Analysis Content: Trojan-Spy.Win32.Zbot – Analysis of Malware
Released: 16.11.2008
Author of Analysis: Robert
Contact: robert@novirusthanks.org
Website: http://novirusthanks.org

My friend Steve sent to me some days ago a Trojan-Spy.Win32.Zbot sample and below there is the analysis:

The file I received was named live.exe

and below there is the report of the scan of the file:

Report Generated 17.11.2008 at 12.25.44 (GMT 1)
Time for scan: 23 seconds
Filename: live.exe
File size: 67 KB
MD5 Hash: A785276189E5387AF4C13536CFC76E65
SHA1 Hash: 31E1392EB9793EEDBA74038FBC0AF31382F91B73
CRC32: 2777692707
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
ASCII Strings: View
Detection Rate: 18 on 23

Antivirus Result
a-squared Trojan-Spy.Win32.Zbot.gbr!IK
Avira AntiVir TR/Spy.ZBot.Dro.2
Avast Win32:Downloader-CAT [Trj] (0)
AVG Trojan horse Pakes.ALW
BitDefender Trojan.Spy.Wsnpoem.LE
ClamAV Trojan.Invo-4
Comodo Nothing found!
Dr.Web Trojan.PWS.Panda.31
Ewido Nothing found!
F-PROT 6 Nothing found!
G DATA Trojan-Spy.Win32.Zbot.gbr A
IkarusT3 Trojan-Spy.Win32.Zbot.gbr
Kaspersky Trojan-Spy.Win32.Zbot.gbr
McAfee Spy-Agent.bw trojan
NOD32 v3 Win32/Spy.Agent.NKC trojan
Norman Trojan W32/Banker.DWVI ()
Panda Nothing found!
QuickHeal TrojanSpy.Zbot.gbr
Solo Antivirus Infection Trojan.Spy.Win32.Zbot.Gbr
Sophos Mal/EncPk-CZ
TrendMicro Nothing found!
VBA32 Trojan-Spy.Win32.Zbot.gbr
VirusBuster TrojanSpy.ZBot.Gen!Pac.5

PE Import Tables:

kernel32.dll
+OpenFileMappingA
+DeleteFileA
+DeleteFileW
+GetLastError
+ExitThread
+DeleteAtom
+GetCPInfo
+GetComputerNameA
+GetFileSize
+GetStdHandle
+ReadFile
+GlobalFree
+WriteFile
+GetCommandLineA
+CreateProcessA
+Sleep
+GetConsoleMode
+CreateThread
+FindAtomA
kernel32.dll
+ExitThread
+GlobalFree
+CopyFileExW
+CopyFileW
+GetFileSize
+ReadFile
+GetFileTime
+DeleteFileW
+FindFirstFileA
+GetCommandLineA
+GetStdHandle
+CreateDirectoryA
+OpenFile
+SetLastError
+DeleteAtom
+GetConsoleMode
user32.dll
+IsMenu
+InsertMenuA
+DrawTextW
+GetWindowTextLengthA
+AppendMenuW
+DialogBoxParamW
+GetFocus
+GetWindowTextA
+GetDlgItem
+GetCursor
+CopyIcon
+EndDialog
+CalcMenuBar
+CreateIcon
+BlockInput
+GetMenu
+GetDC
+DrawIconEx
+CloseWindow
+AlignRects
+IsWindow
+DialogBoxParamA
+LoadCursorA
+CopyImage
user32.dll
+CreateIcon
+GetFocus
+BlockInput
+InsertMenuA
+EndDialog
+DrawTextA
+AlignRects
+GetWindowTextLengthA
+IsWindow
+CloseWindow
+CopyImage
+GetDlgItem
+AppendMenuW
+LoadCursorA
+LoadMenuA
+DrawIcon
+CopyIcon
+GetDC
+GetMenu
+DrawIconEx
+GetCursor
+DialogBoxParamW
+CopyRect
kernel32.dll
+GetConsoleMode
+GetCPInfo
+ExitThread
+GetComputerNameA
+GetStdHandle
+ReadFile
+CreateProcessA
+CreateThread
+SetLastError
+CreateDirectoryA
+DeleteAtom
+WriteFile
+Sleep
+CopyFileW
+GetFileSize
+GetFileTime
+CopyFileExW
comctl32.dll
+ImageList_DragLeave
+ImageList_GetIcon
comctl32.dll
+ImageList_Copy
comctl32.dll
+ImageList_Merge
advapi32.dll
+RegCreateKeyW

