Home Malware Programs Trojans Trojan.Zbot

Trojan.Zbot

Posted: March 4, 2007

Threat Metric

Ranking: 16,603
Threat Level: 8/10
Infected PCs: 5,127
First Seen: July 24, 2009
Last Seen: October 5, 2023
OS(es) Affected: Windows

Trojan.Zbot is a broad subtype of backdoor Trojans that steal passwords and other confidential information, while also weakening the security of the infected PC. Because Trojan.Zbot encompasses many different Zbot variants, such as Trojan-Spy.Win32.Zbot.apqa, TSPY_ZBOT.FAZ, Trojan-Spy.Win32.Zbot.boux or Trojan-Spy.Win32.Zbot.bfur, the symptoms of a Trojan.Zbot infection can be very diverse or, in some cases, nonexistent. However, SpywareRemove.com malware research team have found all variants of Trojan.Zbot to be extremely dangerous, and the majority of Trojan.Zbot infections will seek to harvest specific information that's related to account logins or finances. If you suspect that a Trojan.Zbot Trojan has compromised your computer, be ready to take extreme measures, including use of advanced anti-malware software, to remove Trojan.Zbot and shut down the violation of your privacy.

How Trojan.Zbot Creeps into Your PC with Zero Suspicion

Trojan.Zbot Trojans and other forms of backdoors have been noted for using deceptive methods of infecting PCs, but SpywareRemove.com malware researchers have noticed a particular rise in advanced social engineering tactics to spread Trojan.Zbot. Common ways of being infected by Trojan.Zbot can include:

  • Social networking links. Variants of Trojan.Zbot may disguise themselves in the form of fake video or pictures files, or use compromised accounts to send themselves to social contacts. Facebook is an especially popular target for certain variants of Trojan.Zbot, such as TSPY_ZBOT.FAZ. Never download a file, even if it's sent by a friend, unless you're certain that it's legitimate.
  • Fake software updates. Adobe Flash updates, codec updates and general movie player updates are all exploited to install Trojan.Zbot and other Trojans. Never acquire software updates from unofficial or disreputable sources, and always navigate to official websites by typing the URL rather than following links that have been given to you.
  • Fake infection alerts. These warnings are often embedded in fake online scanners that trigger automatically, and are a primary distribution method for rogue security software, as well as Trojans that install scamware.

What Happens in the Aftermath When Trojan.Zbot Hits

Variants of Trojan.Zbot Trojans may show different symptoms, and many may show no symptoms at all. However, SpywareRemove.com malware experts have found the following traits to be extremely common, based on standard operating procedures for typical Trojan.Zbot infections:

  • Trojan.Zbot will launch itself and remain active without permission and may use some method to conceal itself, such as by renaming itself after a normal system file or even by using advanced techniques to inject its code into system processes. These hiding attempts can be noted if you look for extra memory processes or unusual memory usage for a process.
  • Trojan.Zbot may open your network ports and disable or alter your firewall to allow free networking traffic.
  • Other security programs besides your firewall may also be blocked by Trojan.Zbot; these blockades may use fake error messages to trick you into thinking that these programs are infected.
  • Browser hijacks may redirect you to phishing websites or other harmful sites that try to steal private information, such as your credit card number or account password. Browser hijacks can be noticed when your web browser redirects itself to a strange website, when your homepage settings are changed or when pop-ups appear without explanation.

Because most Trojan.Zbot Trojans that SpywareRemove.com malware researchers are familiar with have a tendency to focus on stealing passwords and financial data (such as Bank of America account data), you should consider any possible Trojan.Zbot attack an extreme threat and react with appropriate caution.

