The j.jar file contains the Uutecwv.class file, which exploits the Java getSoundBank vulnerability (CVE-2009-3867).
2. Flash Player exploits for different versions.
Information regarding the vulnerabilities can be found in these links:
3. Adobe PDF Exploits
It uses an iframe tag to load the file img.php; img.php is the crafted PDF file.
It exploits the vulnerability in the Collab.getIcon function (CVE-2009-0927). Additionally, it exploits a buffer overflow through a specially crafted PDF containing a malformed Collab.collectEmailInfo() call (CVE-2007-5659).
5. Internet Explorer Exploit
Use-after-free vulnerability in the Peer Objects component (aka iepeers.dll) in Microsoft Internet Explorer (CVE-2010-0806).
6. The Microsoft Office Web Components Spreadsheet ActiveX control (aka OWC10 or OWC11) vulnerability (CVE-2009-1136).
Successful exploitation of any of these vulnerabilities allows arbitrary code execution, which is used to download and execute the Zeus malware on the unsuspecting user's machine.
Once installed on the user's machine, Zeus drops a copy of itself into the Windows system folder as sdra64.exe, sets the file's timestamps to match those of %SystemFolder%\ntdll.dll (a timestomping trick that keeps the dropped file from standing out in a listing sorted by date), and sets the hidden, system, read-only and archive attributes on it.
It also creates a folder named lowsec, with the hidden attribute, in the Windows system folder, and creates the following files there:
These are the configuration file and the log file that Zeus uses to gather and store the information it steals.
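The timestamp-copying trick described above can be reproduced on throwaway files and, more usefully for a responder, detected: two unrelated files almost never share identical access and modification times down to the nanosecond, so an exact match with a system DLL such as ntdll.dll is worth a look. The script below is an added example and not PC Tools' code; the directory, the 16-byte stand-in files and the 2004-era timestamp are constructed, and the attribute changes (hidden/system/read-only/archive) are not reproduced because they are Windows-specific.

```python
"""Timestomp demonstration and detection on constructed files (added example)."""
import os
import tempfile


def clone_timestamps(src, dst):
    """Give dst exactly the access and modification times of src.

    This is the effect the dropper achieves when it copies ntdll.dll's
    times onto sdra64.exe; os.utime with nanosecond values is used here.
    """
    st = os.stat(src)
    os.utime(dst, ns=(st.st_atime_ns, st.st_mtime_ns))


def files_cloning_timestamps(directory, reference):
    """Return names of regular files in directory whose atime and mtime both
    equal those of reference, to the nanosecond.  reference itself is skipped."""
    ref = os.stat(reference)
    hits = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path) or os.path.samefile(path, reference):
            continue
        st = os.stat(path)
        if (st.st_atime_ns, st.st_mtime_ns) == (ref.st_atime_ns, ref.st_mtime_ns):
            hits.append(name)
    return hits


def demo():
    """Build a constructed 'system folder', stomp one file in it and return
    the names the detector flags (expected: only the stomped file)."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-ins; nothing here is a real system binary.
        for name in ("ntdll.dll", "sdra64.exe", "kernel32.dll"):
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"\x00" * 16)
        ref = os.path.join(d, "ntdll.dll")
        old_ns = 1_100_000_000 * 1_000_000_000   # an old (2004-era) timestamp
        os.utime(ref, ns=(old_ns, old_ns))          # give the "DLL" an old date
        clone_timestamps(ref, os.path.join(d, "sdra64.exe"))
        return files_cloning_timestamps(d, ref)


if __name__ == "__main__":
    print(demo())
```

On a real host the same comparison would be run over the system folder against the genuine ntdll.dll; a file that matches exactly is a candidate for the dropper regardless of the name it was given.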
This Zeus bot malware also has an autostart technique: it appends %SystemFolder%\sdra64.exe to the Userinit value of the Winlogon registry key, so that the bot is started alongside userinit.exe at every logon:
Userinit = %Original value%
becomes
Userinit = "c:\Windows\System32\userinit.exe, c:\Windows\System32\sdra64.exe,"
If the bot fails to modify the registry entry above, it creates the following autostart registry entry instead:
userinit = "%SystemFolder%\sdra64.exe"
This Zeus bot malware disables Windows Firewall by creating the following registry entry:
EnableFirewall = dword:00000000
It also creates the following registry entry, which serves as the bot's identifier for the infected machine:
UID = "%ComputerName%_%HexNumber%"
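The two registry changes above (the Userinit hijack and the disabled firewall) are easy to check for in a registry export. The script below is an added example, not PC Tools' code: it parses a constructed `reg export`-style text and flags any Userinit entry that is not userinit.exe itself (so it would catch a renamed dropper, not only sdra64.exe) and any EnableFirewall value set to zero. The key paths in the sample (the standard Winlogon key and the StandardProfile FirewallPolicy key) are assumed locations for illustration, since the post does not name them.

```python
"""Scan a .reg export for the Zeus/Zbot Userinit and firewall indicators (added example)."""
import re

# Constructed sample export of an infected machine (assumed key paths, not a capture).
INFECTED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\sdra64.exe,"
"Shell"="Explorer.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
'''

# Constructed sample export of a clean machine for comparison.
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"Shell"="Explorer.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001
'''

_VALUE_LINE = re.compile(r'"([^"]+)"=(.*)$')


def parse_reg(text):
    """Return {key_path: {value_name: raw_value}} from .reg text.

    Quoted string values have their surrounding quotes removed and the
    doubled backslashes of the .reg format collapsed; dword values are kept
    as the literal 'dword:XXXXXXXX' token.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = _VALUE_LINE.match(line)
            if m:
                name, raw = m.group(1), m.group(2)
                if raw.startswith('"') and raw.endswith('"'):
                    raw = raw[1:-1].replace("\\\\", "\\")
                keys[current][name] = raw
    return keys


def zeus_indicators(reg_text):
    """Return a list of (indicator, key_path, detail) tuples."""
    findings = []
    for path, values in parse_reg(reg_text).items():
        lowered = {n.lower(): v for n, v in values.items()}
        # Anything other than userinit.exe in Winlogon\Userinit runs at every logon.
        if path.lower().endswith("\\winlogon") and "userinit" in lowered:
            for entry in lowered["userinit"].split(","):
                entry = entry.strip()
                if entry and entry.rsplit("\\", 1)[-1].lower() != "userinit.exe":
                    findings.append(("userinit_hijack", path, entry))
        # EnableFirewall = 0 in any FirewallPolicy profile means the firewall is off.
        if "enablefirewall" in lowered:
            raw = lowered["enablefirewall"]
            if raw.lower().startswith("dword:") and int(raw[6:], 16) == 0:
                findings.append(("firewall_disabled", path, raw))
    return findings


if __name__ == "__main__":
    for hit in zeus_indicators(INFECTED_REG):
        print(*hit, sep="  ")
    print("clean export:", zeus_indicators(CLEAN_REG))
```

The fallback entry the post mentions (a userinit value created elsewhere when the Winlogon key cannot be modified) would be caught by the same Userinit check as long as the export includes that key, because the check keys on the value name, not on a fixed path.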
This Zeus/Zbot malware also attempts to gather information from the FTP applications below, stealing stored FTP server addresses and, where available, the associated usernames and passwords.
• Total Commander
This Zeus bot malware injects its code into certain processes, one of which is the Windows winlogon.exe process.
The code injected into winlogon.exe is in turn capable of injecting further code into svchost.exe, and that code downloads the malware's configuration file.
The code injected into svchost.exe decrypts the URL from which the configuration file is downloaded and contains the routine that decrypts the downloaded configuration file.
The configuration file essentially contains the following:
• URLs of updated copies of the bot itself
• URLs of further configuration files
• HTML/script code that the Zeus bot injects to fake the login pages of bank sites
• Bank sites on which the bot monitors for information to steal
• Non-bank sites on which the bot also monitors for account information to steal
This Zeus bot malware is detected by PC Tools as Trojan-Spy.Zbot.YETH.
PC Tools strongly advises making sure that your signatures are up to date by using Smart Updates, so that you are protected against current and upcoming web threats.
~Jonathan N. San Jose
Malware Research Analyst