Virus:Win32/Zbot.B is a detection for a virus that infects Windows executable files and attempts to download arbitrary files from various domains.
Virus:Win32/Zbot.B infects Windows Portable Executable (PE) files. The virus routine uses a cavity infection method to insert its code into free space between the first and second sections of the host file.
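A defender-side check for this infection pattern, added here as an example (it is not Microsoft's detection logic and is not derived from the sample): it parses the PE section table and counts non-zero bytes in the normally zero-padded slack between the end of the first section's mapped content and the start of the second section's raw data, the region the description above calls free space. The two-section PE image is constructed inside the block purely for testing, and treating that slack region as the cavity is an assumption about where the free space lies.

```python
import struct

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER layout, 40 bytes

def section_table(data):
    """Parse the PE section table into (name, virtual_size, raw_ptr, raw_size) tuples."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                  # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    table = pe + 24 + opt_size                                     # follows COFF + optional header
    secs = []
    for i in range(num_sections):
        name, vsize, _va, rsize, rptr, *_ = SECTION_HDR.unpack_from(data, table + i * SECTION_HDR.size)
        secs.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, rptr, rsize))
    return secs

def scan_cavity(data):
    """Heuristic: count non-zero bytes in the slack after the first section's mapped content and
    before the second section's raw data. Linkers zero-pad it, so code there merits analyst review."""
    secs = section_table(data)
    if len(secs) < 2:
        return None
    name, vsize, rptr, rsize = secs[0]
    start = rptr + min(vsize, rsize)                               # end of the bytes actually mapped
    cavity = data[start:secs[1][2]]
    foreign = [i for i, b in enumerate(cavity) if b]
    return {"section": name, "cavity_offset": start, "cavity_size": len(cavity),
            "foreign_bytes": len(foreign),
            "first_foreign_offset": start + foreign[0] if foreign else None}

def build_sample_pe(inject=b""):
    """Construct a minimal two-section PE32 image for testing (not a real program);
    `inject` is written into .text's file padding, where a cavity infector would place code."""
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic; rest left zero
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)
    code = b"\x90" * 0x5F + b"\xC3"                                # 0x60 bytes of genuine code
    text = SECTION_HDR.pack(b".text", len(code), 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    rdata = SECTION_HDR.pack(b".data", 0x10, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    hdr = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + coff + bytes(opt) + text + rdata
    hdr += b"\0" * (0x200 - len(hdr))
    body = code + inject
    body += b"\0" * (0x200 - len(body))                            # zero slack up to .data at 0x400
    return hdr + body + b"\0" * 0x200
```

Run `scan_cavity` over a file's bytes; a non-zero `foreign_bytes` on a binary that should have clean linker padding is a triage lead, not a verdict.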
Downloads and executes arbitrary files
Virus:Win32/Zbot.B infected files attempt to download an arbitrary file from a URL generated by the virus. The URL has a domain name that is generated based on the current system time.
The URL has the following pattern:
It uses one of the following top level domains:
In the wild, we have observed Virus:Win32/Zbot.B generating the following domains:
The virus generates 800 of these URLs, saving the downloaded file to the %TEMP% directory.
At the time of writing, if the virus contacts a domain that is active, the file it downloads is detected as PWS:Win32/Zbot.gen!Y.
Analysis by Amir Fouda