Trojan.Spy.ZBot.EPU

SYMPTOMS:

The presence of the following file:
     -"%Documents and Settings%\%user name%\Application Data\*random name1*\*random name2*.exe"
This file should also be refferred in the "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" registry key.

It also creates two files wtih random names in the following folder
    %Documents and Settings%\%user name%\Application Data\*random name3*\

TECHNICAL DESCRIPTION:

        At execution this malware creates a folder with a random name in "%Documents and Settings%\%user name%\Application Data\" and then copies itself in the newly created folder under a new random name(e.g.:"Ihik\rayqa.exe","Mytu\arkik.exe"...).

       It will execute the newly created copy, which will drop a batch file that will delete the original file and the batch file itself. After this, the newly created process will inject malicious code in various running processes(e.g.: "explorer.exe","ctfmon.exe"...). This allows the malware to  run his code and to connect to the internet,to send private data or to download other malware programs, invisible to the user. After the code injection is complete this process will close.

     From the injeceted code it creates a new registry value under "HKCU\Software\Microsoft\CurrentVersion\Windows\Run" registry key in order to restart the malware after each reboot. This registry values is created continuosly, making the user  unable to delete it.

Removal instructions:

Please let BitDefender disinfect your files.

ANALYZED BY: