Virus:Win32/Zbot.C


Virus:Win32/Zbot.C is a detection for Win32 executables infected by particular variants of the PWS:Win32/Zbot family of bots. Typically, the payload of these infected files is to download additional malware onto the system.


What to do now

To detect and remove this threat and other malicious software that may be installed in your computer, run a full-system scan with an up-to-date antivirus product such as the following:
 
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Installation
Virus:Win32/Zbot.C is a detection for executable files that are modified by other Win32/Zbot variants, such as PWS:Win32/Zbot.gen!Y.
Spreads via…
Infects files
Executable files that are modified by particular variants of PWS:Win32/Zbot.gen!Y are detected as Virus:Win32/Zbot.C. The Win32/Zbot.gen!Y infector modifies these files by inserting malicious code between the first and second sections of the host file.
Payload
Downloads and executes arbitrary files
Virus:Win32/Zbot.C infected files attempt to download an arbitrary file from a URL generated by the virus. The URL has a domain name that is generated based on the current system time.
 
The URL uses the following pattern:
 
http://<generated_domain_name>/forum/
 
It uses one of the following top level domains:
 
  • .com
  • .biz
  • .org
  • .net
  • .info
 
For example, in the wild, it has been observed generating domains such as:
 
  • unxfrlunuioqqc.org
  • qxmydvsootlpw.biz  
  • gmlgvrzoaeuqarp.com
 
The virus generates 90 of these URLs, saving the downloaded file to the %TEMP% directory.
 
At the time of writing, none of the generated domains were available.
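As an added, defender-side example (not part of the original write-up), the following Python scans a constructed proxy log for the traffic pattern described above: one client requesting /forum/ on dozens of distinct, random-looking two-label domains under the listed TLDs within a short window, which is what the 90-URL download loop leaves behind. The log line format, the label-length band and the burst thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

ZBOT_TLDS = {"com", "biz", "org", "net", "info"}          # TLDs named in the write-up
LABEL_RE = re.compile(r"^[a-z]{11,17}$")                  # assumption: band around the 13-15 letter samples
# Constructed proxy log format (assumption): "<ISO time> <client_ip> <url> <http_status>"
LINE_RE = re.compile(r"^(\S+) (\S+) http://([^/\s]+)(/\S*) (\d{3})$")

def looks_like_zbot_url(host, path):
    """True for http://<single-random-label>.<tld>/forum/, the pattern in the write-up."""
    if path != "/forum/":
        return False
    parts = host.lower().split(".")
    return len(parts) == 2 and parts[1] in ZBOT_TLDS and bool(LABEL_RE.match(parts[0]))

def find_dga_clients(log_lines, window_seconds=300, min_domains=20):
    """Return {client_ip: domains} for clients that fetched /forum/ from at least min_domains
    distinct matching domains inside any window_seconds span (the 90-URL loop makes this burst)."""
    hits = defaultdict(list)
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, host, path, _status = m.groups()
        if looks_like_zbot_url(host, path):
            hits[client].append((datetime.fromisoformat(ts), host.lower()))
    flagged = {}
    for client, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            in_window = {h for t, h in events[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(in_window) >= min_domains:
                flagged[client] = in_window
                break
    return flagged

# Constructed sample log: one client cycling through 25 generated-looking domains (all failing,
# matching "none of the generated domains were available"), one client with normal traffic.
_ALPHA = "abcdefghijklmnopqrstuvwxyz"
SAMPLE_LOG = [
    f"2010-10-27T10:00:{i:02d} 10.0.0.5 http://{(_ALPHA[i:] + _ALPHA[:i])[:14]}."
    f"{sorted(ZBOT_TLDS)[i % 5]}/forum/ 503"
    for i in range(25)
] + [
    "2010-10-27T10:00:30 10.0.0.9 http://www.example.com/forum/ 200",    # three labels: ignored
    "2010-10-27T10:00:31 10.0.0.9 http://unxfrlunuioqqc.org/forum/ 503",  # one hit is not a burst
]
```

Running `find_dga_clients(SAMPLE_LOG)` flags only 10.0.0.5; the thresholds are deliberately loose so that a partial capture of the 90 attempts still trips the rule.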
 
Analysis by Amir Fouda

Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.

Prevention


Alert level: Severe
First detected by definition: 1.93.562.0
Latest detected by definition: 1.93.562.0 and higher
First detected on: Oct 27, 2010
This entry was first published on: Dec 06, 2010
This entry was updated on: Apr 17, 2011

This threat is also detected as:
No known aliases