Zbot Virus --- on Microsoft Windows

ALERT! --- 2009 Mar

alias, the "Spyware Protect 2009" virus

(2009 Mar 17 blog post)

!Preliminary! A little more information, and more links, may be added later.


This is an open letter to Microsoft --- and the U.S. Congress and Executive and Judicial departments.

It's ridiculous that, after years of talk by Microsoft that they are improving the security of their operating systems, it is still a common occurrence that a computer-fraudster from half-way around the world can install programs and registry entries onto the typical Microsoft Home operating system setup --- while at the same time Microsoft makes it ultra-hard for the owner of the computer, sitting at the computer, to remove (or at least de-activate) those installed programs.

People need to bring lawsuits against Microsoft for making it so easy for remote computer-criminals to install programs on Microsoft Home computers --- nasty programs that make the computer essentially useless until user-data is backed up and the operating system is re-installed, and user data and programs re-installed.

The mail threads at on-line computer forums indicate that hundreds of thousands of man-hours are wasted each year in dealing with these infections.

And, further, there is the exposure to (and likelihood of) identity theft in most of those instances. See below.

Microsoft needs to be sued until they take some of the steps mentioned within this blog post (2009) and my previous infection blog post (2007) --- for a different, but similar, trojan-horse-style 'infection' of an older Microsoft operating system.

The 2007 blog post, along with this one, provides specific details on how Microsoft should be considered an 'accessory' in these kinds of crimes. Microsoft can do some things to drastically reduce these 'infections', but their responses are pathetically weak.

There are multiple improvements that Microsoft should be making to the Microsoft 'Home' operating system releases. They are dragging their feet --- apparently, for fear of losing customers if their security fixes remove some user-friendliness (ease-of-use), and for fear of causing an increase in calls for help, to Microsoft call centers.

The following text is based on the text that I sent to Kaspersky Labs at

after I read their description of this "trojan horse" virus.

Introduction to this particular 'infection' :

A variant of the Zbot virus infected my wife's computer [Windows XP Home] on 14Mar2009. After doing a web search on this particular infection, which was revealed by constant popups that advertised a "Spyware Protect 2009" product, I found the following quote on this particular 'trojan horse' infection.

"These programs are used by cyber-criminals to steal any bank information from computers." --- from http://support.kaspersky.com/faq/?qid=208280039

Some characteristics of this infection, beyond the irrepressible popups, are listed in a section below.

The site "threatexpert.com" shows about 14 reports between late Feb and mid March 2009 with characteristics of this type of virus --- the unremovable 'lowsec' directory (folder) inserted into the Windows 'system32' folder. Some 'threatexpert.com' report links :

  1. 2009 Mar 16
  2. 2009 Mar 14
  3. 2009 Mar 11
  4. 2009 Mar 10
  5. 2009 Mar 10
  6. 2009 Mar 08
  7. 2009 Mar 08
  8. 2009 Mar 07
  9. 2009 Mar 04
  10. 2009 Mar 04
  11. 2009 Mar 04
  12. 2009 Mar 01
  13. 2009 Feb 28
  14. 2009 Feb 27

And here is an Asian alert (at hauri.net).

This 'initial' list of incidents indicates that there is going to be a huge amount of identity theft (and thus bank-depositor theft) in the next several months.

    (Note that 'lowsec' apparently is an abbreviation for 'low security'. These computer crackers apparently did not feel a need to choose a more obtuse name.)

More features of this infection (and some Microsoft failings revealed)

On my wife's machine, I see files 'lowsec\local.ds' and 'lowsec\user.ds' in the directory C:\windows\system32\ . BUT I can't remove them, even in so-called 'safe' bootup mode -- even with utilities like "unlocker", that some people have used in less-insidious infections. But "unlocker" shows why I can't remove the files --- the process 'winlogon.exe' is using the files.

Microsoft, for decades now, won't give us computer owners a way to remove files while they are in-use --- even though these files are inserted on owner machines by anti-social 3rd parties.

NOR does Microsoft give us a way to remove the 'hidden' executable files that re-create these files on bootup, since Microsoft protects all files in Microsoft system directories, even files put there by some '3rd party' criminal remotely accessing your computer.

    [There should be a 'force' option on the Microsoft file-delete command. AND, Microsoft should supply a utility that shows what process is 'locking' a file. I shouldn't have to use a third-party utility.]

Even in Microsoft's 'safe' bootup mode(s), 'winlogon.exe' runs and 'ties-up' the new inserted files. Hence I cannot delete these criminally-inserted files, nor any other file 'in use' by a process gone out of control.

The "unlocker" utility, which executes during boot-up, couldn't delete the criminal-files either. Apparently, "unlocker" does its work on bootup AFTER the 'winlogon.exe' process starts.

I could have a go at using a Linux 'Live CD' to remove the files. Microsoft gives us no way out of this mess, but Linux might.

Private Data out the 'back-door'

As part of this infection, there are probably 'back-door' programs that send data out onto the Internet. I should not connect the infected computer to the Internet until I have removed these programs.

    Unfortunately, when my wife first alerted me to the problem, I investigated for quite a while without disconnecting from the Internet. I heard a lot of disk drive activity. I should have pulled the network cord out of the back of the computer, first thing. I told my wife to check her credit card and bank statements extra carefully in coming months.

Unfortunately, these 'back-doors' have probably already sent out a lot of data --- AND the lame Microsoft firewall (circa 2000-2009) does not warn you of data being sent out, only of (some) incoming events. And now the Microsoft firewall is gone (de-activated, apparently by this virus), and there is no sense in getting a better firewall working, until I re-install a clean operating system and file structure.

What a LAME operating system!

    [I can see from the 'threatexpert.com' reports above that many registry entries have surely been compromised --- far more than the usual suspects, like the run-program-at-bootup entries. For example, Internet Explorer registry entries.]

Some Quirky Characteristics of this particular infection :

This virus was using 'iexplore.exe' (Internet Explorer) to play music, at random times, on this machine --- apparently streaming from across the internet. I pulled the ethernet cable, and the sound stopped within 10 secs. I finally renamed iexplore.exe to stop it from starting up.

Also, this virus infected the browser, whether using IE or Firefox, by redirecting 'clicks', randomly and frequently, to other sites. The web browser in use seemed to use a Google plugin, or counterfeit, in C:\Program Files\Google\GoogleToolbarNotifier\, to aid in this.

A unique thing about this infection was that it kept going to a web page promoting a phony product called "Spyware Protect 2009". And it kept going to other spyware web sites --- probably written and controlled by the same people.

It seems that the perpetrators might be trackable via these web sites --- or via the IP-addresses and domain names that their software seems to connect to, as reported in the 'threatexpert.com' reports.

Also, this infection removed the Windows Firewall and Antivirus software on next bootup. The shield icon no longer shows up on the lower right of the task bar.
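As an added triage example (not the author's code, and not Kaspersky's ZbotKiller), the Python below walks a Windows drive mounted from a clean system and reports the file artefacts this post names: the 'lowsec' folder and its .ds files under system32, and the GoogleToolbarNotifier binaries for signature or hash verification. It also notes an absent iexplore.exe, an assumption drawn from the author's renaming of that file; the folder layout and file contents in `demo()` are constructed, not captured from a real machine.

```python
"""Triage check for the Zbot / "Spyware Protect 2009" file artefacts named in the post.
Illustration only: run it against the infected drive mounted from a clean OS
(e.g. a Linux Live CD), never from inside the infected Windows itself."""
from __future__ import annotations
import tempfile
from pathlib import Path

LOWSEC_FILES = ("local.ds", "user.ds")  # names quoted in the post

def find_zbot_indicators(win_root) -> dict[str, list[str]]:
    """Return {'indicators': [...], 'review': [...]} for a Windows root folder."""
    win_root = Path(win_root)
    out: dict[str, list[str]] = {"indicators": [], "review": []}
    lowsec = win_root / "windows" / "system32" / "lowsec"  # case-insensitive on NTFS
    if lowsec.is_dir():
        out["indicators"].append(f"lowsec folder present: {lowsec}")
        for name in LOWSEC_FILES:
            f = lowsec / name
            if f.is_file():
                out["indicators"].append(f"{name} present, {f.stat().st_size} bytes")
    # The owner renamed iexplore.exe to stop the streamed music; its absence
    # on an XP box is worth a look either way (assumption, not a Zbot signature).
    ie = win_root / "Program Files" / "Internet Explorer" / "iexplore.exe"
    if not ie.is_file():
        out["review"].append("iexplore.exe missing or renamed")
    # The post suspected a counterfeit here: list binaries for signature/hash
    # verification rather than flagging a legitimate product outright.
    toolbar = win_root / "Program Files" / "Google" / "GoogleToolbarNotifier"
    if toolbar.is_dir():
        for p in sorted(toolbar.iterdir()):
            if p.suffix.lower() in (".exe", ".dll"):
                out["review"].append(f"verify signature/hash: {p.name}")
    return out

def demo() -> dict[str, list[str]]:
    """Constructed sample tree (not a real capture) mimicking the infected box."""
    root = Path(tempfile.mkdtemp())
    lowsec = root / "windows" / "system32" / "lowsec"
    lowsec.mkdir(parents=True)
    (lowsec / "local.ds").write_bytes(b"\x00" * 16)  # placeholder content
    (lowsec / "user.ds").write_bytes(b"\x00" * 8)
    toolbar = root / "Program Files" / "Google" / "GoogleToolbarNotifier"
    toolbar.mkdir(parents=True)
    (toolbar / "GoogleToolbarNotifier.exe").write_bytes(b"MZ")  # constructed stub
    return find_zbot_indicators(root)

if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, "->", items)
```

Because winlogon.exe holds the .ds files open, the check is only meaningful from an offline mount; on the live system the files are present but undeletable, as the post describes.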

Here (at forums.techguy.org) is a story of a guy whose wife got a phony popup asking for personal id info when she went to her usual bank web site, after a 'Spyware Protect 2009' infection.

A web search on "Spyware Protect 2009" reveals many computer forum dialogs of Windows 'gurus' trying to help people clean up their computers to a usable state. Alas, as pointed out below, it will usually be necessary to re-install a clean (but still vulnerable) copy of the operating system.

Don't let anyone shame you into blaming yourself for not updating your antivirus software. Most of these victims had antivirus software. No doubt many had auto-updating turned on.

The anti-virus software did not catch the virus, and the software could not clean it up. The anti-virus writers cannot keep up with the variants of these viruses, as I pointed out in my previous infection blog post (2007).

    [The 2007 infection was on a Microsoft ME operating system. This 2009 infection was on a different computer, with a Microsoft XP operating system. Microsoft is not making headway in virus protection, from major release to major release.]

The proper solution is a better operating system. Microsoft is the real point of failure. In this posting, I mention several basic things Microsoft should do. Way late now. Thousands upon thousands have had their private data stolen.

Some lessons learned - from my experience, and from the experiences of others :

I can't believe how Microsoft can claim to be concerned about security. Microsoft lets people on the other side of the world alter the files on our systems, but Microsoft is afraid to let us users have a way to remove these files --- to at least limit the immediate damage. Microsoft is more concerned about the computer owners corrupting the operating system (and inconveniencing Microsoft with problem reports), than about scammers corrupting the owners' machines. There are other operating systems that do not leave the system directories and system files 'wide open' to additions and overlays -- namely Linux and Apple Mac.

    [For god's sake, Microsoft does not even allow for setting file permissions in Windows XP Home so we can lock out the scammers. Like my son says to my wife, use a Mac, like he does. I am planning to go to Mandriva Linux. This incident convinces me to do it sooner rather than later.]

The only real way to get back to some semblance of normalcy is to back up user files and re-install a more secure operating system --- preferably an operating system on which file permissions can be set. I had to go through this copy-user-files-and-reinstall exercise a few years ago, on a Windows ME machine, as described in my 2007-infection blog post. It's a painful process. Requires man-days, not just a man-hour or two.

As mentioned above, there are many forums where Windows-virus gurus help users TRY to "clean" their operating systems. But they usually end like this bleepingcomputer.com forum thread, saying

    "I'm hoping that we don't have to [re-install the operating system]. However ... the infected files cannot be repaired. If system files are infected, then we have no choice."

And on this bleepingcomputer.com forum page, we see the concluding advice

    One or more of the identified infections is a backdoor trojan.

    This allows hackers to remotely control your computer, steal critical system information and download and execute files.

    I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

    Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS [operating system].

For those not willing to leave Microsoft Windows :

My wife is not a computer expert and is pretty resistant to trying anything that doesn't look/act almost exactly like the computer she uses at work. So I will have to re-install a Microsoft Windows operating system on her computer. Luckily, I still have the XP recovery disk that came with her computer. (I stored that disk in a special drawer, after I bought and set up the computer for her.)

It seems Windows XP Pro may be a partial answer to providing more file protection, because it allows setting permissions on files [although, by default, it will probably be 'wide open' --- running users in 'administrator' mode, by default]. But XP Pro (and Vista) probably has the same problems as XP Home --- such as not allowing the user to do a "forced delete" of files on his own system -- and probably has an 'inadequate' safe mode.

While we owners are discouraged by Microsoft, in multiple ways (like hiding system directories by default), from touching the system directories, files can be added and accessed by someone in Russia, China, Detroit, or wherever, over the Internet. People should be suing Microsoft. These insecurities have gone on too long.

I considered trying the ZbotKiller [Kaspersky Labs]. But I have no doubt that I will eventually have to wipe the drive (install a new OS).

I went through a similar trojan-horse removal exercise, described in the afore-mentioned 2007 blog post, several years ago on a Windows ME machine.

The OS was infected with a 'desktop.exe' virus. In that case too, the main files of the infection were in a 'windows' system directory and could not be easily removed. At least I could remove most of the bad files in 'safe' mode, but I could not clean everything. Internet Explorer and related system components remained 'flaky'. I had to back up and re-install the OS from CD's supplied with the machine.

This infection is even more resistant to deletion. So I am resigned to re-installing XP. This time though, I am going to set up a userid for my wife to use, separate from the default user (= administrator) id that comes with the installation. Also, I plan to install a better firewall than the Microsoft Windows firewall, like the Sunbelt Personal Firewall.

In summary, this is a revolting mess. There are going to be huge disruptions to people's lives --- not only in dealing with fixing their Microsoft operating systems --- but also in dealing with the theft of their personal information --- including userids, passwords, and identity information. And that information is, no doubt, being passed around and sold as you read this, or long before you read this.

Based on what I have experienced and on what I know about non-Microsoft operating systems (alternative security setups), I know that Microsoft should be held accountable for many of these losses.


Posted 2009 Mar 17.
A few introductory paragraphs added 2009 Aug 07.
Added page breaks for better printing 2009 Aug 11.
Minor format changes 2013 Apr 16.