Trojan-Spy.Win32.Zbot.gtvm

Trojan-Spy.Win32.Zbot.gtvm is a variant of Zeus, a Trojan that's especially noted for its widespread nature, association with Blackhole Exploit Kits and complicity in attacks that steal bank account information. Spam e-mail messages are the main infection vector for Trojan-Spy.Win32.Zbot.gtvm, which is installed after victims click a mislabeled that's disguised to look as though it's pointing the official website for the Air Canada airline. Like any major variant of Zeus, Trojan-Spy.Win32.Zbot.gtvm uses advanced methods to avoid being seen while Trojan-Spy.Win32.Zbot.gtvm reduces your PC's network security and attempts to steal private information (such as passwords) for the profit of the criminals behind Trojan-Spy.Win32.Zbot.gtvm. In cases where plain and simple e-mail safety procedures fail, SpywareRemove.com malware researchers recommend using good anti-malware applications to find and delete Trojan-Spy.Win32.Zbot.gtvm if Trojan-Spy.Win32.Zbot.gtvm is installed.

Why the Visible URL Isn't All You Should Care About Before You Click Trojan-Spy.Win32.Zbot.gtvm's Link

Trojan-Spy.Win32.Zbot.gtvm, like many other variants of Zeus, as well as members of the Bredo family of Trojans, uses automated e-mail spam to distribute itself to fresh victims. The current templates for Trojan-Spy.Win32.Zbot.gtvm spam display themselves as online flight bookings from Air Canada, with the actual e-ticket supposedly found at the end of an included web link. Since the e-mail for Trojan-Spy.Win32.Zbot.gtvm indicates that the flight already has been purchased, it seems likely that malware authors hoped that victims would click the link out of desperation to cancel and regain a refund from an unwanted flight. On a superficial inspection, the included link appears to point to aircanada.com.

Of course, the link doesn't lead to any sort of ticket, but to a ZIP archive that contains Trojan-Spy.Win32.Zbot.gtvm. The URL that hosts Trojan-Spy.Win32.Zbot.gtvm also uses a HXXP format, which SpywareRemove.com malware experts have noted as a common and simple way of attempting to evade basic security features on various web browsers.

Because Trojan-Spy.Win32.Zbot.gtvm is a new variant of Zeus, some anti-malware products may not yet have a developed definition for Trojan-Spy.Win32.Zbot.gtvm. Trojan-Spy.Win32.Zbot.gtvm also may be identified heuristically as Trojan.Agent/Gen-Festo or, simply, Trojan.Zbot.

What a Ticket for Trojan-Spy.Win32.Zbot.gtvm Will Cost Your Computer

Although Trojan-Spy.Win32.Zbot.gtvm is a new version of Zeus, Trojan-Spy.Win32.Zbot.gtvm continues to include the same basic features that any Zeus Trojan is well-known for using against hapless PCs. As noted by SpywareRemove.com malware analysts, attacks by Trojan-Spy.Win32.Zbot.gtvm can include (but aren't restricted to):

• Attempts to change your security settings, particularly with regards to your firewall, that will allow Trojan-Spy.Win32.Zbot.gtvm to contact a remote server without your permission.
• Theft of confidential information, including account names, passwords, credit card numbers and other personal information – especially information that's related to finances or your identity. As was documented in other versions of Zeus and their 'man in the browser' attacks, Trojan-Spy.Win32.Zbot.gtvm even may insert malicious content into bank web pages and request for additional information in the guise of new security procedures.
• The installation of other malware that may make additional attacks on your computer.
• Attempts to block your security applications and features.

Even though Trojan-Spy.Win32.Zbot.gtvm tries to block anti-malware products that could be used to remove Trojan-Spy.Win32.Zbot.gtvm safely, such issues can be remedied by disabling Trojan-Spy.Win32.Zbot.gtvm before you start a system scan. SpywareRemove.com malware researchers recommend that you attempt to use the Safe Mode feature of Windows first, and use additional measures as required.

Technical Details