Virus:Win32/Zbot.C is a detection for Win32 executables infected by particular variants of the PWS:Win32/Zbot family of bots. Typically, the payload of these infected files is to download additional malware onto the computer.
Virus:Win32/Zbot.C is a detection for executable files that are modified by other Win32/Zbot variants, such as particular variants of PWS:Win32/Zbot.gen!Y. The Win32/Zbot.gen!Y infector modifies these files by inserting malicious code between the first and second sections of the host file.
Downloads and executes arbitrary files
Files infected with Virus:Win32/Zbot.C attempt to download an arbitrary file from a URL generated by the virus. The domain name in the URL is generated from the current system time.
The URL uses the following pattern:
It uses one of the following top level domains:
For example, in the wild, it has been observed generating domains such as:
The virus generates 90 of these URLs, saving the downloaded file to the %TEMP% directory.
At the time of writing, none of the generated domains were available.
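A defender-side way to spot this behaviour in DNS resolver logs, as an added example that is not part of the original write-up: it flags clients that request many distinct non-existent names in a short window, which is what 90 time-generated domains with none registered would look like. The log format, the 10-minute window, the threshold of 50 and the sample names (constructed under the reserved .example TLD, not the virus's real pattern) are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_log():
    """Constructed sample: 'ISO-time client qname rcode' (assumed log format)."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    lines = []
    # One client cycling through 90 unregistered names, as the write-up describes.
    for i in range(90):
        ts = base + timedelta(seconds=2 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.5 name{i:02d}.example NXDOMAIN")
    # Ordinary client: one successful lookup and one mistyped name.
    lines.append(f"{base.isoformat()} 10.0.0.9 www.example.org NOERROR")
    lines.append(f"{(base + timedelta(minutes=1)).isoformat()} 10.0.0.9 wwww.example.org NXDOMAIN")
    return lines


def find_nxdomain_bursts(lines, window=timedelta(minutes=10), threshold=50):
    """Return {client: peak count of distinct NXDOMAIN names in any window}
    for clients whose peak reaches the threshold (both values are assumptions)."""
    per_client = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the hunt
        ts, client, qname, rcode = parts
        if rcode == "NXDOMAIN":
            per_client[client].append((datetime.fromisoformat(ts), qname.lower().rstrip(".")))
    flagged = {}
    for client, events in per_client.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, len({name for _, name in events[start:end + 1]}))
        if peak >= threshold:
            flagged[client] = peak
    return flagged


if __name__ == "__main__":
    for client, peak in find_nxdomain_bursts(constructed_log()).items():
        print(f"{client}: {peak} distinct NXDOMAIN names in one window")
```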
Analysis by Amir Fouda
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.