
Troj/Zbot-DSP

Posted: January 29, 2013

Threat Metric

Threat Level: 9/10
Infected PCs: 16
First Seen: January 29, 2013
Last Seen: January 21, 2020
OS(es) Affected: Windows

Troj/Zbot-DSP is a variant of the Zeus banking Trojan that includes enhanced spyware features for stealing financial information entered on bank websites. As a further development of Citadel, Troj/Zbot-DSP adds functions and multiple methods for targeting and stealing confidential data from your PC. Troj/Zbot-DSP sets itself apart from most Trojans by being aimed at specific companies that are likely to hold large quantities of financial transaction data (such as Point-of-Sale processing companies). Because the Trojan shows no obvious symptoms during its attacks, Spywareremove.com malware researchers recommend using appropriately powerful anti-malware programs to block, detect or delete Troj/Zbot-DSP.

Troj/Zbot-DSP: a Spy with Special Targets in Mind

Previous versions of both Zeus and Citadel were known for broad dissemination strategies that aimed to gather large quantities of information from any computer that could be infected successfully. Unlike such generalists, Troj/Zbot-DSP is targeted at financial companies rather than general personal computers. According to current infection patterns, Canada-based financial companies are especially at risk of being attacked by Troj/Zbot-DSP, which is likely to be distributed through removable devices and/or spam e-mail campaigns.

Troj/Zbot-DSP, like its predecessors, uses several means of gathering personal information without leaving behind much, if any, visible evidence of these attacks. Spywareremove.com malware researchers particularly emphasize the following attacks:

  • Keylogging, i.e. recording keyboard input to a log file that is then sent to a criminal-controlled server. Some of these functions include features for targeting specific financial programs such as Quickbooks and Sage.
  • Form-grabbing, or theft of information entered into the data-entry forms of various websites. In most cases, the intended targets are forms related to passwords for bank accounts, payment-processing accounts and equally confidential financial information.
  • Code-injection attacks, which insert additional malicious web content into otherwise normal web pages. A standard code-injection attack from Troj/Zbot-DSP may be used to request further personal information, usually disguised as a fake security measure.
  • Screen-grabbing: Troj/Zbot-DSP can capture screenshots centered on the victim's mouse cursor.

Taking this New Citadel of PC Thievery Down a Peg

Apart from some minor resource usage issues and the possibility that unusual web content is noticed, Troj/Zbot-DSP shows no symptoms of its activities even while it confiscates highly sensitive information. Spywareremove.com malware experts particularly encourage employees of financial companies in Canada to guard against the potential infection routes of Troj/Zbot-DSP. However, Troj/Zbot-DSP and other Citadel variants are just as capable of stealing information from PCs in other regions.

Troj/Zbot-DSP is the label applied when your anti-malware software detects the threat as an unlaunched file. Once launched, it may be detected under the label HPmal/Zbot-C, and the active in-memory component may be detected as Troj/ZbotMem-B. As a sophisticated and dangerous banking Trojan, Troj/Zbot-DSP should be deleted with anti-malware applications that have equally potent malware-removal features.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system (all four are executable files, Mime type unknown/exe, classified as malware files):

File name          Size                       MD5                               Detection count  Last updated
a.exe              345.13 KB (345135 bytes)   cf54a73593a98cd7b3812ddffed6669e  68               February 12, 2013
emud.exe           345.13 KB (345135 bytes)   976b2ccbd07f1ca8f9322f0438290460  67               February 12, 2013
a.exe              345.13 KB (345135 bytes)   727d0d82d92b4a399e76a8b473c90616  58               February 12, 2013
%APPDATA%\13.exe   395.26 KB (395264 bytes)   d2814ded0761709a9cafe5f3c780a774  7                August 19, 2013