Bugsalert.com
Security News about Viruses, Spyware,
Trojans, Malware, XSS attacks.

TROJ_ZBOT.OP

This spyware arrives on a system as a file dropped by other malware or as a downloaded file from a remote site.

Upon execution, this spyware drops a copy of itself in the Windows system folder and appends garbage code to the dropped copy to avoid easy detection.

It creates a folder with its attributes set to System and Hidden to prevent users from discovering and removing its components. The said folder contains non-malicious files.

A .BIN file is downloaded from a remote site. For its autostart technique, it modifies a registry key and entry.

This spyware downloads an encrypted configuration file. Once decrypted, the downloaded configuration file contains financial-related Web sites which this spyware monitors. Note that the contents of the file, hence the list of Web sites to monitor, may change any time.

This spyware also creates a remote thread to inject itself into a legitimate process so that it stays memory resident. This routine enables the spyware to run even when the system is started in safe mode.

This spyware attempts to steal sensitive online banking information. When a user attempts to access any of the monitored sites in the configuration file, it captures user input (specifically those entered in the input boxes designed for user names and passwords).

This routine risks the exposure of the user's account information, which may then lead to the unauthorized use of the stolen data.

Stolen information is stored in the affected system. The gathered information is then sent via HTTP POST.
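
The following Python triage script is an added defender-side example; it is not Trend Micro's code and is not part of this write-up. It shows how the two persistence and hiding behaviours described above can be checked for on a host: it parses a constructed registry export for Run-key entries whose program sits directly in the Windows system folder but is not on a baseline allowlist, and it tests folder attribute bits for the Hidden+System combination. It assumes (the page does not say) that the autostart entry is written under one of the standard Run keys and that the dropped copy lives directly in the system folder; the sample export, the allowlist and the file name dropped_copy_EXAMPLE.exe are constructed placeholders.

```python
"""Triage helpers for the persistence and hiding behaviour described above.

Added example, not Trend Micro's code. Assumptions (the page does not state
them): the autostart entry is written under a standard Run key, and the
dropped copy lives directly in the Windows system folder. The registry
export below and the allowlist are constructed for illustration.
"""
import os
import re
import stat
from pathlib import PureWindowsPath

# Real Run keys (assumption: the page says only "a registry key and entry").
RUN_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
# Placeholder baseline of binaries legitimately started from the system folder;
# a real deployment would build this from a known-clean host.
KNOWN_GOOD = {"securityhealthsystray.exe"}

# Constructed `reg export` text; dropped_copy_EXAMPLE.exe is a placeholder name.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"updater"="C:\\Windows\\system32\\dropped_copy_EXAMPLE.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%SystemRoot%\\system32\\SecurityHealthSystray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00
'''

# "name"="data" lines with .reg escaping (\\ and \"). Non-string values
# (hex:, dword:) and the @ default value are ignored here.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return (key, value_name, string_data) triples from a .reg export."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            entries.append((key, _unescape(m.group(1)), _unescape(m.group(2))))
    return entries


def executable_path(command):
    """Extract the program path from a Run-key command line (quoted or not)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe = command[1:end] if end > 0 else command[1:]
    else:
        exe = command.split(" ", 1)[0]  # unquoted: first token is the program
    exe = re.sub(r"%systemroot%", r"C:\\Windows", exe, flags=re.IGNORECASE)
    return PureWindowsPath(exe)


def find_suspicious_autostarts(entries, allowlist=KNOWN_GOOD):
    """Run-key entries whose program sits in the system folder but is not baselined."""
    hits = []
    for key, name, data in entries:
        if key not in RUN_KEYS:
            continue
        path = executable_path(data)
        if str(path.parent).lower() in SYSTEM_DIRS and path.name.lower() not in allowlist:
            hits.append((name, str(path)))
    return hits


HIDE_MASK = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM


def is_hidden_system(attributes):
    """True when BOTH the Hidden and System attribute bits are set."""
    return attributes & HIDE_MASK == HIDE_MASK


def hidden_system_dirs(root):
    """Windows only: subfolders of `root` flagged Hidden+System (empty elsewhere)."""
    found = []
    for entry in os.scandir(root):
        attrs = getattr(entry.stat(follow_symlinks=False), "st_file_attributes", 0)
        if entry.is_dir(follow_symlinks=False) and is_hidden_system(attrs):
            found.append(entry.path)
    return found


if __name__ == "__main__":
    for name, path in find_suspicious_autostarts(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"suspicious autostart {name!r} -> {path}")
    for folder in hidden_system_dirs(os.environ.get("SystemRoot", ".")):
        print(f"hidden+system folder: {folder}")
```

On a live host, feed it the output of `reg export` for the Run keys and point `hidden_system_dirs` at the Windows folder; the attribute check only yields results on Windows, where `os.stat` exposes `st_file_attributes`. Because the dropped copy has garbage appended, its hash will not match a known sample, which is why the checks key on location and attributes rather than on file content.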




Original Source: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_ZBOT.OP
