
Trojan.Spy.Zeus.W


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Trojan.Spy.Zeus.W is also known as Trojan-Spy.Win32.Zbot.sot, PWS:Win32/ZBot.M.

Explanation:

The malware uses the icon of a *.chm file (Microsoft Compiled HTML Help File). This is a social engineering technique to trick the user into launching the infection. The file is usually sent as an attachment to spam email.

The malware arrives encrypted; beneath the protection layer is Trojan.Spy.Zeus.C.
The virus injects code into winlogon.exe, allowing it to create files undetected and run on the computer without the user's knowledge.
It copies itself to
%WINDIR%\system32\sdra64.exe
(with a different file size) and creates the "lowsec" folder, containing 3 files of encrypted data. These files are not visible in Windows Explorer even with the option to show hidden and system files enabled.

In order to run at every reboot, the malware modifies the
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
registry value, so the persistence is not visible under a normal Run key check. The malware also creates the following mutex
__SYSTEM__64AD0625__
on the infected machine. The malware has the capability to be used for stealing information, remote control or spamming.
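The Userinit hijack described above can be checked from a saved registry export or a live host. The following is an added example (not part of the BitDefender description) that parses a Winlogon\Userinit value, expands %WINDIR%/%SystemRoot% from a supplied mapping, and flags any executable other than userinit.exe; the sample values are constructed.

```python
import ntpath
import re

# On a clean system the Userinit value lists only userinit.exe (assumption for
# this example; the path prefix varies with %SystemRoot%).
EXPECTED_USERINIT = {"userinit.exe"}


def parse_userinit(value):
    """Split a Winlogon\\Userinit value into its comma-separated executables.

    The default value carries a trailing comma, which yields an empty entry
    that is dropped here.
    """
    return [item.strip().strip('"') for item in value.split(",") if item.strip()]


def expand_env(path, env):
    """Expand %VAR% references (case-insensitive, like Windows) from `env`.

    Unknown variables are left as-is so they still show up in the output.
    """
    return re.sub(
        r"%([^%]+)%",
        lambda m: env.get(m.group(1).upper(), m.group(0)),
        path,
    )


def suspicious_userinit_entries(value, env):
    """Return fully expanded paths in Userinit that are not userinit.exe.

    Zeus appends its dropped copy (sdra64.exe) to this value so it is loaded
    at every logon without touching the Run keys.
    """
    flagged = []
    for entry in parse_userinit(value):
        full = expand_env(entry, env)
        if ntpath.basename(full).lower() not in EXPECTED_USERINIT:
            flagged.append(full)
    return flagged


if __name__ == "__main__":
    # Constructed sample: the value as left by the Zeus dropper.
    sample = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"
    env = {"WINDIR": r"C:\WINDOWS", "SYSTEMROOT": r"C:\WINDOWS"}
    for path in suspicious_userinit_entries(sample, env):
        print("unexpected Userinit entry:", path)
```

Entries are compared by base name only, so a renamed copy placed at a different path is still reported; any hit should be confirmed against the sdra64.exe / lowsec artifacts listed above.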

Last update 21 November 2011
