Troj/ZbotMem-B
Posted: February 17, 2012
Threat Metric
The fields shown on the Threat Meter, and how their values are derived, are explained below:
Threat Level: Rated on a scale from 1 (lowest severity) to 10 (highest severity). Each level reflects the threat's consistently assessed behaviors as collected by SpyHunter's risk assessment model.
Detection Count: The total number of confirmed and suspected cases of a particular malware threat, calculated from infected PCs identified in diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the Detection Count, but based on the number of confirmed and suspected infections observed per day. A high Volume Count usually indicates a currently popular threat, although it may or may not have infected a large number of systems overall; a threat with a high Detection Count can lie dormant and have a low Volume Count. The Volume Count criteria are relative to the daily detection count.
Trend Path: Shown as an up arrow, a down arrow or an equals sign, representing a threat's recent movement: an up arrow indicates an increase, a down arrow a decline, and an equals sign no change.
% Impact (Last 7 Days): The change over a 7-day period in how frequently a malware threat is found infecting PCs. The percentage corresponds directly to the current Trend Path, which shows whether the percentage is rising or declining.
| Field | Value |
|---|---|
| Threat Level: | 5/10 |
| Infected PCs: | 30 |
| First Seen: | February 17, 2012 |
| Last Seen: | July 13, 2022 |
| OS(es) Affected: | Windows |
Troj/ZbotMem-B is an alternate detection name for Trojan.Zbot, a Trojan that specializes in stealing banking credentials and FTP login information. The name is applied only when an anti-malware product has found a Zbot Trojan resident in memory, so any alert or scan result naming Troj/ZbotMem-B should be treated as evidence that a Trojan.Zbot is currently active on the computer, not merely present on disk. SpywareRemove.com malware researchers recommend responding to a Troj/ZbotMem-B warning by letting the anti-malware program finish detecting and removing Zbot: ignoring it leaves sensitive information on the PC exposed, up to and including giving criminals access to your bank account and related finances.
Troj/ZbotMem-B – a Portent of PC Threats at Work Against Your Best Interests
Because the label is specific to Zbot Trojans running in memory, Troj/ZbotMem-B and related threats may sometimes be spotted in Windows Task Manager or similar process-viewing utilities as unusual memory usage. That is not a reliable check, however: Zbot Trojans detected as Troj/ZbotMem-B have been known to name their components after Windows files (such as svchost.exe), use randomly generated file names and inject their code into legitimate Windows processes so that they run from inside them, which means the malicious code may not appear as a separate process at all. For these reasons SpywareRemove.com malware experts don't recommend trying to locate all components of a Troj/ZbotMem-B infection without the help of anti-malware software. Even when the Troj/ZbotMem-B component is correctly identified and deleted, the related Zbot Trojan is likely to have made changes to the Windows Registry that should be undone by appropriate security software or a PC security expert.
Some attacks that are traditionally linked to Troj/ZbotMem-B and its Zbot Trojans include:
- Alterations to your web browser that reduce its security. These changes are made in the Registry and can't be undone by changing the browser's normal security settings.
- Backdoor attacks that give remote criminals a limited amount of access to your PC, including hijacking your web browser or installing other PC threats on the computer.
- Code injection attacks that insert Troj/ZbotMem-B's own code into normal Windows processes, particularly processes such as explorer.exe that launch automatically and remain open as a normal part of the computer's operation.
- Theft of personal information, such as account login data, from financial and banking websites (such as bankofamerica.com). Troj/ZbotMem-B may also steal information that it roots out of browser-related files, such as caches and cookies.
- Injection attacks against websites themselves, altering the pages you see in the browser to encourage you to enter additional information for its criminal partners to steal.
- Most dangerously, SpywareRemove.com malware analysts have also found that Trojan variants detected as Troj/ZbotMem-B may attempt to shut down processes linked to PC security programs. As of this writing, however, Troj/ZbotMem-B's list of targeted security applications isn't very extensive, being limited to two brands of firewall products.
The Long-Term Results of a Troj/ZbotMem-B Threat
If Troj/ZbotMem-B is allowed to continue its attacks unhindered, your bank accounts and other online accounts are at high risk of being compromised by remote criminals. Changing passwords and other security-related information from the infected PC will be ineffective for as long as Troj/ZbotMem-B can keep capturing that information on the computer; credentials should be changed from a clean device after the infection has been removed. Troj/ZbotMem-B's constant presence in memory may also degrade the computer's performance.
Since Troj/ZbotMem-B is very difficult to detect by its symptoms, SpywareRemove.com malware experts recommend scanning your PC regularly with anti-malware products rather than trying to spot signs of a Troj/ZbotMem-B infection. Zbot Trojans come in many variants and may accordingly be detected under different names; prominent aliases for Troj/ZbotMem-B include Packed.Win32.Krap.hm, Packed.Win32.Krap.hd, TR/Spy.ZBot.aqnc and TR/Agent.HM.271.
Technical Details
File System Modifications
Tutorials: If you wish to remove malware components manually, the site's tutorials cover how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always back up your PC before making any changes.
The following files were created in the system:
- C:\Documents and Settings\<username>\Application Data\Zomuu\roak.exe
  File type: Executable File
  Mime Type: unknown/exe
  Group: Malware file
- C:\Documents and Settings\<username>\Application Data\Yzox\kovup.exe
  File type: Executable File
  Mime Type: unknown/exe
  Group: Malware file
- C:\Documents and Settings\<username>\Application Data\Usobny\fyfic.bud
  Mime Type: unknown/bud
  Group: Malware file
Registry Modifications
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (entry {EAB70ED9-8221-5696-81BE-3D6E45787785})
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy\CleanCookies
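The indicators above (randomly named executables under the user's roaming Application Data folder, a per-user Run entry, and the Internet Explorer CleanCookies value) can be checked from an elevated PowerShell prompt. The script below is an added triage example, not code from the original page or from any anti-malware vendor. It treats the GUID-style entry under the Run key as a value name whose data is the launch command line; that reading, and the assumption that the Run entry points into Application Data like the files listed, are assumptions made for this example. It only reports findings and deletes nothing.

```powershell
# Added triage script for the Troj/ZbotMem-B indicators listed on this page.
# Not part of the original page or of any anti-malware product; report-only.

$RunKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$PrivacyKey = 'HKCU:\Software\Microsoft\Internet Explorer\Privacy'
# Roaming Application Data: "...\Application Data" on XP, "...\AppData\Roaming" on Vista and later.
$AppData    = [Environment]::GetFolderPath('ApplicationData')
# Drop-folder names taken from the file list above.
$KnownDropFolders = @('Zomuu', 'Yzox', 'Usobny')
# Pattern for the GUID-style Run entry above; that it is a value name (not a subkey) is an assumption.
$GuidNamePattern  = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

function Get-ImagePath {
    # Extract the executable path from a Run command line (quoted path or first token), expanding %VARS%.
    param([string]$CommandLine)
    $path = if ($CommandLine -match '^\s*"([^"]+)"') { $Matches[1] } else { ($CommandLine.Trim() -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($path)
}

function Get-SuspiciousRunEntries {
    # Flag Run values that launch from Application Data or carry a GUID-style name.
    $findings = @()
    $props = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if (-not $props) { return $findings }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are provider metadata, not registry values
        $image       = Get-ImagePath ([string]$p.Value)
        $fromAppData = $image.StartsWith($AppData, [StringComparison]::OrdinalIgnoreCase)
        $guidName    = $p.Name -match $GuidNamePattern
        if (-not ($fromAppData -or $guidName)) { continue }
        $reasons = @()
        if ($fromAppData) { $reasons += 'launches from Application Data' }
        if ($guidName)    { $reasons += 'GUID-style value name' }
        $findings += [pscustomobject]@{
            ValueName = $p.Name
            Command   = $p.Value
            Image     = $image
            OnDisk    = Test-Path -LiteralPath $image
            Reason    = $reasons -join '; '
        }
    }
    return $findings
}

function Get-KnownDropFolderContents {
    # List files in the named drop folders if they exist (works on PowerShell 2.0, hence no -File switch).
    foreach ($name in $KnownDropFolders) {
        $dir = Join-Path $AppData $name
        if (Test-Path -LiteralPath $dir) {
            Get-ChildItem -LiteralPath $dir -Force |
                Where-Object { -not $_.PSIsContainer } |
                Select-Object FullName, Length, LastWriteTime
        }
    }
}

function Get-CleanCookiesValue {
    # Return the CleanCookies value data, or $null if the value is absent.
    $privacy = Get-ItemProperty -Path $PrivacyKey -ErrorAction SilentlyContinue
    if ($privacy -and $privacy.PSObject.Properties['CleanCookies']) { return $privacy.CleanCookies }
    return $null
}

'== Run entries launching from Application Data or with GUID-style names =='
Get-SuspiciousRunEntries | Format-Table -AutoSize
'== Files in the drop folders named above (if present) =='
Get-KnownDropFolderContents | Format-Table -AutoSize
'== HKCU\Software\Microsoft\Internet Explorer\Privacy\CleanCookies =='
$cc = Get-CleanCookiesValue
if ($null -eq $cc) { 'not present' } else { "present, value: $cc" }
```

A hit in the first table with OnDisk set to True is the persistence mechanism described on this page; a hit with OnDisk False can still matter, since the image may already have been removed while injected code is still running in a process such as explorer.exe. Because of that injection, deleting the file or the Run value by hand is not a clean-up: let the anti-malware product finish, reboot, and then re-run the script to confirm the entries have not been re-created.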