New ZBot Variant (Feb 12, 2009)

The SonicWALL UTM Research Team observed a new ZBot variant being distributed in the wild via drive-by download sites.

This ZBot variant was first seen in the wild on December 31, 2008 via the following malicious site:

  • domainworksite.com/main/REMOVED (This domain is down now)

When executed, the malware performs the following tasks:

  • It runs in the background and allows remote access to the compromised system.
  • It creates the following files and directory:
    • C:\WINDOWS\system32\twain32
    • C:\WINDOWS\system32\twain32\local.ds
    • C:\WINDOWS\system32\twain32\user.ds
    • C:\WINDOWS\system32\twain32\user.ds.lll
    • C:\WINDOWS\system32\twex.exe
  • It creates and modifies the following registry keys:
    • HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
    • HKU\.DEFAULT\Software\Microsoft\Protected Storage System Provider
    • HKU\.DEFAULT\Software\Microsoft\Protected Storage System Provider\S-1-5-18
    • HKU\S-1-5-19\Software\Microsoft\Protected Storage System Provider
    • HKU\S-1-5-19\Software\Microsoft\Protected Storage System Provider\S-1-5-19
    • HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
    • HKU\S-1-5-18\Software\Microsoft\Protected Storage System Provider
    • HKU\S-1-5-18\Software\Microsoft\Protected Storage System Provider\S-1-5-18
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe," (Ensures that it runs every time Windows restarts)
  • It attempts to disable any Internet proxy settings and the Windows Firewall. It also attempts to acquire the privileges needed to monitor the list of running processes.
  • It tries to resolve the uplevela.net domain and sends the following HTTP request: GET /awstats/admin/conf.sts

This ZBot variant is also known as Trojan-Spy.Win32.Zbot.ipx (Kaspersky), Win32/Spy.Zbot.DH (ESET), and Generic PWS.y (McAfee). SonicWALL Gateway Antivirus detects this ZBot variant as GAV: ZBot.IPX (Trojan).
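A host-side check for the artifacts listed above, written as an added PowerShell example that is not part of the original advisory. It assumes an elevated session on the suspect Windows host and derives the system32 path from $env:SystemRoot instead of the hard-coded C:\WINDOWS shown in the advisory.

```powershell
# Added example (not from the SonicWALL advisory): look for the ZBot.IPX
# file, Userinit persistence and per-user registry artifacts listed above.
# Assumption: run elevated so HKLM and all loaded HKU hives are readable.

$sys32 = Join-Path $env:SystemRoot 'system32'

# Files and directory the advisory attributes to this variant.
$fileArtifacts = @(
    (Join-Path $sys32 'twain32'),
    (Join-Path $sys32 'twain32\local.ds'),
    (Join-Path $sys32 'twain32\user.ds'),
    (Join-Path $sys32 'twain32\user.ds.lll'),
    (Join-Path $sys32 'twex.exe')
)

# GUID-named Explorer subkey the advisory lists under the HKU hives.
$explorerGuid = '{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}'

$findings = @()

foreach ($p in $fileArtifacts) {
    if (Test-Path -LiteralPath $p) { $findings += "File artifact present: $p" }
}

# Persistence: Winlogon\Userinit should contain only system32\userinit.exe.
# The variant appends twex.exe so Winlogon launches it as well.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit -ErrorAction SilentlyContinue).Userinit
if ($userinit) {
    $entries = $userinit.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($e in $entries) {
        # Expand %SystemRoot%-style variables and strip quotes before comparing.
        $expanded = [Environment]::ExpandEnvironmentVariables($e).Trim('"')
        if ($expanded -ine (Join-Path $sys32 'userinit.exe')) {
            $findings += "Unexpected Userinit entry: $e"
        }
    }
}

# Per-user registry artifact in every loaded hive (HKU\.DEFAULT, HKU\S-1-5-18, ...).
# The Protected Storage System Provider keys are standard Windows keys, so they
# are not used as an indicator here.
Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue | ForEach-Object {
    $key = "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Explorer\$explorerGuid"
    if (Test-Path -LiteralPath $key) { $findings += "Registry artifact present: $key" }
}

if ($findings.Count -eq 0) { 'No ZBot.IPX artifacts found.' } else { $findings }
```

A DNS or proxy log search for uplevela.net and the GET /awstats/admin/conf.sts request complements this host check, since the files and keys may be renamed in later variants.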
