Virus:Win32/Zbot.C is a detection for Win32 executables infected by particular variants of the PWS:Win32/Zbot family of bots. The payload of these infected files is typically to download and run additional malware on the computer.
Virus:Win32/Zbot.C is a detection for executable files that have been modified by other Win32/Zbot variants, such as PWS:Win32/Zbot.gen!Y. The Win32/Zbot.gen!Y infector modifies a host executable by inserting malicious code between the first and second PE sections of the host file; the resulting infected file is what this detection identifies.
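The write-up describes the infection only as code inserted between the first and second sections of the host. The script below is an added triage example, not part of the original analysis or of any vendor signature: it parses the PE section table and flags non-zero bytes in the file gap between consecutive section bodies, which a clean linker leaves as zero padding. The two sample images are constructed inline (the "infected" one parks a hypothetical 32-byte stub in the slack after .text) so the script runs offline.

```python
"""Triage check for code planted in the slack between two PE sections."""
import struct

SECTION_HEADER_LEN = 40
FILE_ALIGN = 0x200


def parse_sections(data: bytes):
    """Return (name, PointerToRawData, SizeOfRawData) per section, in file order."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size              # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_LEN
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        size_raw, ptr_raw = struct.unpack_from("<II", data, off + 16)
        sections.append((name, ptr_raw, size_raw))
    return sorted(sections, key=lambda s: s[1])


def find_slack_code(data: bytes):
    """Flag non-zero bytes in the file gap between consecutive sections.

    Linker output leaves that gap as zero padding up to FileAlignment; an
    infector that parks code there without growing SizeOfRawData shows up as
    a non-zero run. Caveat: an infector that enlarges the first section's
    SizeOfRawData to cover its code is invisible to this particular check.
    """
    findings = []
    secs = parse_sections(data)
    for (name_a, ptr_a, size_a), (name_b, ptr_b, _) in zip(secs, secs[1:]):
        end_a = ptr_a + size_a
        gap = data[end_a:ptr_b]
        nonzero = len(gap) - gap.count(0)
        if nonzero:
            findings.append({"between": (name_a, name_b), "offset": end_a,
                             "gap_len": len(gap), "nonzero": nonzero})
    return findings


def _align(n: int, a: int = FILE_ALIGN) -> int:
    return (n + a - 1) // a * a


def build_pe(sections, gap_payload: bytes = b"") -> bytes:
    """Construct a minimal PE32 image from (name, body) pairs (test data only).

    `gap_payload`, if given, is written right after the first section's body,
    inside the padding before the second section, to mimic the placement the
    write-up describes. Hypothetical bytes, not real malware.
    """
    e_lfanew, opt_size = 0x40, 0xE0           # 0xE0 = sizeof(IMAGE_OPTIONAL_HEADER32)
    table = e_lfanew + 24 + opt_size
    image = bytearray(_align(table + SECTION_HEADER_LEN * len(sections)))
    image[:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, e_lfanew)
    image[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HH", image, e_lfanew + 4, 0x14C, len(sections))  # i386, count
    struct.pack_into("<H", image, e_lfanew + 20, opt_size)
    struct.pack_into("<H", image, e_lfanew + 24, 0x10B)                 # PE32 magic
    for i, (name, body) in enumerate(sections):
        off = table + i * SECTION_HEADER_LEN
        image[off:off + 8] = name.encode().ljust(8, b"\0")
        struct.pack_into("<II", image, off + 16, len(body), len(image))
        image += body
        if i == 0:
            image += gap_payload              # planted in the inter-section gap
        image += bytes(_align(len(image)) - len(image))
    return bytes(image)


# Constructed samples: an ordinary two-section file and the same file with
# a hypothetical 32-byte stub parked in the slack after .text.
SECTIONS = [(".text", b"\xC3" * 0x100), (".data", b"\x01" * 0x40)]
CLEAN = build_pe(SECTIONS)
INFECTED = build_pe(SECTIONS, gap_payload=b"\xE8\0\0\0\0\x5D" + b"\x90" * 26)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, find_slack_code(img))
```

Run against a real sample, a hit gives the file offset and length of the suspicious run, which is where to point a disassembler; a miss does not clear the file, since the check ignores overlays after the last section and any infection that grows a section to cover its code.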
Downloads and executes arbitrary files
Files infected with Virus:Win32/Zbot.C attempt to download an arbitrary file from a URL that the virus generates itself. The URL's domain name is derived from the current system time.
The URL uses the following pattern:
It uses one of the following top level domains:
For example, in the wild, it has been observed generating domains such as:
The virus generates 90 such URLs; any file it manages to download is saved to the %TEMP% directory.
At the time of writing, none of the generated domains were live.
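The page gives the mechanism (domains derived from system time, one of several TLDs, 90 candidates per run) but not the actual pattern or TLD list, and those are not reproduced here. The following is an added example, not Zbot code or the analyst's own: a hypothetical time-seeded generator written the way a defender reproduces such an algorithm to pre-compute a blocklist or sinkhole list. The seed layout, MD5 hash, 12-letter label, TLD list and day granularity are all stand-ins chosen for illustration.

```python
"""Reproducing a time-seeded domain generator for defensive pre-computation.

Hypothetical construction: the real Zbot.C pattern is not on the page and is
not reproduced here. Only the count of 90 candidates comes from the write-up.
"""
import hashlib
from datetime import datetime, timedelta, timezone

TLDS = ("com", "net", "org", "info", "biz")   # hypothetical list; the page names none
PER_RUN = 90                                  # candidates per run, per the write-up
LABEL_LEN = 12                                # hypothetical label length


def candidate_domain(day: datetime, index: int) -> str:
    """Candidate `index` for calendar day `day` (assumed day-granular seed).

    Seed = date + index, hashed with MD5; digest bytes pick the letters and
    the TLD. Deterministic, so anyone with the algorithm and a date gets the
    same list, which is exactly what makes pre-blocking possible.
    """
    seed = f"{day:%Y%m%d}|{index}".encode()
    digest = hashlib.md5(seed).digest()
    label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LEN])
    return f"{label}.{TLDS[digest[LABEL_LEN] % len(TLDS)]}"


def candidates_for_day(day: datetime) -> list:
    """All PER_RUN candidates a run on `day` would try."""
    return [candidate_domain(day, i) for i in range(PER_RUN)]


def blocklist(center: datetime, skew_days: int = 1) -> set:
    """Candidates for `center` plus/minus `skew_days`.

    The infected host's own clock drives generation, not ours, so a list built
    for a single UTC date misses hosts whose local time or clock is a day off.
    """
    out = set()
    for d in range(-skew_days, skew_days + 1):
        out.update(candidates_for_day(center + timedelta(days=d)))
    return out


# Constructed sample dates for a deterministic demonstration.
SAMPLE_DAY = datetime(2010, 6, 1, tzinfo=timezone.utc)
NEXT_DAY = SAMPLE_DAY + timedelta(days=1)

if __name__ == "__main__":
    for dom in candidates_for_day(SAMPLE_DAY)[:5]:
        print(dom)
    print(len(blocklist(SAMPLE_DAY)), "domains in the +/-1 day blocklist")
```

When the real pattern is known, swapping `candidate_domain` for the recovered routine is the only change needed; the skew window and the per-day output are the parts that carry over to any time-seeded generator.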
Analysis by Amir Fouda