Virus: TR/Spy.ZBot.EB.40
Date discovered: 23/02/2011
Type: Trojan
In the wild: No
Reported Infections: Medium
Distribution Potential: Low
Damage Potential: Low to medium
Static file: No
VDF version: 7.10.09.13
IVDF version: 7.11.03.207 - Wednesday, February 23, 2011

General

Method of propagation:
   • No own spreading routine


Platforms / OS:
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Drops files
   • Lowers security settings
   • Records keystrokes
   • Registry modification
   • Steals information

Files

It copies itself to the following location. Random bytes are appended to or changed in the copy, so its hash may differ from that of the original sample:
   • %HOME%\Application Data\%random character string%\%random character string%.exe



It deletes the initially executed copy of itself.



The following files are created:

– Non malicious file:
   • %HOME%\Application Data\%random character string%\%four-digit random character string%.%three-digit random character string%

– Batch file:
   • %TEMPDIR%\tmp%hex values%.bat
   It is executed as soon as it has been fully written and is used to delete a file.

Registry

The following registry key is added in order to start the dropped copy again at each user logon:

– [HKCU\Software\Microsoft\Windows\Currentversion\Run]
   • "%CLSID%"="\"%HOME%\Application Data\%random character string%\%random character string%.exe\""



The following registry keys are changed (a value shown as "-" is deleted):

Lowers Internet Explorer security settings. In the zone keys, URL action 1406 is "Access data sources across domains" and 1609 is "Display mixed content"; a value of 0 allows the action without prompting:

– [HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings]
   New value:
   • "MigrateProxy"=dword:00000001
   • "ProxyEnable"=dword:00000000
   • "ProxyServer"=-
   • "ProxyOverride"=-
   • "AutoConfigURL"=-

– [HKCU\Software\Microsoft\Internet Explorer\Privacy]
   New value:
   • "CleanCookies"=dword:00000000

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
   New value:
   • "1609"=dword:00000000

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
   New value:
   • "1406"=dword:00000000
   • "1609"=dword:00000000

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
   New value:
   • "1609"=dword:00000000

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
   New value:
   • "1406"=dword:00000000
   • "1609"=dword:00000000

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
   New value:
   • "1406"=dword:00000000
   • "1609"=dword:00000000
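As an added example that is not part of the Avira description, the following Python script parses a `reg export` text dump of HKCU and flags the two registry indicators listed above: a Run value whose name is a CLSID-style GUID and whose data points at an .exe in a subdirectory of the roaming profile (`Application Data` on XP/2003, which is `AppData\Roaming` on Vista and later), and the URL actions 1406 and 1609 set to 0 in any zone. The sample export, the GUID and the `Ifuxo\ahyhi.exe` names are constructed for illustration and are not indicators from the page; the OneDrive entry is a benign control.

```python
import re
from typing import Dict, List, Tuple, Union

RegValue = Union[str, int]

# Constructed sample of a `reg export` of HKCU, modelled on the keys in the
# description above. The GUID and the Ifuxo\ahyhi.exe names are invented.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"{A1B2C3D4-0000-1111-2222-333344445555}"="\"C:\\Documents and Settings\\user\\Application Data\\Ifuxo\\ahyhi.exe\""
"OneDrive"="\"C:\\Program Files\\OneDrive\\OneDrive.exe\" /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1406"=dword:00000000
"1609"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1406"=dword:00000003
"1609"=dword:00000000
'''

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
GUID_RE = re.compile(r'^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')
# %HOME%\Application Data\<dir>\<name>.exe on XP/2003; the same profile folder
# is AppData\Roaming on Vista and later (assumed equivalent here).
APPDATA_EXE_RE = re.compile(
    r'\\(?:Application Data|AppData\\Roaming)\\[^\\]+\\[^\\]+\.exe$', re.IGNORECASE)
ZONE_KEY_RE = re.compile(r'\\Internet Settings\\Zones\\(\d)$', re.IGNORECASE)
# URL actions zeroed by the sample: 1406 = access data sources across domains,
# 1609 = display mixed content. 0 = allow silently, 1 = prompt, 3 = disallow.
WEAKENED_ACTIONS = ("1406", "1609")


def parse_reg_export(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Parse the .reg subset used here: [key] sections, "name"="string" and
    "name"=dword:hex values. Other value types are kept as raw text."""
    keys: Dict[str, Dict[str, RegValue]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        km = _KEY_RE.match(line)
        if km:
            current = km.group(1)
            keys.setdefault(current, {})
            continue
        vm = _VALUE_RE.match(line)
        if not vm or current is None:
            continue
        name, raw = vm.group(1), vm.group(2)
        if raw.startswith("dword:"):
            keys[current][name] = int(raw[len("dword:"):], 16)
        elif len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            # .reg escapes backslashes and quotes inside strings as \\ and \"
            keys[current][name] = re.sub(r'\\(.)', r'\1', raw[1:-1])
        else:
            keys[current][name] = raw
    return keys


def find_run_persistence(keys: Dict[str, Dict[str, RegValue]]) -> List[Tuple[str, str]]:
    """Run values named like a CLSID whose data is an .exe under the roaming profile."""
    hits = []
    for key, values in keys.items():
        if not key.lower().endswith(r"\software\microsoft\windows\currentversion\run"):
            continue
        for name, data in values.items():
            if not isinstance(data, str):
                continue
            path = data.strip().strip('"')
            if GUID_RE.match(name) and APPDATA_EXE_RE.search(path):
                hits.append((name, path))
    return hits


def find_lowered_zone_settings(keys: Dict[str, Dict[str, RegValue]]) -> List[Tuple[int, str]]:
    """(zone, action) pairs where 1406 or 1609 is set to 0, i.e. allowed silently."""
    hits = []
    for key, values in keys.items():
        zm = ZONE_KEY_RE.search(key)
        if not zm:
            continue
        zone = int(zm.group(1))
        for action in WEAKENED_ACTIONS:
            if values.get(action) == 0:
                hits.append((zone, action))
    return hits


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG_EXPORT)
    for name, path in find_run_persistence(parsed):
        print(f"suspicious Run entry {name} -> {path}")
    for zone, action in find_lowered_zone_settings(parsed):
        print(f"zone {zone}: URL action {action} set to 0")
```

On a live host, `reg export HKCU hkcu.reg` writes UTF-16LE, so read the file with `encoding="utf-16"` before passing it to `parse_reg_export`. A zero for 1406 or 1609 in zone 3 (Internet) or zone 4 (Restricted sites) is the stronger signal, since those zones do not allow these actions silently by default; zone 0 and zone 1 can legitimately be more permissive.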

Injection

It injects itself as a remote thread into processes.

It is injected into all processes.


Miscellaneous

Internet connection:

It resolves the following host name:
   • furer**********.com

Description inserted by Alexander Bauer on Friday, February 25, 2011
Description updated by Alexander Bauer on Friday, February 25, 2011