When I started this .EXE some files was copyed in C:\WINDOWS\system32\ and below there is the list:

C:\WINDOWS\system32\twext.exe
C:\WINDOWS\system32\twain_32
C:\WINDOWS\system32\twain_32\local.ds
C:\WINDOWS\system32\twain_32\user.ds
C:\Documents and Settings\NetworkService\Application Data\twain_32
C:\Documents and Settings\NetworkService\Application Data\twain_32\user.ds
C:\Documents and Settings\LocalService\Application Data\twain_32
C:\Documents and Settings\LocalService\Application Data\twain_32\user.ds

Below there is the report of the scan of the file twext.exe:

Report Generated 17.11.2008 at 12.47.07 (GMT 1)
Time for scan: 23 seconds
Filename: twext.exe
File size: 244 KB
MD5 Hash: 1C6A2494488D455757B8B69CF499C6A0
SHA1 Hash: 27CFCD52F3AADC153976AFB12AFDB7AEC1CFF043
CRC32: 288333931
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found [Overlay] *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
ASCII Strings: View
Detection Rate: 16 on 23

Antivirus Result
a-squared Trojan-Spy.Win32.Zbot.gbr!IK
Avira AntiVir TR/Spy.ZBot.Dro.2
Avast Win32:Downloader-CAT [Trj] (0)
AVG Trojan horse Pakes.ALW
BitDefender Trojan.Spy.Wsnpoem.LE
ClamAV Trojan.Invo-4
Comodo Nothing found!
Dr.Web Trojan.PWS.Panda.31
Ewido Nothing found!
F-PROT 6 W32/Trojan3.HR (exact)
G DATA Trojan-Spy.Win32.Zbot.gbr A
IkarusT3 Trojan-Spy.Win32.Zbot.gbr
Kaspersky Trojan-Spy.Win32.Zbot.gbr
McAfee Nothing found!
NOD32 v3 Win32/Spy.Agent.NKC trojan
Norman Trojan W32/Banker.DWVI ()
Panda Nothing found!
QuickHeal TrojanSpy.Zbot.gbr
Solo Antivirus Nothing found!
Sophos Mal/EncPk-CZ
TrendMicro Nothing found!
VBA32 Trojan-Spy.Win32.Zbot.gbr
VirusBuster Nothing found!

The files located in C:\WINDOWS\system32\ were Hidden from Explorer search as shown in image below:

Below there is an image of the encrypted content of the file user.ds:

The file C:\WINDOWS\system32\twext.exe was injected in the process winlogon.exe and started to send traffic to this host:

==================================================
Index : 4
Protocol : TCP
Local Address : 192.168.1.4
Remote Address : 91.203.93.29
Local Port : 1039
Remote Port : 80
Local Host :
Remote Host :
Service Name : http
Packets : 10
Data Size : 828 Bytes
Total Size : 1.403 Bytes
Capture Time : 17/11/2008 12.21.31:078
==================================================

GET /fidel/conf.bin HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: ddtfff.ru
Pragma: no-cache

HTTP/1.1 404 Not Found
Date: Mon, 17 Nov 2008 18:53:05 GMT
Server: Apache/2
Content-Length: 392
Connection: close
Content-Type: text/html; charset=iso-8859-1

But unfortunately the file GET /fidel/conf.bin HTTP/1.0 that the malware try to download every X number of time

does not exist anymore and i cannot analyze it.

Below there is a small summary of this malware activity: