
Type: Trojan
Size: 20480 bytes
Language: C++
MD5: 0523A92D668A8C33C7EF92536745E066
SHA1: 49244ADBB69F7BE1800A703A8B6959A4E72CFEEA

Summary

Trojan.Win32.Zbot.dkek is a malicious Windows dynamic-link library (DLL) that serves as a component of another malicious program. The library is used to inject the code of another malicious library into the address space of web browser processes and to create autorun registry keys.

Technical Details

Installation

Once the library's malicious code is launched in the target process's address space, the library body is copied to the current user's Windows temporary folder under a randomly generated name:

%Temp%\<rnd>.tmp

where <rnd> is a random two-digit hexadecimal number.

Two bytes are then modified in that copy:

The created copy of the dynamic library (DLL) is then loaded and executed.

Payload

Once launched, the code of the malicious library performs the following actions:

  • creates a uniquely named system object with the following name, so that only one instance of its process runs in the system:

systemsmssrvc

  • starts a separate thread that, in an infinite loop with a 3-second interval, injects the library code

C:\DOKUME~1\PC\LOKALE~1\Temp\25.tmp

into the address space of the following web browser processes (Internet Explorer, Mozilla Firefox and Google Chrome):

iexplore.exe
firefox.exe
chrome.exe

  • is able to create an autorun registry key in the following branches:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]

The names and values of the registry keys are read from the malware's data segment.
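The indicators listed under Installation and Payload (the two-hex-digit `.tmp` copy in `%Temp%`, the `systemsmssrvc` object, browser processes with a module loaded from the Temp folder, and Run values pointing at such files) can be checked on a host with the following read-only PowerShell triage script. It is an added example, not part of the original description, and it only reports what it finds; it does not delete anything. Assumptions it makes: the object is a Win32 mutex (the description calls it a "unique identifier"), which is tried both without a namespace prefix and under `Global\` because the description does not say which; `$env:TEMP` is the current user's temporary folder, so browsers running under other accounts are not covered; and the MD5/SHA1 comparison is best-effort, since the Temp copy differs from the original by two bytes.

```powershell
# Added triage script (not from the original page). Read-only: reports indicators only.

$KnownMd5  = '0523A92D668A8C33C7EF92536745E066'   # hashes of the original sample, from the description
$KnownSha1 = '49244ADBB69F7BE1800A703A8B6959A4E72CFEEA'
$MutexName = 'systemsmssrvc'
$Browsers  = 'iexplore', 'firefox', 'chrome'
$RunKeys   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped copy: %Temp%\<rnd>.tmp, where <rnd> is a two-digit hex number.
#    The copy has two bytes modified, so its hash will usually differ from the
#    original; a name match alone is still worth reporting.
Get-ChildItem -Path $env:TEMP -Filter '*.tmp' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^[0-9A-Fa-f]{2}\.tmp$' } |
    ForEach-Object {
        $md5  = (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash
        $sha1 = (Get-FileHash -Path $_.FullName -Algorithm SHA1).Hash
        $tag  = if ($md5 -eq $KnownMd5 -or $sha1 -eq $KnownSha1) { 'KNOWN SAMPLE' } else { 'name pattern only' }
        $findings.Add("Temp file $($_.FullName) [$tag] MD5=$md5 SHA1=$sha1")
    }

# 2. Uniqueness object, assumed to be a mutex. OpenExisting throws
#    WaitHandleCannotBeOpenedException when no object of that name exists.
#    Namespace (none vs. Global\) is not given in the description, so both are tried.
foreach ($name in @($MutexName, "Global\$MutexName")) {
    try {
        $m = [System.Threading.Mutex]::OpenExisting($name)
        $m.Dispose()
        $findings.Add("Mutex '$name' is present")
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # not present: nothing to report
    } catch [System.UnauthorizedAccessException] {
        $findings.Add("Mutex '$name' exists but is not accessible from this account")
    }
}

# 3. Browser processes with a module loaded from the current user's Temp folder
#    (the injection target list from the description). Module enumeration can
#    fail across 32/64-bit or privilege boundaries, so failures are reported, not hidden.
foreach ($proc in Get-Process -Name $Browsers -ErrorAction SilentlyContinue) {
    try {
        $proc.Modules |
            Where-Object { $_.FileName -like "$env:TEMP\*" } |
            ForEach-Object { $findings.Add("$($proc.ProcessName) (PID $($proc.Id)) loaded $($_.FileName)") }
    } catch {
        $findings.Add("Could not enumerate modules of $($proc.ProcessName) (PID $($proc.Id)): $($_.Exception.Message)")
    }
}

# 4. Run values in the two branches named in the description that point into a
#    Temp folder or at a .tmp file. Value names are unknown (read from the
#    malware's data segment), so every value is inspected.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($key in $RunKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in $providerProps) { continue }
        $value = [string]$p.Value
        if ($value -match '\\Temp\\' -or $value -match '\.tmp\b') {
            $findings.Add("Run value '$($p.Name)' in $key -> $value")
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the description were found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Run it from an elevated PowerShell session so that the HKLM branch and the modules of browser processes are readable; a hit on the Run-value or loaded-module checks is the strongest signal, since a lone two-hex-digit `.tmp` file in `%Temp%` can also be left behind by legitimate installers.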

Removal Recommendations

  1. Using Task Manager (How to End a Process with the Task Manager), terminate the following processes:
     iexplore.exe
     firefox.exe
     chrome.exe

  2. Delete the files:
     %Temp%\<rnd>.tmp
     C:\DOKUME~1\PC\LOKALE~1\Temp\25.tmp

  3. Delete the original Trojan file (its file name and location depend on the way the Trojan originally penetrated the user's computer).

  4. Delete the registry keys created by the Trojan in the following branches (How to Work with System Registry):
     [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
     [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]

  5. Run a full scan of your computer using the antivirus program with an updated definition database (Download Ad-Aware Free).