Trojan.Spy.ZBot.EH
MEDIUM
MEDIUM
~50KB
(Trojan-Spy.Win32.Zbot.clg, Tr/Spy.Zbot.clg)
Symptoms
- the presence of the file ntos.exe in the %WINDIR%\system32\ folder or in C:\Documents and settings\%username%\Application Data\.
- the presence of ntos.exe in the userinit value of the following registry key:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
userinit="%WINDIR%\system32\userinit.exe,%WINDIR%\system32\ntos.exe"
or
userinit="%WINDIR%\system32\userinit.exe,C:\Documents and settings\%username%\Application Data\ntos.exe"
Removal instructions:
Please let BitDefender disinfect your files.
Analyzed By
Sorin Ciorceri, virus researcher
Technical Description:
When executed, this trojan copies itself to %WINDIR%\system32\ntos.exe (or to C:\Documents and settings\%username%\Application Data\ntos.exe) and modifies the Winlogon userinit registry value so that the copy is started after every reboot.
It injects itself into svchost.exe and winlogon.exe and can provide backdoor and proxy server capabilities.
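A detection check for the userinit indicator above, added here as an example rather than code from BitDefender's analysis. It parses the comma-separated Winlogon Userinit value, whose legitimate content is the single userinit.exe entry, flags any additional program, and recognises the ntos.exe paths listed in the symptoms. The sample values are constructed for illustration; the optional live read only runs on Windows and uses the standard winreg module.

```python
"""Check a Winlogon Userinit value for the ntos.exe persistence entry.

Added example (not BitDefender's code). Windows runs every program listed
in the comma-separated Userinit value at logon; the legitimate content is
userinit.exe alone, so any extra entry is worth flagging.
"""
import os
import platform

LEGIT_USERINIT_BASENAME = "userinit.exe"   # the only expected entry
DROPPED_FILE_NAME = "ntos.exe"             # file name given in the advisory

# Constructed sample values (not taken from a real machine).
CLEAN_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"
INFECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe"
INFECTED_APPDATA_USERINIT = (
    r"C:\WINDOWS\system32\userinit.exe,"
    r"C:\Documents and settings\alice\Application Data\ntos.exe"
)


def parse_userinit(value):
    """Split a Userinit string into program entries.

    Windows treats the value as a comma-separated list and the default
    value carries a trailing comma, so empty entries are dropped.
    """
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def _basename(entry):
    # Normalise Windows separators so the check also works on non-Windows hosts.
    return os.path.basename(entry.replace("\\", "/")).lower()


def suspicious_entries(value):
    """Return every Userinit entry that is not userinit.exe."""
    return [e for e in parse_userinit(value)
            if _basename(e) != LEGIT_USERINIT_BASENAME]


def matches_zbot_indicator(value):
    """True when Userinit references ntos.exe, the file named in the advisory."""
    return any(_basename(e) == DROPPED_FILE_NAME for e in parse_userinit(value))


def read_live_userinit():
    """Read the real value from HKLM on Windows; return None elsewhere."""
    if platform.system() != "Windows":
        return None
    import winreg  # standard library, Windows only
    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    live = read_live_userinit()
    for label, value in (("clean sample", CLEAN_USERINIT),
                         ("infected sample", INFECTED_USERINIT),
                         ("infected sample (AppData)", INFECTED_APPDATA_USERINIT),
                         ("live registry", live)):
        if value is None:
            print(f"{label}: not available on this host")
            continue
        extra = suspicious_entries(value)
        verdict = "ZBot indicator" if matches_zbot_indicator(value) else (
            "unexpected entries" if extra else "clean")
        print(f"{label}: {verdict} {extra}")
```

Any entry other than userinit.exe is reported, not only ntos.exe, because the same persistence slot is reused by other malware; the ntos.exe match is the specific indicator from this advisory.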