Trojan.Spy.ZBot.UO
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Trojan.Spy.ZBot.UO is also known as Trojan-Spy.Win32.Zbot.gen, PWS:Win32/Zbot.PM and W32/Zbot.AA.
Explanation :
The sample often carries the icon of a *.chm file (Microsoft Compiled HTML Help file) or another familiar icon. This is a social-engineering trick to get the user to launch the infection; the file is usually delivered as an attachment to spam e-mail.
The malware arrives encrypted; beneath the protective layer is Trojan.Spy.ZBot.UI.
The trojan injects code into winlogon.exe, so that its file creation and internet connections appear to come from a trusted system process and it runs without the user's knowledge.
It copies itself to
%WINDIR%\system32\sdra64.exe
(the copy differs in size from the original dropper) and creates a "lowsec" folder in the same directory containing three files of encrypted data. These files are not visible in Windows Explorer, even with the option to show hidden and system files turned on.
To run at every reboot, the malware modifies the
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
registry value, so the persistence is not found by checking only the usual Run keys. The malware also creates the mutex
__SYSTEM__64AD0625__
on the infected machine.

Last update: 21 November 2011
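The persistence, dropped-file and mutex indicators described above can be checked on a suspect host with the following PowerShell script. It is an added example, not BitDefender's code and not anything taken from the malware: the indicator values (sdra64.exe, the lowsec folder, the Userinit value, the mutex name) are those given in the description, while the expected clean Userinit value, the attempt to open the mutex in the Global\ namespace and the use of .NET's Mutex.TryOpenExisting are the script's own assumptions.

```powershell
<#
  Added triage script (not BitDefender's code): looks for the Trojan.Spy.ZBot.UO
  indicators described on this page. Run from an elevated PowerShell prompt.
  Indicator values come from the description; the rest is an assumption.
#>
$ErrorActionPreference = 'Stop'

$WinlogonKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$System32     = Join-Path $env:WINDIR 'system32'
$ExpectedInit = Join-Path $System32 'userinit.exe'   # assumed clean Userinit entry
$Indicators   = @{
    Dropper = Join-Path $System32 'sdra64.exe'
    Lowsec  = Join-Path $System32 'lowsec'
    Mutex   = '__SYSTEM__64AD0625__'
}
$findings = New-Object System.Collections.Generic.List[string]

# 1. Persistence. Userinit is a comma-separated list that winlogon.exe starts at
#    logon; a clean value holds only "<windir>\system32\userinit.exe,". Anything
#    appended after the comma is started as well, without touching the Run keys.
$userinit = (Get-ItemProperty -LiteralPath $WinlogonKey -Name Userinit).Userinit
$entries  = @($userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
foreach ($entry in $entries) {
    $resolved = [Environment]::ExpandEnvironmentVariables($entry)
    if ($resolved -ine $ExpectedInit) {
        $findings.Add("Userinit carries an extra entry: '$entry'")
    }
}

# 2. Dropped files. The malware hides them from Explorer, and a live shell on the
#    infected box may be lied to in the same way, so only a positive result here
#    is conclusive. A negative should be confirmed from outside the running OS
#    (WinPE or an offline mount of the disk).
foreach ($name in 'Dropper', 'Lowsec') {
    $path = $Indicators[$name]
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force
        $findings.Add("$name present: $path (attributes: $($item.Attributes))")
    }
}

# 3. Mutex. Try the session-local name and the Global\ namespace, because the
#    injected winlogon.exe runs in session 0 (assumption). An access-denied error
#    also means the object exists; only "not found" (TryOpenExisting returns
#    $false) is a clean answer.
foreach ($candidate in $Indicators.Mutex, "Global\$($Indicators.Mutex)") {
    $m = $null
    try {
        if ([System.Threading.Mutex]::TryOpenExisting($candidate, [ref]$m)) {
            $m.Dispose()
            $findings.Add("Mutex present: $candidate")
        }
    } catch [System.UnauthorizedAccessException] {
        $findings.Add("Mutex present (access denied): $candidate")
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Trojan.Spy.ZBot.UO indicators found (live check; see caveats in comments).'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

The Userinit check is the one worth keeping in a general triage kit: any value other than the single userinit.exe entry is suspicious regardless of which family added it. The file checks are only trustworthy as positives when run on the live system, because the description notes that the dropped files are hidden from Explorer's own enumeration; a clean result should be re-checked against the disk from outside the infected OS.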