TSPY_ZBOT.AMM

Posted: October 17, 2012

Threat Metric

The Threat Meter is a malware assessment that SpywareRemove.com's research team is able to give every identifiable malware threat. Our Threat Meter includes several criteria based off of specific malware threats to value their severity, reach and volume. The Threat Meter is able to give you a numerical breakdown of each threat's initial Threat Level, Detection Count, Volume Count, Trend Path and Percentage Impact. The overall ranking of each threat in the Threat Meter is a basic breakdown of how all threats are ranked within our own extensive malware database. The scoring for each specific malware threat can be easily compared to other emerging threats to draw a contrast in its particular severity. The Threat Meter is a useful tool in the endeavor of seeking a solution to remove a threat or pursue additional analytical research for all types of computer users.

The following fields listed on the Threat Meter containing a specific value, are explained in detail below:

Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.

Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.

Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.

Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represent no change to a threat's recent movement.

% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.

Threat Level:	9/10
Infected PCs:	64

First Seen:	October 17, 2012
Last Seen:	January 8, 2022
OS(es) Affected:	Windows

TSPY_ZBOT.AMM is a variant of Zeus (also referred to as Zbot or, more rarely Wsnpoem) that uses advanced attacks to harm your PC's security while TSPY_ZBOT.AMM steals e-mail and bank-related information. Like any variant of Zeus, TSPY_ZBOT.AMM is very difficult to detect without advanced anti-malware tools and can compromise bank accounts without any symptoms of its actions appearing on your screen. SpywareRemove.com malware researchers recommend two main forms of protection against TSPY_ZBOT.AMM: firstly, avoiding the spam e-mail messages that TSPY_ZBOT.AMM uses to distribute itself, and secondly, deleting TSPY_ZBOT.AMM with anti-malware software if your computer has been compromised.

How Keeping Abreast of Your Updates Can Land You in TSPY_ZBOT.AMM's Clutches

TSPY_ZBOT.AMM uses e-mail to distribute itself through a second piece of malware that's identified as TSPY_FAREIT.SMC. E-mail messages that distribute TSPY_ZBOT.AMM and other Zeus variants claim to be WebEx conference invitations or PayPal transaction links. In either case, clicking the link will take you to a fake update site for Adobe's Flash software. SpywareRemove.com malware researchers have found that this site is outlined to appear very similar to the real one and emphasize that you should avoid blindly following e-mail links to websites that offer downloads.

Downloading this file infects your PC with TSPY_FAREIT.SMC, which also includes some FTP account-based spyware functions, in addition to being able to install variants of Zeus. At this time, TSPY_ZBOT.AMM and TSPY_ZBOT.LAG Trojans are the only variants that SpywareRemove.com malware analysts have found to use this distribution strategy.

TSPY_ZBOT.AMM is designed to steal information that's related to bank accounts and may use HTML injection (AKA man-in-the-browser or MitB) attacks to assist with this goal. SpywareRemove.com malware researchers warn that you also should consider other forms of personal data at risk such as passwords for other accounts, e-mail addresses and personal identity information. Cookies (temporary files that are websites use to store user-specific data) and address books are explicitly targeted for theft by TSPY_ZBOT.AMM. As sophisticated spyware, TSPY_ZBOT.AMM doesn't show any visible symptoms.

Prying TSPY_ZBOT.AMM Off of Every One of Your Memory Processes

As can be expected from a spinoff from Zeus, TSPY_ZBOT.AMM uses multiple means to hide itself from both human eyes and security software. By default, TSPY_ZBOT.AMM injects itself into, not just one, but all memory processes, which ensures that TSPY_ZBOT.AMM will remain resident-in-memory and complicate its removal. TSPY_ZBOT.AMM also bypasses the default Windows firewall and modifies Internet Explorer's settings in security-decreasing ways.

You should try to disable TSPY_ZBOT.AMM before you make any attempts to remove TSPY_ZBOT.AMM completely. For their part, SpywareRemove.com malware research team recommends loading your OS from a clean USB drive and then booting into Safe Mode. This will provide you with a clean environment from which you can use anti-malware programs to delete TSPY_ZBOT.AMM.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

%User Profile%\Application Data\Microsoft\Address Book\{username}.wab

File name: %User Profile%\Application Data\Microsoft\Address Book\{username}.wab
Mime Type: unknown/wab
Group: Malware file

%User Profile%\Application Data\{RANDOM 2}\{RANDOM }.{RANDOM }

File name: %User Profile%\Application Data\{RANDOM 2}\{RANDOM }.{RANDOM }
Mime Type: unknown/{RANDOM }
Group: Malware file

%User Profile%\Application Data\{RANDOM1}\{RANDOM}.exe

File name: %User Profile%\Application Data\{RANDOM1}\{RANDOM}.exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

Registry Modifications

The following newly produced Registry Values are:

HKEY..\..\{CLSID Path}HKEY_CURRENT_USER\Software\Microsoft\{RANDOM}HKEY..\..\{Value}HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run {GUID} = "%User Profile%\Application Data\{RANDOM1}\{RANDOM}.exe"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PrivacyCleanCookies = "0"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List{port}:UDP = "{port}:UDP:Enabled:UDP {port}"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List{port}:TCP = "{port}:TCP:Enabled:TCP {port}"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List%Windows%\explorer.exe = "%Windows%\explorer.exe:*:Enabled:Windows Explorer"HKEY..\..\..\..{Subkeys}HKEY_CURRENT_USER\Software\Microsoft\WABHKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy