
TSPY_ZBOT.SMQH

Posted: October 25, 2011

Threat Metric

Threat Level: 8/10
Infected PCs: 73
First Seen: October 25, 2011
OS(es) Affected: Windows

TSPY_ZBOT.SMQH is a new version of the spyware and backdoor Trojan Zeus (also known by the name Keylogger Zeus) that conceals its presence and steals private information such as bank login-related data. Although TSPY_ZBOT.SMQH was only distributed in a temporary string of spam e-mail attacks that targeted Australia-based e-mail addresses, SpywareRemove.com malware analysts have found evidence that TSPY_ZBOT.SMQH could be distributed to other regions in the future. If you've accessed a link from a fake Australian Taxation Office e-mail message, your PC may be infected by TSPY_ZBOT.SMQH, as well as by a related BlackHole Exploit Kit. These infections can result in account break-ins and other attacks that steal personal information and reduce your computer's security so that criminals can control it from external servers. Since TSPY_ZBOT.SMQH is a fairly new PC threat, it's strongly suggested that you update your anti-malware software before you try to remove TSPY_ZBOT.SMQH with a system scan that analyzes all components of your PC.

TSPY_ZBOT.SMQH – the Latest Update to a Familiar Spy

TSPY_ZBOT.SMQH is just a new and upgraded version of Keylogger Zeus. Although older variants of Zeus have already stolen millions of dollars from online bank accounts, the younger TSPY_ZBOT.SMQH adds some extra safeguards to make its attacks even sneakier – TSPY_ZBOT.SMQH uses UDP ports instead of HTML-based methods of receiving configuration files, includes several other stealth improvements, and retains all of the original Keylogger Zeus's functions. Attacks from TSPY_ZBOT.SMQH can be altered by different sets of instructions, but the most common TSPY_ZBOT.SMQH dangers that SpywareRemove.com malware analysts have noted include:

  • Stolen keyboard-based information (essentially, anything that you type, including passwords).
  • Stolen login information for financial websites; TSPY_ZBOT.SMQH can be instructed specifically to search for this information on particular websites and in specific files, instead of trying to glean it from your general typing.
  • Stolen information from specific types of money-transferal programs, particularly WebMoney Keeper Classic.

You may not see obvious symptoms of a TSPY_ZBOT.SMQH attack, and to make matters worse, TSPY_ZBOT.SMQH's propagation method also includes BlackHole Exploit Kit infections. BlackHole Exploit Kits can be used to install other types of harmful software and weaken your computer's security settings. Changes to your firewall or network ports should be treated as possible signs of infection by TSPY_ZBOT.SMQH, a BlackHole Exploit Kit or other types of backdoor Trojans.

Keeping Yourself Clean of TSPY_ZBOT.SMQH

All currently recorded TSPY_ZBOT.SMQH infections that SpywareRemove.com malware experts have confirmed have taken place due to contact with a late September 2011 spam e-mail link that infected the PC with TSPY_ZBOT.SMQH and a BlackHole Exploit Kit. This e-mail message pretended to be a message from the Australian Taxation Office and has, so far, only targeted Australia. Similar attacks may also occur in other countries, however, and if you've clicked such a link, you should immediately enact safety measures to prevent TSPY_ZBOT.SMQH from stealing any information or money that TSPY_ZBOT.SMQH can snatch.

Because of the sophisticated nature of TSPY_ZBOT.SMQH and BlackHole Exploit Kits, manual deletion isn't considered ideal and may even harm Windows if done in an improper manner. SpywareRemove.com malware experts strongly recommend that you run anti-malware tools in Safe Mode to remove TSPY_ZBOT.SMQH with all due efficiency. Afterwards, changing all passwords and similar forms of security-related information may be helpful to prevent account break-ins and other attacks.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

File name: file.exe
Size: 175.1 KB (175104 bytes)
MD5: fb7ac5ee4d90edd9b4f3c0cdab57a071
Detection count: 46
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: November 2, 2011

File name: file.exe
Size: 158.2 KB (158208 bytes)
MD5: d15467e6bec5b7c7c8625773c7abe928
Detection count: 45
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: November 2, 2011

File name: file.exe
Size: 157.69 KB (157696 bytes)
MD5: bc580fb702455f3c40fce5a142171d3f
Detection count: 44
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: November 2, 2011

File name: file.exe
Size: 178.17 KB (178176 bytes)
MD5: a5b4b95bfe10aa40abab7a3e0a17eab1
Detection count: 43
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: November 2, 2011

File name: file.exe
Size: 177.66 KB (177664 bytes)
MD5: f7742c9a69790ead1552faf5171c1e90
Detection count: 42
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: November 2, 2011

File name: %User Profile%\Application Data\[RANDOM CHARACTERS]
Group: Malware file
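The file entries above give an exact size and an MD5 for each sample, which is enough to check a disk for these specific files. The script below is an added example and is not SpywareRemove.com's code: it carries the five MD5/size pairs listed on this page as indicators, pre-filters on file size so that most files are never hashed, and reports any file whose size and MD5 both match. The temporary directory it scans in `run_demo()` and the extra zero-byte-file indicator used there are constructed for the demonstration.

```python
"""Check files against the TSPY_ZBOT.SMQH file indicators listed above.

Added example (not SpywareRemove.com's code). The MD5 hashes and byte sizes
are the ones the page lists; the sample directory scanned by run_demo() and
the extra empty-file indicator are constructed for the demonstration.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class FileIoC:
    md5: str    # lowercase hex MD5 as listed on the page
    size: int   # exact size in bytes as listed on the page
    label: str  # how a hit is reported


# The five file.exe samples from the page (MD5 + size in bytes).
ZBOT_SMQH_IOCS: Tuple[FileIoC, ...] = (
    FileIoC("fb7ac5ee4d90edd9b4f3c0cdab57a071", 175104, "TSPY_ZBOT.SMQH file.exe (175104 bytes)"),
    FileIoC("d15467e6bec5b7c7c8625773c7abe928", 158208, "TSPY_ZBOT.SMQH file.exe (158208 bytes)"),
    FileIoC("bc580fb702455f3c40fce5a142171d3f", 157696, "TSPY_ZBOT.SMQH file.exe (157696 bytes)"),
    FileIoC("a5b4b95bfe10aa40abab7a3e0a17eab1", 178176, "TSPY_ZBOT.SMQH file.exe (178176 bytes)"),
    FileIoC("f7742c9a69790ead1552faf5171c1e90", 177664, "TSPY_ZBOT.SMQH file.exe (177664 bytes)"),
)

# Constructed indicator used only by the demo: the MD5 of a zero-byte file.
EMPTY_FILE_IOC = FileIoC("d41d8cd98f00b204e9800998ecf8427e", 0,
                         "constructed empty-file test indicator")


def check_bytes(data: bytes, iocs: Iterable[FileIoC]) -> Optional[FileIoC]:
    """Return the indicator that matches `data`, or None.

    Size is compared before hashing: a size mismatch rules the file out
    without the cost of an MD5 over its contents.
    """
    candidates = [i for i in iocs if i.size == len(data)]
    if not candidates:
        return None
    digest = hashlib.md5(data).hexdigest()
    for ioc in candidates:
        if ioc.md5 == digest:
            return ioc
    return None


def scan_directory(root: str, iocs: Iterable[FileIoC] = ZBOT_SMQH_IOCS) -> Dict[str, str]:
    """Walk `root` and return {path: label} for every file matching an indicator."""
    iocs = tuple(iocs)
    sizes = {i.size for i in iocs}
    hits: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                # Cheap pre-filter on size so most files are never read or hashed.
                if os.path.getsize(path) not in sizes:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable or vanished file; skip it
            hit = check_bytes(data, iocs)
            if hit is not None:
                hits[path] = hit.label
    return hits


def run_demo() -> Dict[str, str]:
    """Scan a constructed temp directory; return {file name: label} of the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        open(os.path.join(tmp, "empty.bin"), "wb").close()      # matches EMPTY_FILE_IOC
        with open(os.path.join(tmp, "notes.txt"), "wb") as fh:  # benign, no match
            fh.write(b"constructed benign content")
        hits = scan_directory(tmp, ZBOT_SMQH_IOCS + (EMPTY_FILE_IOC,))
        return {os.path.basename(p): label for p, label in hits.items()}


if __name__ == "__main__":
    for name, label in run_demo().items():
        print(f"{name}: {label}")
```

A hash match is a strong positive for these particular samples but a negative proves nothing: any repacked or updated build of the same Trojan has a different size and MD5, so this check complements an up-to-date anti-malware scan rather than replacing it. Run it against `%User Profile%\Application Data` and the browser download folder, which the page names as the drop and delivery locations.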

Registry Modifications

The following Registry keys were created:

HKEY_CURRENT_USER\Software\Microsoft\[RANDOM CHARACTERS]
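Because the subkey name is randomly generated, it cannot be matched by a fixed string; what can be checked is which subkeys under HKEY_CURRENT_USER\Software\Microsoft are new relative to a known-clean machine, and whether any of them look machine-generated. The script below is an added example, not SpywareRemove.com's code. Both signals it uses are my own assumptions rather than anything the page specifies: a baseline comparison against a subkey list recorded on a clean reference system, and a "random-looking name" heuristic (purely alphabetic, very few vowels, high per-character entropy). The `winreg` enumeration only works on Windows; the baseline and candidate names in `run_demo()` are constructed.

```python
"""Triage the subkeys under HKEY_CURRENT_USER\\Software\\Microsoft for the
random-named key described above.

Added example, not SpywareRemove.com's code. Two signals are combined, both
assumptions of this example rather than anything the page specifies:
(1) a subkey name absent from a baseline taken on a known-clean machine, and
(2) a name that looks machine-generated (all letters, few vowels, high
character entropy). The names used by run_demo() are constructed.
"""
import math
from collections import Counter
from typing import Iterable, List, Set, Tuple

VOWELS = set("aeiou")


def shannon_entropy(text: str) -> float:
    """Bits per character of `text` (0.0 for the empty string)."""
    if not text:
        return 0.0
    counts = Counter(text.lower())
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(name: str, min_len: int = 6,
                 max_vowel_ratio: float = 0.2, min_entropy: float = 3.0) -> bool:
    """Heuristic (an assumption, not from the page): a purely alphabetic name
    of at least `min_len` characters with a very low vowel share and high
    per-character entropy is treated as machine-generated."""
    if len(name) < min_len or not name.isalpha():
        return False
    lowered = name.lower()
    vowel_ratio = sum(ch in VOWELS for ch in lowered) / len(lowered)
    return vowel_ratio <= max_vowel_ratio and shannon_entropy(lowered) >= min_entropy


def triage_subkeys(names: Iterable[str], baseline: Set[str]) -> List[Tuple[str, str]]:
    """Return (name, reason) for every subkey that deserves a closer look."""
    findings: List[Tuple[str, str]] = []
    for name in names:
        if name in baseline:
            continue  # present on the known-clean reference machine
        reason = "not in baseline"
        if looks_random(name):
            reason += "; random-looking name"
        findings.append((name, reason))
    return findings


def read_hkcu_microsoft_subkeys() -> List[str]:
    """Enumerate HKCU\\Software\\Microsoft on Windows; returns [] elsewhere."""
    try:
        import winreg  # standard library, Windows only
    except ImportError:
        return []
    names: List[str] = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Microsoft") as key:
        index = 0
        while True:
            try:
                names.append(winreg.EnumKey(key, index))
            except OSError:
                break  # no more subkeys
            index += 1
    return names


def run_demo() -> List[Tuple[str, str]]:
    """Triage a constructed subkey listing against a constructed baseline."""
    baseline = {"Windows", "Internet Explorer", "Office", "Cryptography"}
    current = ["Windows", "Internet Explorer", "Office", "Cryptography",
               "Xqzvkprtw",    # constructed: absent from baseline and random-looking
               "NewToolbar"]   # constructed: absent from baseline but pronounceable
    return triage_subkeys(current, baseline)


if __name__ == "__main__":
    live = read_hkcu_microsoft_subkeys()
    for name, reason in (triage_subkeys(live, set()) if live else run_demo()):
        print(f"{name}: {reason}")
```

The baseline difference is the signal to trust; the entropy heuristic only ranks the new names. Random names that happen to be pronounceable pass it, and short legitimate keys with few vowels may trip it, so each finding should be confirmed by inspecting the key's values and the executable they point to before anything is deleted.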