Trojan.Zbot!gen4
Trojan.Zbot!gen4 is a generic detection technology to identify computer threats that belongs to Trojan.Zbot family. Files detected as Trojan.Zbot!gen4 are considered malicious and poses security risks on computer and its network environment. The Trojan uses social engineering a lot to spread itself on computers via the Internet. It continuously updates itself and propagates as spam email messages containing latest news and events.
Also Identified As:
Trojan-Spy:W32/Zbot (F-Secure), PWS-Zbot (McAfee), Trojan-Spy.Win32.Zbot (Kaspersky), Win32/Zbot (Microsoft), Troj/Zbot-LM (Sophos), Troj/TDSS-BY (Sophos), Troj/Zbot-LO (Sophos), Troj/Buzus-CE (Sophos), Sinowal.WUR (Panda Software)
Damage Level: High
Systems Affected: Windows 9x, 2000, XP, Windows Vista
Characteristics
The Trojan immediately identifies the current privilege on the target computer. For user that is logged-in with ordinary privilege, Trojan will place its files under %UserProfile%\Application Data folder. While if target has administrative privilege, files are dropped on %System% folder.
When Trojan.Zbot!gen4 is installed, it communicates to Command and Control server (C&C) and download configuration file and receive supplementary instructions.
With its backdoor capabilities, Trojan.Zbot!gen4 can perform malicious actions on the infected computer including the following:
- Make system unstable by deleting system and driver files
- Disable access to certain web site by blocking specific URL
- Modify Internet browser’s default home page to redirect user to unsolicited web page
- Execute or upload local files
- Download and execute additional malicious files from a remote location
Distribution
Trojan.Zbot!gen4 spreads in various methods and one of which is through spam email campaign. The email will consists of interesting message that pretends to be from an established company like Microsoft, FaceBook, Yahoo, or Google. There are also instances that email arrives with appealing subjects that involve celebrities, politician and recent events.
Additionally, drive-by-download method may drop this Trojan on computers anonymously when gullible user visits an unfamiliar web site. The method will exploit vulnerabilities that are commonly discovered on outdated Internet browser and security holes.
Added Registry Entries:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "%System%\userinit.exe, %System%\sdra64.exe" HKEY_CURRENT_USER\ SOFTWARE \Microsoft\Windows\CurrentVersion\Run\”userinit” = “%UserProfile%\Application Data\sdra64.exe”Associated Files and Folders:
%UserProfile%\Application Data\ntos.exe %UserProfile%\Application Data\oembios.exe %UserProfile%\Application Data\twext.exe %UserProfile%\Application Data\sdra64.exe %UserProfile%\Application Data\pdfupd.exe %UserProfile%\Application Data\video.dll %UserProfile%\Application Data\sysproc32.sys %UserProfile%\Application Data\user.ds %UserProfile%\Application Data\ldx.exe
How to Remove Trojan.Zbot!gen4
1. Temporarily Disable System Restore (Windows Me/XP). [how to]
2. To be able to identify even the most recent variant of Trojan.Zbot!gen4, open your antivirus application and update the virus definition file.
3. Start Windows in Safe Mode with Networking.
- From a power-off state, turn on the computer and press F8 on your keyboard repeatedly.
- Your computer will display Windows Advanced Boot Options menu. Please select Safe Mode with Networking.
- The system will now boot Windows and loads only necessary drivers and files.
4. Open your antivirus program and run a full system scan. After the scan, delete all infected items. If unable to delete, better place them in quarantine. Once the scan is complete, please proceed with the next step.
Scan with Norton Power Eraser:
Additional virus removal tool like Norton Power Eraser provides deep scanning technology to eliminate other threats not detected by a normal virus scan. Use this tool with extra caution.
5. Go to this link and download Norton Power Eraser.
6. Once the download completes, double click on the file NPE.exe to run the program.
7. It will prompt for End User License Agreement, click on Accept to continue.
8. On NPE main window, click on Scan. Then select Exclude Rootkit Scan. Click on Continue to proceed.
9. Virus scanning may take some time. After running the scan, NPE will display the scan result.
Important! If there are any detected threats under Suspicious, remove the check mark. Only threats in Detected category are necessary to remove at this point. Make sure that you mark the Create System Restore Point before proceeding with the fix.
10. Now click on Fix to start removing the threats including Trojan.Zbot!gen4 remnants if there are any.
11. When done, Norton Power Eraser will restart the computer. Then after a reboot, it will initialize and display the eliminated threats.
12. You may now close Norton Power Eraser.