About:
W32/Zbot-IP is part of the Zbot family of data-stealing malware. The ZBot family, also known as Zeus, steals information including banking details, credentials for social networking sites, email/FTP accounts and web form contents.
ZBot malware may arrive through spam emails, either as an attachment to the email message or as a link. This particular variant, W32/ZBot-IP, arrived via spam emails posing as IRS messages.
When run, W32/Zbot-IP copies itself to:
<SYSTEM>\sdra64.exe
However, the malware uses rootkit techniques to hide this file from view.
The following data files may also appear on an infected system:
<SYSTEM>\lowsec\local.ds
<SYSTEM>\lowsec\user.ds
These are data files used by the malware to store stolen data. Unlike the malware binary, these files are not hidden via rootkit techniques.
W32/Zbot-IP appends its path to the following registry entry to run on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
<ORIGINAL_VALUE>, <SYSTEM>\sdra64.exe
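As an added triage example (not code from the Sophos description), the following Python parses a Winlogon\Userinit value as exported from the registry, reports any entry beyond the stock userinit.exe, and checks for the lowsec data files; the system directory, the sample Userinit value and the sample file list are constructed assumptions. Because the binary itself is hidden by the rootkit, the appended Userinit entry is the artefact a file scan cannot hide.

```python
import ntpath

# Assumed system directory for this example; on a real host read it from %SystemRoot%.
SYSTEM_DIR = r"C:\Windows\system32"

# Artefacts described in the advisory, relative to the system directory.
ZBOT_BINARY = "sdra64.exe"
ZBOT_DATA_FILES = (r"lowsec\local.ds", r"lowsec\user.ds")

# Constructed sample values: an infected Userinit value (original value plus the
# appended sdra64.exe path) and the files a directory listing would show.
SAMPLE_USERINIT = r"C:\Windows\system32\userinit.exe, C:\Windows\system32\sdra64.exe,"
SAMPLE_FILES = [
    r"C:\Windows\system32\lowsec\local.ds",
    r"C:\Windows\system32\lowsec\user.ds",
]


def parse_userinit(value: str) -> list[str]:
    """Split a comma-separated Userinit value, dropping blanks and stray spaces."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def extra_userinit_entries(value: str, system_dir: str = SYSTEM_DIR) -> list[str]:
    """Return every Userinit entry that is not the stock userinit.exe."""
    default = ntpath.normcase(ntpath.join(system_dir, "userinit.exe"))
    return [e for e in parse_userinit(value) if ntpath.normcase(e) != default]


def zbot_findings(userinit_value: str, present_files, system_dir: str = SYSTEM_DIR) -> list[str]:
    """Combine the Userinit check with a look for the (unhidden) lowsec data files."""
    findings = []
    for entry in extra_userinit_entries(userinit_value, system_dir):
        if ntpath.basename(entry).lower() == ZBOT_BINARY:
            findings.append(f"Userinit launches Zbot binary: {entry}")
        else:
            findings.append(f"Unexpected Userinit entry: {entry}")
    # sdra64.exe is rootkit-hidden, so only the data files are expected in a listing.
    present = {ntpath.normcase(p) for p in present_files}
    for rel in ZBOT_DATA_FILES:
        full = ntpath.join(system_dir, rel)
        if ntpath.normcase(full) in present:
            findings.append(f"Zbot data file present: {full}")
    return findings


if __name__ == "__main__":
    for line in zbot_findings(SAMPLE_USERINIT, SAMPLE_FILES):
        print(line)
```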
W32/Zbot-IP contacts the IP address 195.93.208.106 to download configuration data using HTTP GET requests. The malware also periodically sends the stolen data via HTTP POST to the same IP address. These requests are made approximately every 3 minutes.
The initial installation of W32/ZBot-IP triggers the Sophos runtime protection rule HIPS/FileMod-001.
The Zeus Tracker project monitors ZBot/Zeus command & control servers, and provides an IP blocklist for well-known Zeus hosts. You can find out more about this project at its official homepage.
The Zeus Tracker reports that another ZBot binary is hosted on the same IP address contacted by W32/ZBot-IP. Sophos detects this binary as Mal/Generic-A.
Users scanning the file sdra64.exe with Sophos Anti-Virus default settings may log an access error due to the rootkit techniques employed by the malware. Should you get this error, please scan your system using the Sophos Anti-Rootkit to detect and remove the threat.