
Win32/Spy.Zbot.ZR

Posted: October 21, 2011

Threat Metric

Threat Level: 9/10
Infected PCs: 44
First Seen: October 21, 2011
OS(es) Affected: Windows

Heads up, vigilant computer users: as this particular threat's name indicates, a new variant of the Zbot Trojan has been spotted making the rounds across the Web.

Win32/Spy.Zbot.ZR is a newer, modified version of the Zbot Trojan – a malicious Trojan-based threat that has been plaguing the cyber world for a while now – and it is increasingly known for its privacy-invasive behavior. In other words, Win32/Spy.Zbot.ZR poses a definite data security risk and seriously threatens any confidential, sensitive information stored on an infected computer system.

This means that this privacy-invasive Trojan is built to log, store, transmit and steal all types of confidential, personal and financial information from the computer systems that Win32/Spy.Zbot.ZR manages to infect. The data at risk in a Win32/Spy.Zbot.ZR infection includes online bank account details, passwords, usernames, credit card information and similar personal data.

Win32/Spy.Zbot.ZR's Direct Relationship to Malicious Email Attachments

Categorized as a backdoor Trojan, Win32/Spy.Zbot.ZR is reported to be spread most often via malicious spam emails carrying infected attachments, but it has also been suggested that the Trojan may be distributed through corrupt scripts on infected web domains and by bundling third-party file downloads with malicious code that installs Win32/Spy.Zbot.ZR.

The spam messages and malicious attachments directly linked to this distribution campaign, which propagates Win32/Spy.Zbot.ZR by sending infected email attachments to random computer users' inboxes, are reported to bear the subject line 'So now you're on LinkedIn: What's Next?'

According to SpywareRemove.com security analysts, this new spam-based Trojan propagation campaign is a follow-up to a similar one seen in September 2010. Additionally, it has been revealed that, although over a year has passed since the previous round of malicious LinkedIn spam messages was sent out, the malware being distributed has not changed at all.

The malicious emails employed to distribute Win32/Spy.Zbot.ZR are reportedly sent from a phony sender address displayed as 'LinkedIn'. What's more, these spam emails carry forged headers and LinkedIn branding meant to lend the corrupt messages a pretense of legitimacy.

If you have received one of these malicious Trojan-propagating spam messages, be sure NOT to click on any links or open any email attachments contained in the message. Reportedly, if you do click one of the malicious links or attachments, Win32/Spy.Zbot.ZR is automatically and immediately downloaded onto your computer system, disguised as an Adobe Flash update.

Other Important Facets of the Win32/Spy.Zbot.ZR Trojan

Win32/Spy.Zbot.ZR has also been spotted functioning under several other aliases, a few of which are as follows:

– Trojan-Spy.Win32.Zbot.aptt [Kaspersky]
– Trojan.Zbot [PCTools]
– Trojan.Generic.KD.44402

Once successfully downloaded and installed on a targeted computer system, Win32/Spy.Zbot.ZR immediately begins making a variety of changes to the Windows registry, generating random system files, creating new directories and processes, and attempting to connect to a remote server in order to transmit any stolen data collected by this backdoor Trojan.

Technical Details

File System Modifications


The following files were created in the system:

File name: file.exe
  Size: 202.75 KB (202752 bytes)
  MD5: 72fe63f68b0836930135d753125a267e
  Detection count: 6
  File type: Executable File
  Mime Type: unknown/exe
  Group: Malware file
  Last Updated: October 24, 2011

File name: file.exe
  Size: 146.88 KB (146888 bytes)
  MD5: 42dff9ad3d5072a7cbc2b6263839e4f8
  Detection count: 5
  File type: Executable File
  Mime Type: unknown/exe
  Group: Malware file
  Last Updated: October 24, 2011

File name: file.exe
  Size: 101.61 KB (101616 bytes)
  MD5: 9bf74da46caac9c01c4abe33abb1870f
  Detection count: 4
  File type: Executable File
  Mime Type: unknown/exe
  Group: Malware file
  Last Updated: October 24, 2011

File name: file.exe
  Size: 197.12 KB (197120 bytes)
  MD5: 8bc3d39a2b2b39e481cdfe65490d1fab
  Detection count: 3
  File type: Executable File
  Mime Type: unknown/exe
  Group: Malware file
  Last Updated: October 24, 2011

File name: %SYSTEM%\wsnpoem.exe
  File type: Executable File
  Mime Type: unknown/exe
  Group: Malware file

File name: %SYSTEM%\drivers\wsnpoem.sys
  File type: System file
  Mime Type: unknown/sys
  Group: Malware file

File name: %SYSTEM%\ntos.exe
  File type: Executable File
  Mime Type: unknown/exe
  Group: Malware file

File name: %SYSTEM%\twext.exe
  File type: Executable File
  Mime Type: unknown/exe
  Group: Malware file

File name: Chi45.sys
  File type: System file
  Mime Type: unknown/sys
  Group: Malware file

File name: crypt_ldr.exe
  File type: Executable File
  Mime Type: unknown/exe
  Group: Malware file

File name: [random digits].exe
  File type: Executable File
  Mime Type: unknown/exe
  Group: Malware file

File name: dropped.exe
  File type: Executable File
  Mime Type: unknown/exe
  Group: Malware file

File name: eag1b.exe
  File type: Executable File
  Mime Type: unknown/exe
  Group: Malware file

File name: bana.execog.exe
  File type: Executable File
  Mime Type: unknown/exe
  Group: Malware file

Registry Modifications

The following registry values are newly created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon = %System%\userinit.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon = %System%\ntos.exe
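The file and registry indicators listed in the two sections above can be turned into a simple host check: match the four sample hashes together with their byte sizes, look for the fixed drop paths under the Windows system directory, and flag any extra executable in the Winlogon value besides userinit.exe. The script below is an added example written for this page, not code from SpywareRemove.com or from any vendor listed here; it assumes the Winlogon value is a comma-separated, Userinit-style list of executables, and the directory it builds for its demo run holds constructed placeholder content, not malware.

```python
import hashlib
import os
import tempfile

# The four MD5 values and byte sizes listed on this page. The generic names
# (file.exe, dropped.exe, [random digits].exe) are too common to match on,
# so hashes are matched together with size, and names are checked only for
# the fixed drop locations under the Windows system directory.
KNOWN_MD5 = {
    "72fe63f68b0836930135d753125a267e": 202752,
    "42dff9ad3d5072a7cbc2b6263839e4f8": 146888,
    "9bf74da46caac9c01c4abe33abb1870f": 101616,
    "8bc3d39a2b2b39e481cdfe65490d1fab": 197120,
}

# Drop paths the page lists under %SYSTEM%, relative to that directory.
DROP_NAMES = ("wsnpoem.exe", os.path.join("drivers", "wsnpoem.sys"),
              "ntos.exe", "twext.exe")


def md5_of_file(path):
    """Stream a file through MD5 so large files need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def matches_known_sample(md5_hex, size):
    """True only when both the hash and the byte size agree with a listed sample."""
    return KNOWN_MD5.get(md5_hex.lower()) == size


def scan_for_hashes(root):
    """Walk root and return (path, md5) for each file that is a listed sample."""
    sizes_of_interest = set(KNOWN_MD5.values())
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
            except OSError:
                continue
            # Size is a cheap pre-filter; only files that could match get hashed.
            if size not in sizes_of_interest:
                continue
            digest = md5_of_file(path)
            if matches_known_sample(digest, size):
                hits.append((path, digest))
    return hits


def present_drop_files(system_dir):
    """Return the listed drop paths that exist under the given system directory."""
    candidates = [os.path.join(system_dir, n) for n in DROP_NAMES]
    return [p for p in candidates if os.path.isfile(p)]


def suspicious_winlogon_entries(userinit_value):
    """Assumption: the value is a comma-separated list of executables, as in the
    Winlogon Userinit value. Return every entry that is not userinit.exe itself,
    which is how an added %System%\\ntos.exe entry shows up."""
    entries = [e.strip() for e in userinit_value.split(",") if e.strip()]
    return [e for e in entries
            if os.path.basename(e.replace("\\", "/")).lower() != "userinit.exe"]


def build_constructed_sample_dir():
    """Constructed test data: a temp directory standing in for %SYSTEM% that holds
    a placeholder file named ntos.exe. Returns (dir, path_of_that_file)."""
    root = tempfile.mkdtemp(prefix="zbot_ioc_demo_")
    fake = os.path.join(root, "ntos.exe")
    with open(fake, "wb") as fh:
        fh.write(b"constructed placeholder content, not malware")
    return root, fake


if __name__ == "__main__":
    demo_dir, _ = build_constructed_sample_dir()
    print("drop files present:", present_drop_files(demo_dir))
    print("hash hits:", scan_for_hashes(demo_dir))
    print("extra Winlogon entries:", suspicious_winlogon_entries(
        r"C:\Windows\system32\userinit.exe,C:\Windows\system32\ntos.exe"))
```

On a real host you would point scan_for_hashes at the user profile and temp directories, pass the actual system32 path to present_drop_files, and feed the Userinit value read from the Winlogon key to suspicious_winlogon_entries; a hit on the fixed drop names or an extra Winlogon entry is worth investigating even when the hash list does not match, since the page notes the dropped files carry random names.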