
Troj/Zbot-BWI

Posted: May 15, 2012

Threat Metric

Threat Level: 9/10
Infected PCs: 5
First Seen: May 15, 2012
Last Seen: September 17, 2019
OS(es) Affected: Windows

Troj/Zbot-BWI is a backdoor Trojan that may also include spyware and virus-like characteristics, in keeping with the usual capabilities of Zbot family Trojans. Like most members of its family, Troj/Zbot-BWI is distributed by spam e-mail campaigns posing as notifications from a mail delivery service about a failed delivery attempt. Because genuine delivery companies don't send unsolicited e-mails carrying file attachments like the one that installs Troj/Zbot-BWI, you should feel comfortable identifying and deleting these fraudulent messages as soon as they land in your inbox. Because Troj/Zbot-BWI can utilize a variety of code-injection techniques to conceal itself and may be installed alongside a second PC threat (identified as Mal/BredoZp-B), SpywareRemove.com malware experts recommend using dedicated anti-malware programs to detect and remove Troj/Zbot-BWI and any other Trojans that may have arrived with it.

Why You Shouldn't Have Any Interest in Unwrapping Troj/Zbot-BWI's Package

Troj/Zbot-BWI uses the common scam of being attached to fraudulent shipping and delivery notices to lure victims into opening a .zip file that encloses both Troj/Zbot-BWI and Mal/BredoZp-B. The latest template Troj/Zbot-BWI uses continues to rely on the same 'DHL Package delivery status' lure that's common to other members of its family. The real DHL does not send unsolicited e-mails asking you to open a file attachment to learn the status of a package, precisely because of the security risk that file attachments pose. However, if you're unaware of this, open the .zip file attached to Troj/Zbot-BWI's e-mail message and run the executable inside it, your computer will be infected by both Troj/Zbot-BWI and Mal/BredoZp-B.
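As an added illustration of the delivery route described above (example code written for this page, not part of the original article or of any vendor's tool), the following Python script inspects a .zip attachment without extracting or running it, the way a mail-gateway filter would. It flags members with executable extensions, double extensions such as .pdf.exe, and members whose first two bytes are the MZ header of a Windows executable regardless of their name; it also reports members it cannot read because the archive is password-protected, since that is how such lures evade inspection. The archives it builds are constructed stand-ins, not the real Troj/Zbot-BWI lure.

```python
"""Gateway-style triage of a .zip mail attachment (constructed example, not the real lure)."""
import io
import zipfile

# Extensions Windows will execute directly when a user double-clicks them.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def inspect_zip(data: bytes) -> list:
    """Return a list of findings for a zip held in memory; [] means nothing suspicious."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["attachment is not a valid zip archive"]
    with archive:
        for info in archive.infolist():
            name = info.filename
            if name.endswith("/"):          # directory entry, nothing to inspect
                continue
            parts = name.rsplit("/", 1)[-1].lower().split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext in EXECUTABLE_EXTS:
                findings.append(f"{name}: executable extension {ext}")
                if len(parts) > 2:          # e.g. status.pdf.exe
                    findings.append(f"{name}: double extension hides the real type")
            if info.flag_bits & 0x1:        # bit 0 of the general-purpose flags = encrypted
                findings.append(f"{name}: encrypted member, contents cannot be inspected")
                continue
            with archive.open(info) as member:
                head = member.read(2)
            if head == b"MZ" and ext not in EXECUTABLE_EXTS:
                findings.append(f"{name}: Windows executable (MZ header) despite non-executable name")
    return findings


def is_suspicious(data: bytes) -> bool:
    """Gateway verdict: any finding at all means quarantine rather than deliver."""
    return bool(inspect_zip(data))


def build_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used only to construct the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buf.getvalue()


# Constructed stand-in for a PE file: the MZ signature followed by padding. Not real malware.
FAKE_PE = b"MZ" + b"\x90" * 126

# Constructed lure modelled on the 'DHL Package delivery status' template.
LURE_ZIP = build_zip({
    "DHL_Package_delivery_status.pdf.exe": FAKE_PE,  # dropper behind a double extension
    "tracking_details.doc": FAKE_PE,                 # executable behind a document name
})

# A harmless attachment for comparison.
BENIGN_ZIP = build_zip({"delivery_note.txt": b"Your parcel will arrive on Monday.\n"})


if __name__ == "__main__":
    for label, blob in (("lure", LURE_ZIP), ("benign", BENIGN_ZIP)):
        print(f"{label}: {'SUSPICIOUS' if is_suspicious(blob) else 'clean'}")
        for finding in inspect_zip(blob):
            print("  -", finding)
```

The check reads only the first two bytes of each member, so it costs almost nothing per message; an encrypted archive is reported rather than silently passed, because a gateway that cannot look inside should not vouch for the contents.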

SpywareRemove.com malware analysts have confirmed that both Mal/BredoZp-B and Troj/Zbot-BWI belong to Trojan families that typically include functions for downloading additional PC threats, which makes a quick response to an infection by the above route essential to stop the attack from snowballing. Even by itself, Troj/Zbot-BWI may engage in extremely hazardous attacks such as:

  • Collecting sensitive information by using API hooks and other advanced techniques. In many cases, these attacks are targeted at FTP management programs like CoreFTP, FileZilla and Total Commander. E-mail account credentials and login data for some services (such as Windows Live) may also be targeted for theft.
  • Attacking your web browser's security by disabling a variety of baseline features, such as anti-phishing protection and IE Internet zone security settings, as well as deleting cookies. These attacks have been known to target multiple brands of browsers.
  • Allowing your PC to be controlled via remote servers. Troj/Zbot-BWI contacts these in a semi-randomized fashion, drawing its instructions from a long, fixed list of domains, so blocking any single domain does not cut off its command channel.

The Challenge in Evicting Troj/Zbot-BWI

Like other Zbot variants, Troj/Zbot-BWI may include virus-like functions that allow it to infect other .exe files on your hard drive. Even without this, Troj/Zbot-BWI's basic execution is likely to involve injecting its code into normal Windows processes such as explorer.exe or iexplore.exe, which lets it run automatically under the cover of a legitimate process rather than as a separately visible program. Other than unusual resource usage from those processes, there may be no obvious signs of a Troj/Zbot-BWI infection on your computer, which is why SpywareRemove.com malware researchers suggest the use of suitable anti-malware products to identify Troj/Zbot-BWI no matter where it is hiding.

Troj/Zbot-BWI can be removed by the same types of software that are capable of detecting it, but as a Trojan that was only identified in May 2012, Troj/Zbot-BWI is new enough that you may need to update your anti-malware scanners before they recognize it. SpywareRemove.com malware experts have only one small crumb of good news to share about Troj/Zbot-BWI so far: it is designed to attack Windows computers, so Mac, Linux and other operating systems are not affected by it directly.

Technical Details

Registry Modifications

Troj/Zbot-BWI creates the following Registry value, which makes its dropped copy (named to look like the Windows service host, but placed in the All Users profile rather than the System32 folder) start at every logon:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SunJavaUpdateSched = C:\Documents and Settings\All Users\svchost.exe

The value name imitates the legitimate Java update scheduler entry; the giveaway is the path, since the genuine svchost.exe lives in the Windows System32 folder and is started by the service control manager, not from a Run key.
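As an added check (example code written for this page, not from the original article or any vendor), the following Python script hunts for this persistence entry. On Windows it reads the HKLM and HKCU Run keys through the standard-library winreg module; elsewhere it runs over a constructed list of entries of the kind an exported .reg file or an Autoruns listing would give. It flags any autostart value whose image is a svchost.exe outside the Windows System32 or SysWOW64 folders, and any value named SunJavaUpdateSched that does not point at a Java binary. The default system-drive folders and the legitimate Java updater path in the sample data are assumptions for illustration.

```python
"""Hunt for Run-key persistence of the kind attributed to Troj/Zbot-BWI (added example)."""
import ntpath
import re
import sys

RUN_SUBKEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# The only folders a genuine svchost.exe is installed in (assumes the default system drive).
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def image_path(command: str) -> str:
    """Pull the executable path out of a Run-value command line, quoted or not."""
    cmd = command.strip()
    quoted = re.match(r'^"([^"]+)"', cmd)
    if quoted:
        return quoted.group(1)
    # Unquoted paths may contain spaces, so take everything up to the first .exe token.
    unquoted = re.match(r'^(.+?\.exe)(?:\s|$)', cmd, re.IGNORECASE)
    if unquoted:
        return unquoted.group(1)
    return cmd.split()[0] if cmd else ""


def assess(name: str, command: str) -> list:
    """Return the reasons a Run entry looks like the Zbot-BWI persistence; [] if clean."""
    reasons = []
    path = image_path(command)
    base = ntpath.basename(path).lower()
    folder = ntpath.dirname(path).lower()
    if base == "svchost.exe" and folder not in LEGIT_SVCHOST_DIRS:
        reasons.append(f"svchost.exe launched from a non-system folder: {path}")
    if name.lower() == "sunjavaupdatesched" and "java" not in path.lower():
        reasons.append(f"Java-updater value name points at a non-Java binary: {path}")
    return reasons


def collect_run_entries() -> list:
    """Read (hive, name, command) tuples from the live Run keys. Windows only."""
    import winreg  # standard library, present only on Windows
    entries = []
    for hive, label in ((winreg.HKEY_LOCAL_MACHINE, "HKLM"), (winreg.HKEY_CURRENT_USER, "HKCU")):
        try:
            key = winreg.OpenKey(hive, RUN_SUBKEY)
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, index)
                except OSError:          # raised when there are no more values
                    break
                entries.append((label, name, str(value)))
                index += 1
    return entries


# Constructed entries as if gathered from two hosts: the reported Zbot-BWI value,
# an assumed legitimate Java updater entry, and an ordinary Windows autostart.
SAMPLE_ENTRIES = [
    ("HKLM", "SunJavaUpdateSched", r"C:\Documents and Settings\All Users\svchost.exe"),
    ("HKLM", "SunJavaUpdateSched", r'"C:\Program Files\Common Files\Java\Java Update\jusched.exe"'),
    ("HKCU", "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
]


def hunt(entries: list) -> list:
    """Return (hive, name, command, reasons) for every entry that assess() flags."""
    flagged = []
    for hive, name, command in entries:
        reasons = assess(name, command)
        if reasons:
            flagged.append((hive, name, command, reasons))
    return flagged


if __name__ == "__main__":
    source = collect_run_entries() if sys.platform == "win32" else SAMPLE_ENTRIES
    for hive, name, command, reasons in hunt(source):
        print(f"[!] {hive}\\...\\Run\\{name} = {command}")
        for reason in reasons:
            print("    -", reason)
```

Matching on the value name alone would miss a variant that picks a different name, which is why the path test does the real work: a svchost.exe anywhere but the system folders is worth investigating regardless of what the value is called.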