Trojan.Zbot

Trojan.Zbot Description

Type: Trojan

Trojan.Zbot is a fairly generic backdoor Trojan infection that is closely linked to Mal/VB-AER and the Zeus Trojan, one of the most infamous malware infections. Since 2007, Trojan.Zbot has made headlines when Trojan.Zbot was used to infiltrate and steal information from the Transportation Department of the United States. Since March of 2009, Trojan.Zbot and the Zeus Trojan became widespread, infecting millions of computer from all around the world. ESG security researchers detected thousands of FTP servers of some of the most popular websites that were infected with the Zeus Trojan and Trojan.Zbot. Malware analysts estimate that the botnets associated with Trojan.Zbot cost billions of dollars every year and that a large percentage of phishing messages on Facebook and in spam emails are sent in order to spread malware associated with Trojan.Zbot. In the fall of 2010, the FBI cracked down on the criminal network thought to be responsible for an attack using Trojan.Zbot and the Zeus Trojan that resulted in the theft of more than seventy million dollars from American banks. About ninety people were arrested in relation to these criminal acts in the United States, the Russian Federation, the United Kingdom and Ukraine. In 2011, PC security researchers are facing a serious challenge since the source code of Zeus Trojan and Trojan.Zbot were leaked to the public, enabling practically anyone to use Trojan.Zbot to perform their own attacks.

Is Your Computer System in Danger from Trojan.Zbot?

While malware associated with Trojan.Zbot is not confined to a single area, the five countries with the highest incidence of infection are Mexico, Egypt, Saudi Arabia, the United States and Turkey. As of today, this malware infection is linked to the largest botnets known to PC security researchers. If your operating system is not Windows, then you are safe from Trojan.Zbot. This malware infection can only attack computer system with the Windows Operating system. Users of Windows Vista and Windows Vista SP1 operating systems are particularly vulnerable and form the majority of computer systems integrating this network of infected computers. Each criminal can fine tune their infection in order to steal different data, although Trojan.Zbot is mostly linked to credit card and online banking account information theft. However, these can also be used to steal login information for email or social media accounts.

Aliases

15 security vendors flagged this file as malicious.

Anti-Virus Software Detection
AVG Generic7_c.BULS
Fortinet W32/Bublik.AKIQ!tr
Ikarus Backdoor.Win32.DarkKomet
AhnLab-V3 Trojan/Win32.Jorik
McAfee-GW-Edition Heuristic.BehavesLike.Win32.Suspicious-BAY.S
AntiVir TR/Rogue.8877826.1
DrWeb Trojan.PWS.Stealer.1932
Kaspersky Trojan.Win32.Bublik.akiq
Avast AutoIt:MalOb-J [Trj]
McAfee Artemis!1C946EE5948C
AVG Generic32.CDAA
Ikarus Trojan.Win32.Spy2
DrWeb Trojan.PWS.Multi.1119
Kaspersky Trojan-Dropper.Win32.Agent.hjwv
Fortinet W32/Jorik_Zbot.PLC!tr

Technical Information

File System Details

Trojan.Zbot creates the following file(s):
# File Name MD5 Detection Count
1 GoogleUpdate.exe de75d9858dd25f83ee666c4890367023 157
2 ace.exe.exe 2af6923df61c3800fb4957cd5163646d 118
3 juzjf.exe dfda2db5ed7c417c9fececd8f5f48653 85
4 userinit.exe f01443167573144e3cf25b079a73226d 81
5 sys_config.exe 2c770a08cf50a31e138aa505c81a8cb4 38
6 Elgato.exe d9a57b7f55011099f22eac398f8683a3 20
7 bbotxxxxxx.exe 02d7b03f126ced200af04cafffbf4f66 18
8 svchost77.exe 4063dc3346591414467dea192e4de47d 17
9 server.exe 1c946ee5948c6d23847688c7d5fb8ebd 15
10 sdfjaidhuw.exe a6a2e40b6bfaf60a5f096117a53a5ddb 14
11 _ex-08.exe 7e691e6b40593bf4cbab65ab8aa71f68 14
12 Defcon.exe 02dbd6164feb882e0c5fbd546ded3781 13
13 wgsdgsdgdsgsd.exe d4c60f32496ae92c5a53bda45d28937d 9
14 crss.exe 733032ca6f13e38740fc4416eee0a0d4 9
15 oshdo.dll 267433320dc37f9369aef2aeaae68499 5
16 0.0863059484879578.exe b3f35490864b39475bd5d8e9a12a0f08 3
17 Recycle.Bin.exe 5ed168874559f43720d9a79b20c89d9f 3
18 B6232F3A6E7.exe 96cb97d9c4f61ab61cfad5a60606f242 3
19 0.2778958902928622.exe f4f2bd07bfaf360b2ba596d134df76e3 2
20 auaucdlve.exe cab45be12136d15f2958b1ca575131b4 2
21 MaelXpers.exe a69349baf03c5a5f8dac25232ae55a8d 2
22 9E787BEFEC0.exe c0397b8114fb367b3ea3d1a9d5bde409 1
23 dcratnewfud.exe e7fad45a14545e19debf752ebb4c7510 1
24 {14003D43-1705-1636-2800-333714001D1F}.exe 604fdaa1fd4e335f26032fd416a5461b 1
25 apijcajxv.exe 70383d5dd9b91c425b0107cf1e6c7b55 1
26 dwtray.exe aa872cb97a821e7736ba479558acfe78 1
27 file.exe 829d8db0a02b42ebb83f69270e866f5c 1
28 shortcuts.exe 5cb5a2617939cc2428f4f24b9f56421f 1
More files

Registry Details

Trojan.Zbot creates the following registry entry or registry entries:
Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "%System%\userinit.exe, %System%\sdra64.exe"
Regexp file mask
%APPDATA%\Microsoft\Windows\ScreenToGif\netprotocol.exe
%USERPROFILE%\winsvcs.exe
Run Keys
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"userinit" = "%UserProfile%\Application Data\sdra64.exe"

More Details on Trojan.Zbot

The following URL's were found:
Tip: We recommend blocking the domain names as well as the IP addresses associated with them.
  • 2sdfhs8d7fsh34d8f7s.org
  • 51qn.net
  • av4321.us
  • batmu.cn
  • clicksurfcash.net
  • crisis1s.com
  • fordearfriends.com
  • hotdomainworld.info
  • kakajz.cn
  • lilj.us
  • sfqjsf.cn
  • skp360.com

Related Posts

Site Disclaimer

Enigmasoftware.com is not associated, affiliated, sponsored or owned by the malware creators or distributors mentioned on this article. This article should NOT be mistaken or confused in being associated in any way with the promotion or endorsement of malware. Our intent is to provide information that will educate computer users on how to detect, and ultimately remove, malware from their computer with the help of SpyHunter and/or manual removal instructions provided on this article.

This article is provided "as is" and to be used for educational information purposes only. By following any instructions on this article, you agree to be bound by the disclaimer. We make no guarantees that this article will help you completely remove the malware threats on your computer. Spyware changes regularly; therefore, it is difficult to fully clean an infected machine through manual means.