
Trojan.Spy.ZBot.EPU


First posted on 21 November 2011.
Source: BitDefender

Aliases :

There are no other names known for Trojan.Spy.ZBot.EPU.

Explanation :

At execution this malware creates a folder with a random name in "%Documents and Settings%\%user name%\Application Data" and then copies itself into the newly created folder under a new random name (e.g. "Ihikayqa.exe", "Mytuarkik.exe", ...).

It then executes the newly created copy, which drops a batch file that deletes the original file and then the batch file itself. After this, the new process injects malicious code into various running processes (e.g. "explorer.exe", "ctfmon.exe", ...). This allows the malware to run its code and connect to the internet, to send private data or to download other malware, invisibly to the user. Once the code injection is complete, this process exits.

From the injected code it creates a new registry value under the "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" registry key in order to restart the malware after each reboot. This registry value is recreated continuously, so the user is unable to delete it.
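A defender-side check for the persistence layout described above, added here as an example (not from the original page or from BitDefender): a Python heuristic that scans a snapshot of HKCU Run values for a command that points at a random-looking .exe inside a random-looking subfolder of Application Data. The sample Run values, the vendor allowlist and the function names are assumptions constructed for the example.

```python
import re

# Constructed snapshot of HKCU\Software\Microsoft\Windows\CurrentVersion\Run
# values (value name -> command line); sample data, not taken from a real host.
SAMPLE_RUN_VALUES = {
    "Ihikayqa": r'"C:\Documents and Settings\alice\Application Data\Ukuq\Ihikayqa.exe"',
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "Adobe Reader Speed Launcher": r'"C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"',
    "Mytuarkik": r"C:\Documents and Settings\alice\Application Data\Rypo\Mytuarkik.exe",
}

# Matches <drive>:\Documents and Settings\<user>\Application Data\<folder>\<file>.exe,
# optionally wrapped in double quotes (the XP-era layout named on the page).
APPDATA_EXE = re.compile(
    r'^"?(?P<path>[A-Za-z]:\\Documents and Settings\\[^\\]+\\Application Data\\'
    r'(?P<folder>[^\\]+)\\(?P<file>[^\\"]+\.exe))"?',
    re.IGNORECASE,
)

# Assumed allowlist of vendor folders that legitimately live under Application Data.
KNOWN_FOLDERS = {"microsoft", "google", "mozilla", "adobe"}


def looks_random(name: str) -> bool:
    """Heuristic: the dropped names are short, letters-only pseudo-words
    ('Ukuq', 'Ihikayqa'), unlike vendor names or names with digits/spaces."""
    return name.isalpha() and 3 <= len(name) <= 12 and name.lower() not in KNOWN_FOLDERS


def flag_suspicious_run_values(run_values: dict) -> list:
    """Return the names of Run values whose command points at an .exe with a
    random-looking stem inside a random-looking subfolder of Application Data.
    Hits are triage candidates, not verdicts: a legitimate app using the same
    layout would also match."""
    flagged = []
    for value_name, command in run_values.items():
        m = APPDATA_EXE.match(command.strip())
        if not m:
            continue
        folder = m.group("folder")
        stem = m.group("file")[:-len(".exe")]
        if looks_random(folder) and looks_random(stem):
            flagged.append(value_name)
    return flagged


if __name__ == "__main__":
    for name in flag_suspicious_run_values(SAMPLE_RUN_VALUES):
        print(f"suspicious Run value: {name} -> {SAMPLE_RUN_VALUES[name]}")
```

Because the page notes the value is recreated continuously, a single deletion is not a useful response; the flagged value is a pointer to the injected host process that needs to be stopped first.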

Last update 21 November 2011
