Virus:Win32/Zbot.B


Virus:Win32/Zbot.B is a detection for a virus that infects Windows executable files and attempts to download arbitrary files from various domains.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an up-to-date antivirus product.
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Spread via…
Infects files
Virus:Win32/Zbot.B infects Windows Portable Executable (PE) files. The virus routine uses a cavity infection method to insert its code into free space between the first and second sections of the host file.
Payload
Downloads and executes arbitrary files
Files infected by Virus:Win32/Zbot.B attempt to download an arbitrary file from a URL generated by the virus. The domain name in the URL is derived from the current system time.
 
The URL has the following pattern:
 
http://<generated_domain_name>/forum/
 
It uses one of the following top level domains:
  • .com
  • .biz
  • .org
  • .net
  • .info
 
In the wild, we have observed Virus:Win32/Zbot.B generating the following domains:
 
  • kzoildszuspuovoq.biz
  • fxkuintqxykyoq.net
  • shirquzmsjpdzmm.com
 
The virus generates 800 of these URLs, saving the downloaded file to the %TEMP% directory.
 
At the time of writing, if the virus contacts a domain that is active, the file it downloads is detected as PWS:Win32/Zbot.gen!Y.
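The URL shape, TLD set and observed domains above are enough to build a simple proxy-log check. The following is an added example, not part of this write-up or of any vendor tool: it flags clients that request `/forum/` on several random-looking domains in the five listed TLDs. The log format, the heuristic thresholds and the sample log lines are constructed assumptions; the three flagged domains are the ones reported above.

```python
import math
import re
from collections import Counter, defaultdict

# URL shape described in the write-up: http://<generated_domain>/forum/ on one of five TLDs.
ZBOT_URL_RE = re.compile(r"https?://([a-z0-9-]+)\.(com|biz|org|net|info)/forum/?")
VOWELS = set("aeiou")

def shannon_entropy(s):
    """Bits per character of the label; random-looking labels score high."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def longest_consonant_run(label):
    """Pronounceable names rarely stack 4+ consonants; the observed DGA labels do."""
    run = best = 0
    for ch in label:
        run = 0 if ch in VOWELS or not ch.isalpha() else run + 1
        best = max(best, run)
    return best

def looks_generated(label, min_len=12, min_run=4, min_entropy=3.0):
    """Heuristic (an assumption of this example, tuned to the three observed labels)."""
    return (len(label) >= min_len and longest_consonant_run(label) >= min_run
            and shannon_entropy(label) >= min_entropy)

def scan_proxy_log(lines, min_domains_per_client=3):
    """Return {client_ip: sorted DGA-like domains} for clients that hit several of them.
    Log format is a constructed one: '<timestamp> <client_ip> <method> <url> <status>'."""
    per_client = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        m = ZBOT_URL_RE.fullmatch(parts[3])
        if m and looks_generated(m.group(1)):
            per_client[parts[1]].add(f"{m.group(1)}.{m.group(2)}")
    return {ip: sorted(d) for ip, d in per_client.items() if len(d) >= min_domains_per_client}

# Constructed sample log; the three odd domains are the ones the write-up reports seeing.
SAMPLE_LOG = [
    "2010-10-27T10:00:01 10.0.0.5 GET http://kzoildszuspuovoq.biz/forum/ 503",
    "2010-10-27T10:00:02 10.0.0.5 GET http://fxkuintqxykyoq.net/forum/ 503",
    "2010-10-27T10:00:03 10.0.0.5 GET http://shirquzmsjpdzmm.com/forum/ 200",
    "2010-10-27T10:00:04 10.0.0.9 GET http://example.com/forum/ 200",
    "2010-10-27T10:00:05 10.0.0.9 GET http://securityforum.org/forum/ 200",
]
```

Because the virus tries hundreds of such domains, the per-client count is the stronger signal: a single failed lookup is noise, a burst of distinct random-looking `/forum/` hosts from one machine is worth a look.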
 
Analysis by Amir Fouda

Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.

Prevention


Alert level: Severe
First detected by definition: 1.93.562.0
Latest detected by definition: 1.93.562.0 and higher
First detected on: Oct 27, 2010
This entry was first published on: Oct 28, 2010
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Trojan horse Downloader.Generic10.WCF (AVG)
  • Trojan.Packed.196 (Dr.Web)
  • Trojan-Downloader.Win32.Murofet (Ikarus)
  • Generic.dx!ubo (McAfee)
  • W32/Murofet-A (Sophos)
  • Trojan.Win32.Generic!BT (Sunbelt Software)
  • Trojan.Fortemp!inf (Symantec)