Aliases

Generic7_c.BULS [AVG]W32/Bublik.AKIQ!tr [Fortinet]Backdoor.Win32.DarkKomet [Ikarus]Trojan/Win32.Jorik [AhnLab-V3]Heuristic.BehavesLike.Win32.Suspicious-BAY.S [McAfee-GW-Edition]TR/Rogue.8877826.1 [AntiVir]Trojan.PWS.Stealer.1932 [DrWeb]Trojan.Win32.Bublik.akiq [Kaspersky]AutoIt:MalOb-J [Trj] [Avast]Artemis!1C946EE5948C [McAfee]Generic32.CDAA [AVG]Trojan.Win32.Spy2 [Ikarus]Trojan.PWS.Multi.1119 [DrWeb]Trojan-Dropper.Win32.Agent.hjwv [Kaspersky]W32/Jorik_Zbot.PLC!tr [Fortinet]
More aliases (674)

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:



%APPDATA%\Default Folder\Default File.exe File name: Default File.exe
Size: 279.07 KB (279072 bytes)
MD5: 5fa02bc9691141176fc57bdce0bb534b
Detection count: 438
File type: Executable File
Mime Type: unknown/exe
Path: %APPDATA%\Default Folder
Group: Malware file
Last Updated: July 21, 2016
%APPDATA%\Default Folder\GoogleUpdate.exe File name: GoogleUpdate.exe
Size: 279.07 KB (279072 bytes)
MD5: de75d9858dd25f83ee666c4890367023
Detection count: 368
File type: Executable File
Mime Type: unknown/exe
Path: %APPDATA%\Default Folder
Group: Malware file
Last Updated: July 21, 2016
%APPDATA%\ace.exe.exe File name: ace.exe.exe
Size: 358.17 KB (358176 bytes)
MD5: 2af6923df61c3800fb4957cd5163646d
Detection count: 276
File type: Executable File
Mime Type: unknown/exe
Path: %APPDATA%
Group: Malware file
Last Updated: July 7, 2017
%APPDATA%\Default Folder\sys_config.exe File name: sys_config.exe
Size: 278.56 KB (278560 bytes)
MD5: 2c770a08cf50a31e138aa505c81a8cb4
Detection count: 89
File type: Executable File
Mime Type: unknown/exe
Path: %APPDATA%\Default Folder
Group: Malware file
Last Updated: July 21, 2016
file.exe File name: file.exe
Size: 127.01 KB (127010 bytes)
MD5: ddff58440405b2efcd1a0c9526030712
Detection count: 86
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: October 7, 2016
file.exe File name: file.exe
Size: 270.33 KB (270336 bytes)
MD5: 431ceaa2baef14549d3fc9959b33f872
Detection count: 73
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: July 11, 2017
file.exe File name: file.exe
Size: 376.83 KB (376832 bytes)
MD5: f59734c38a813c39afc56c1821ed2f73
Detection count: 72
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: May 5, 2017
file.exe File name: file.exe
Size: 889.85 KB (889856 bytes)
MD5: bca3e9732a8773753c96ed33477183d4
Detection count: 62
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: April 12, 2017
file.exe File name: file.exe
Size: 188.41 KB (188416 bytes)
MD5: 1e76d0e3d7c1ecc56ab0036ea0e3b16c
Detection count: 62
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: July 14, 2017
file.exe File name: file.exe
Size: 270.33 KB (270336 bytes)
MD5: 829d8db0a02b42ebb83f69270e866f5c
Detection count: 61
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: September 26, 2016
%APPDATA%\Default Folder\Elgato.exe File name: Elgato.exe
Size: 280.09 KB (280096 bytes)
MD5: d9a57b7f55011099f22eac398f8683a3
Detection count: 47
File type: Executable File
Mime Type: unknown/exe
Path: %APPDATA%\Default Folder
Group: Malware file
Last Updated: July 21, 2016
%APPDATA%\ace.exe.exe File name: ace.exe.exe
Size: 168.14 KB (168149 bytes)
MD5: fc504bb9ddd9108d5ef6ec00e1175a28
Detection count: 47
File type: Executable File
Mime Type: unknown/exe
Path: %APPDATA%
Group: Malware file
Last Updated: July 7, 2017
file.exe File name: file.exe
Size: 119.13 KB (119138 bytes)
MD5: 2fae551124df3827bbe80db1faaa301f
Detection count: 42
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: February 18, 2022
%APPDATA%\Default Folder\Defcon.exe File name: Defcon.exe
Size: 562.17 KB (562176 bytes)
MD5: 02dbd6164feb882e0c5fbd546ded3781
Detection count: 30
File type: Executable File
Mime Type: unknown/exe
Path: %APPDATA%\Default Folder
Group: Malware file
Last Updated: July 21, 2016
file.exe File name: file.exe
Size: 434.17 KB (434176 bytes)
MD5: 6507c499f9f66673de194ecf2b1b0c0c
Detection count: 15
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: November 3, 2016
file.exe File name: file.exe
Size: 312.83 KB (312832 bytes)
MD5: 4d7f59a1fdf8524ef18f984530c7b095
Detection count: 15
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: October 30, 2017
file.exe File name: file.exe
Size: 663.55 KB (663552 bytes)
MD5: eda57630f1f05be1349bd894b55ddc8c
Detection count: 13
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: November 8, 2016
%WINDIR%\SysWOW64\ntos.exe File name: ntos.exe
Size: 1.11 MB (1112576 bytes)
MD5: 9893493ec0578ac0194366a4e027e829
Detection count: 5
File type: Executable File
Mime Type: unknown/exe
Path: %WINDIR%\SysWOW64
Group: Malware file
Last Updated: April 28, 2016
file.exe File name: file.exe
Size: 201.72 KB (201728 bytes)
MD5: 41176e654dc58bce22ab124c9bba4bd2
Detection count: 2
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: October 17, 2017
file.exe File name: file.exe
Size: 359.94 KB (359941 bytes)
MD5: 8674aea8a06a15702e8f7e73b1bd5399
Detection count: 1
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: June 18, 2017
file.exe File name: file.exe
Size: 405.5 KB (405504 bytes)
MD5: 0efa791652688dba9b98a058f34f3fc8
Detection count: 1
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: January 21, 2018
C:\Users\<username>\AppData\Roaming\Notepad++\plugins\config\NppFTP\shortcuts.exe File name: shortcuts.exe
Size: 160.76 KB (160768 bytes)
MD5: 5cb5a2617939cc2428f4f24b9f56421f
Detection count: 0
File type: Executable File
Mime Type: unknown/exe
Path: C:\Users\<username>\AppData\Roaming\Notepad++\plugins\config\NppFTP\shortcuts.exe
Group: Malware file
Last Updated: January 21, 2018

