
Win32/Spy.Zbot.YW

Posted: March 28, 2012

Threat Metric

Threat Level: 9/10
Infected PCs: 92
First Seen: March 28, 2012
OS(es) Affected: Windows

Win32/Spy.Zbot.YW is a backdoor Trojan and banking Trojan that's installed with the intent of compromising your computer's security and stealing personal information, with an emphasis on bank passwords and other account-related credentials. Although many PC security companies have developed effective identification and removal tools for Win32/Spy.Zbot.YW, the Trojan doesn't show noticeable symptoms, and you shouldn't attempt to find or remove Win32/Spy.Zbot.YW without appropriate software unless no other options are available. Because Win32/Spy.Zbot.YW's spyware-related functions include broad and extremely potent methods of attack, SpywareRemove.com malware experts recommend that you treat any potential Win32/Spy.Zbot.YW infection as a high-level threat to your computer until it's resolved.

Win32/Spy.Zbot.YW – a Spy with More Than One Method of Surveillance in Mind

Win32/Spy.Zbot.YW, also identified by the aliases Trojan-Spy.Win32.Zbot.ajws, Suspicious.SillyFDC and PWS:Win32/Zbot.gen!R, is equipped with an entire spectrum of default attacks that can steal information from your PC and violate its security in the process of the theft. SpywareRemove.com malware researchers have also found that Win32/Spy.Zbot.YW, like many backdoor Trojans, can update itself from a remote server or respond to remote commands for other attacks, which lends an element of unpredictability to its behavior. However, the most common attacks from Win32/Spy.Zbot.YW utilize techniques such as the ones noted here:

  • Win32/Spy.Zbot.YW will launch itself as a background process that runs whenever Windows starts.
  • Win32/Spy.Zbot.YW targets cookies, passwords and PC identification information and transmits the stolen data to its remote server, where it can be abused in future attacks. Information-gathering methods can include keylogging, monitoring of your online activities and screen captures.
  • Win32/Spy.Zbot.YW can hook itself into various Windows APIs to conceal its attacks and gather additional information.
  • Lastly, Win32/Spy.Zbot.YW will create a backdoor vulnerability on your PC that allows criminals to access and control the machine from a C&C server. This may be used for other attacks, including installing other types of malicious software.

Why Spying Out Win32/Spy.Zbot.YW Isn't Easy

As is typical of spyware, Win32/Spy.Zbot.YW doesn't show visible symptoms of its attacks and may not have an obvious memory process or file components. Despite this shroud of invisibility around Win32/Spy.Zbot.YW's structure, the SpywareRemove.com malware research team encourages you to delete Win32/Spy.Zbot.YW with qualified anti-malware software right away, since Win32/Spy.Zbot.YW is capable of targeting extremely sensitive financial information for theft. Ideally, you should shut Win32/Spy.Zbot.YW down before you remove it in a scan, so that all of Win32/Spy.Zbot.YW's components are removed.

Common means of disabling PC threats like Win32/Spy.Zbot.YW include booting in Safe Mode, booting from a removable drive or simply switching to a different operating system. SpywareRemove.com malware experts also note that any software that gets rid of Win32/Spy.Zbot.YW should also be capable of undoing its setting changes, such as alterations to the Windows Registry, since these changes may be a source of other issues unless they're also removed along with Win32/Spy.Zbot.YW.

Technical Details

File System Modifications


The following files were created in the system:

File name: waulldon6.htm
Size: 343.02 KB (343024 bytes)
MD5: 538037d269ad3ca8fabffcd2c82548ed
Detection count: 94
Mime Type: unknown/htm
Group: Malware file
Last Updated: March 29, 2012

File name: wnineas.exe
Size: 343.02 KB (343024 bytes)
MD5: 414a885a60aa9d86e389304f49f3b272
Detection count: 91
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: March 29, 2012

File name: tinleedisu7.tmp
Size: 343.02 KB (343024 bytes)
MD5: c9b59e8b1b2cf0637faba0640a1b4e7d
Detection count: 80
File type: Temporary File
Mime Type: unknown/tmp
Group: Malware file
Last Updated: March 29, 2012

File name: ritoced2.jpg
Size: 343.02 KB (343024 bytes)
MD5: 5b308a79135a990c1814691e757b81d1
Detection count: 79
Mime Type: unknown/jpg
Group: Malware file
Last Updated: March 29, 2012

File name: ewty.exe
Size: 343.02 KB (343024 bytes)
MD5: c4181641527876b95ec6cc7905949ad5
Detection count: 78
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: March 29, 2012

File name: %System%folderus3r.ds.lll
Mime Type: unknown/lll
Group: Malware file

File name: %System%folderus3r.ds
Mime Type: unknown/ds
Group: Malware file

File name: %System%folderl0cal.ds
Mime Type: unknown/ds
Group: Malware file

Registry Modifications

The following Registry values are created or modified:

[HKEY_LOCAL_MACHINE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%originalvalue%, %system%d3dg86.exe,"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\PhishingFilter]
"Enabled" = 0
"EnabledV8" = 0

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
"Enabled" = 0
"EnabledV8" = 0
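The two registry indicators above can be checked from a registry export rather than on a live machine. The Python below is an added example written for this page, not code from SpywareRemove.com or from any detection product: it parses the text of a .reg file (the format written by regedit's export function and by the reg export command) and flags an entry other than userinit.exe in the Winlogon Userinit value, which Winlogon starts at every logon, and PhishingFilter values explicitly set to 0 in either hive. The sample export is constructed; the d3dg86.exe filename is the one listed above, and the Winlogon key is given with its full standard path (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon), which the page's listing abbreviates.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of a .reg export (not taken from the page). The Userinit
# value carries a second executable after the stock userinit.exe, and the
# machine-wide PhishingFilter is switched off; both mirror the registry
# indicators listed for this Trojan. d3dg86.exe is the filename from that list.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\d3dg86.exe,"
"Shell"="explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter]
"Enabled"=dword:00000000
"EnabledV8"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
"Enabled"=dword:00000001
"EnabledV8"=dword:00000001
"""

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
PHISHING_FILTER_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter",
    r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter",
)

RegTree = Dict[str, Dict[str, object]]


def parse_reg_export(text: str) -> RegTree:
    """Parse .reg text into {key_path: {value_name: value}}.

    REG_SZ data ("...") is unescaped, REG_DWORD (dword:hex) becomes an int,
    any other type is kept as its raw string. Default values (@=) and
    comment lines (;) are skipped.
    """
    tree: RegTree = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})
            continue
        match = re.match(r'^"([^"]+)"=(.*)$', line)
        if match is None or current is None:
            continue
        name, data = match.group(1), match.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            # .reg files escape backslashes and quotes inside string data
            value: object = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        elif data.lower().startswith("dword:"):
            value = int(data[len("dword:"):], 16)
        else:
            value = data
        tree[current][name] = value
    return tree


def lookup(tree: RegTree, key_path: str, value_name: str) -> object:
    """Case-insensitive lookup; registry paths and value names are not case-sensitive."""
    for path, values in tree.items():
        if path.lower() == key_path.lower():
            for name, value in values.items():
                if name.lower() == value_name.lower():
                    return value
    return None


def check_userinit(tree: RegTree) -> List[str]:
    """Return Userinit entries other than the stock userinit.exe.

    Winlogon runs every comma-separated entry of this value at logon, so an
    appended executable is a persistence point; the clean value holds only
    userinit.exe followed by a trailing comma.
    """
    userinit = lookup(tree, WINLOGON_KEY, "Userinit")
    if not isinstance(userinit, str):
        return []
    entries = [e.strip() for e in userinit.split(",") if e.strip()]
    return [e for e in entries if e.lower().rsplit("\\", 1)[-1] != "userinit.exe"]


def check_phishing_filter(tree: RegTree) -> List[str]:
    """Report PhishingFilter values explicitly set to 0 (filter disabled) in either hive."""
    findings: List[str] = []
    for key in PHISHING_FILTER_KEYS:
        for name in ("Enabled", "EnabledV8"):
            if lookup(tree, key, name) == 0:
                findings.append(f"{key}\\{name} = 0")
    return findings


def assess(text: str) -> Dict[str, List[str]]:
    """Run both checks over one .reg export and return the findings by category."""
    tree = parse_reg_export(text)
    return {
        "userinit_extra_entries": check_userinit(tree),
        "phishing_filter_disabled": check_phishing_filter(tree),
    }


if __name__ == "__main__":
    for category, hits in assess(SAMPLE_REG_EXPORT).items():
        print(f"{category}: {hits if hits else 'clean'}")
```

On a real system the input would come from an export such as `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg`; regedit and reg.exe write these files as UTF-16, so open them with `encoding="utf-16"` before passing the text to `assess()`. The check compares only the basename of each Userinit entry, so a stock value written with a different drive letter or path casing is still treated as clean, while any additional executable is reported regardless of where it lives.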