Spyware.Zbot.351744
種類
Spyware
危険度/拡散度
/
発見日
[korea] 2009-03-02 [Foreign] 2009-03-01
Virobot対応
2009-03-02 [Able to detect & repair]
[Summary] [Spyware.Zbot.351744] modifies the security settings of infected system and includes Keylogger that records user's all keyboard inputting. (User name, ID, Password, Card number, etc.) [Spyware.Zbot.351744] is injected to Winlogon.exe by handle type without sharing authority, so that is cannot check the file existence by windows explorer. [PIC 1]Malicious codes files without sharing authority [PIC 2]Check hidden files and folders by GMER Also, it changes user system's firewall status to [Do not use] like [PIC 3], thus the malicious codes do not get any interruptions for acting. [PIC 3]Modified firewall settings

[Detailed Information] *Related malicious codes* Spyware.Zbot.Dr.62976 *Related URLs* http://193.***.***.55/hhttpp/freez.bin http://193.***.***.55/hhttpp/s.php *File* [Spyware.Zbot.351744] creates files like below. (System Folder)\lowsec\local.ds (System Folder)\lowsec\user.ds (System Folder)\lowsec\user.ds.lll (System Folder)\sdra64.exe *Folder* [Spyware.Zbot.351744] creates folders like below. (System Folder)\sdra64.exe *Registry* [Spyware.Zbot.351744] creates registries like below. HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile Name: EnableFirewall Value: 0x00000000 [Spyware.Zbot.351744] modifies registries like below. [Before] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: Userinit Value: C:\WINDOWS\system32\userinit.exe, [After] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: Userinit Value: C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe, *Notation* - "(All Users Account Folder)" is could be different by user configurations, and generally this is "C:\Documents and Settings\(All Users Account)". - "(Desktop Folder)" could be different by OS and generally this is "C:\Documents and Settings\(User Account)\Desktop". - "(Quick Launch folder)" could be different by OS and generally this is "C:\Documents and Settings\(User Account)\Application Data\Microsoft\Internet Explorer\Quick Launch" - "(Temporary Folder)" could be different by OS and generally this is "C:\Documents and Settings\(User Account)\Local Settings\Temp". - "(Programs Folder)" could be different by OS and generally this is "C:\Program Files". - "(Windows Folder)" could be different by OS and generally this is "C:\Windows (Windows 95/98/Me/XP), C:\Winnt (Windows NT/2000)". - "(System Folder)" could be different by OS and generally this is "C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), C:\Windows\System32 (Windows XP)".
[How to repair] 1. If you are WinXP/ME users, please be inactivate System Recovery Function. The reason why being inactivate of the system recovery is to clean the virus completely. You can refer to MS technical documents(Q263455) for more details. 2. Update the engine module for the latest one. To repair this virus, you need to update the engine for the latest one. a. ViRobot products users -Download the latest engine files via our website (www.hauri.net) b. Non-ViRobot products users - Use the LiveCall (Free Scan) via the website (http://www.livecall.co.kr) - Use the trial version of ViRobot products (30days only) 3. How to scan the virus. a. Run your ViRobot, and choose all files in scan option. - ViRobot Desktop 5.x : [Tools] -> [Configuration] -> [Spyware/Adware Scan] : Check all files - LiveCall (Free Scan) : [Advanced Scan] : Check b. Repair all viruses detected.