More files

Registry Modifications

The following newly produced Registry Values are:

Regexp file mask%APPDATA%\Microsoft\Windows\ScreenToGif\netprotocol.exe%USERPROFILE%\winsvcs.exeHKEY..\..\{Value}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "%System%\userinit.exe, %System%\sdra64.exe"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\..{RunKeys}HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"userinit" = "%UserProfile%\Application Data\sdra64.exe"

Additional Information

The following URL's were detected:
2sdfhs8d7fsh34d8f7s.org51qn.netav4321.usbatmu.cnclicksurfcash.netcrisis1s.comfordearfriends.comhotdomainworld.infokakajz.cnlilj.ussfqjsf.cnskp360.com

Related Posts

3 Comments

  • KIS 2012 says:

    I'm using Kaspersky in both my laptop and desktop. I previously used the antivirus version and it didn't use that much memory as much as the internet security version doesn. So, i again installed the antivirus version but I don't see much difference. My desktop has only 256RAM. I can't do anything else if I open 2 application. But I can't rely on other antivirus softwares because their detection rate suck. (believe me, I'm an antivirus pro). So. What should I do now?

  • Pasquale Alagna says:

    When I first started to expeirence the dreaded Win 7 Anti Virus pop ups, I created a new admin profile and deleted the infected one. The profile is working fine but my fire wall is turned off. It gives me a error message when I try to turn it back on. I tried to delete its registry entires but there is only about 5 of them and when I right click on them the delete option is not available.<br />When I click to the space to the right it says "default" and there is a option available when I right click to delete. These are the five entries that I see.<br />HKEY_CLASSES_ROOT<br />HKEY_CURRENT_USER<br />HKEY_LOCAL_MACHINE<br />HKEY_USERS<br />HKEY_CURRENT_CONFIG<br />The message to the right of these entries does not change when I click on the different HKEY's. Should I delete this message to the right? Is this the virus? What should I do?

  • Andie says:

    I have this virus in my pc and I run the pc with microsoft security essentials. It recognized the virus and says it's removed but when I run the antivirus again it's always the same. I also can't open antivirus websites so my question is can I install spyhunter without unninstal microsoft security essentials or should I unninstal it?
    Thanks and sorry for my english

Loading...